ShafiqqAziz

Reputation: 71

Form cannot be validated using captcha

I have a problem here: my form cannot do validation using the captcha, meaning that if the captcha is empty, the form can still be sent to my database.

This is my PHP connection code for sending the message to my database

<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "test";
//Define the database

session_start();
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
//Pick data from table in HTML

$conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
if (empty($name)){
    echo '<script>alert("Name cannot be blank. Please insert your name.");
        window.history.go(-1);
        </script>';
    die();
}
if (empty($email)){
    echo '<script>alert("Your message has been sent. Thank you for your cooperation.");
        window.history.go(-1);
        </script>';
    die();
}
if (empty($message)){
    echo '<script>alert("Please tell us what is in your mind. Thank you.");
        window.history.go(-1);
        </script>';
    die();
}
if(empty($_SESSION['code'] ) ||
     strcasecmp($_SESSION['code'], $_POST['code']) != 0)
{
    //Note: the captcha code is compared case insensitively.
    //if you want case sensitive match, update the check above to
    // strcmp()
    $errors .= "\n The captcha code does not match!";
}
//Error message of the form

$sql = "INSERT INTO testingdb (Name, Email, Message)
VALUES ('$name', '$email', '$message')";

if($conn->query($sql) === TRUE)  {
    echo '<script>
            alert("Your message has been sent. Thank you for your cooperation.");
        </script>';
    header("Location: {$_SERVER['HTTP_REFERER']}");
        function goback(){
            echo '<script>alert("Your message has been sent. Thank you!");</script>';
            header("Location: {$_SERVER['HTTP_REFERER']}");
            exit;
        }
        goback();
} else {
    echo "Error " . $sql . "<br>" . $conn->error;
}
//Insert data from HTML table to database

// Function to validate against any email injection attempts
function IsInjected($str)
{
  $injections = array('(\n+)',
              '(\r+)',
              '(\t+)',
              '(%0A+)',
              '(%0D+)',
              '(%08+)',
              '(%09+)'
              );
  $inject = join('|', $injections);
  $inject = "/$inject/i";
  if(preg_match($inject,$str))
    {
    return true;
  }
  else
    {
    return false;
  }
}
$conn->close();
?>

This is my form in HTML

      <form id="contact_form" action="connection.php" method="POST" enctype="multipart/form-data">
    <div class="row">
        <input id="name" class="input" name="name" type="text" value="" size="30" placeholder="Your Name*" onFocus="this.placeholder = ''" onBlur="this.placeholder = 'Your Name *'" /><br />
    </div>
    <div class="row" style="margin-top:10px">
        <input id="email" class="input" name="email" type="text" value="" size="30" placeholder="Your Email*" onFocus="this.placeholder = ''" onBlur="this.placeholder = 'Your Email *'" /><br />
    </div>
    <div class="row" style="margin-top:10px">
        <textarea id="message" class="input" name="message" rows="7" cols="31" placeholder="Your Messages *" onFocus="this.placeholder = ''" onBlur="this.placeholder = 'Your Messages *'"  ></textarea><br />
    </div>
    <img src="captcha_code_file.php?rand=<?php echo rand(); ?>" id='captchaimg' style="margin-top:10px" ><br>
        <input id="code" class="input" name="code" type="text" value="" size="32" placeholder="Your Code Here *" onFocus="this.placeholder = ''" onBlur="this.placeholder = 'Your Code Here *'" style="margin-top:10px"><br>
    <p> <button id="submit_button" type="submit" style="cursor:pointer">Submit</button>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <button id="reset_button" type="reset" style="cursor:pointer">Reset</button></p>
</form>

I'm pretty new to coding and to this site, so can someone help me? Also, I'm sorry if my English is bad. I used this link as an example: http://webdesignpub.com/html-contact-form-captcha/

Upvotes: 1

Views: 305

Answers (1)

OscarJ

Reputation: 413

You need to set $_SESSION['code'] to whatever the captcha image is showing when you send the form such that you can compare it to $_POST['code'] when you have retrieved the posted data on the next request.

I'm not sure what captcha_code_file.php does, as you haven't included it, but if it just shows the random number then it might work if you change:

<img src="captcha_code_file.php?rand=<?php echo rand(); ?>" id='captchaimg' ...

into

<img src="captcha_code_file.php?rand=<?php echo $_SESSION['code'] = rand(); ?>" id='captchaimg' ...

Upvotes: 1
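In the question's script a failed captcha only appends to `$errors`; nothing checks `$errors` before the `INSERT` runs, so the row is saved either way. The handler below is an added example, not code from either post: it stops on a failed check and uses a prepared statement instead of the string-built query, and it assumes `captcha_code_file.php` stores the text it draws in `$_SESSION['code']`.

```php
<?php
// Added example, not code from the question or the answer.
// Assumption: captcha_code_file.php stores the text it draws in $_SESSION['code'].
session_start();

// True only when a non-empty posted code matches the non-empty stored one.
function captcha_ok(array $session, array $post): bool
{
    $expected = $session['code'] ?? '';
    $given    = $post['code'] ?? '';
    if (!is_scalar($expected) || !is_string($given)) {
        return false;                       // e.g. code[]=x sent as an array
    }
    $expected = strtolower((string) $expected);
    $given    = strtolower(trim($given));
    // Case-insensitive, as in the question; hash_equals compares in constant time.
    return $expected !== '' && $given !== '' && hash_equals($expected, $given);
}

$errors = [];
foreach (['name', 'email', 'message'] as $field) {
    $value = $_POST[$field] ?? null;
    if (!is_string($value) || trim($value) === '') {
        $errors[] = "Please fill in the $field field.";
    }
}
if (!captcha_ok($_SESSION, $_POST)) {
    $errors[] = 'The captcha code does not match!';
}
unset($_SESSION['code']);   // single use: the same code cannot be submitted twice

if ($errors) {
    // Stop here; this is the step the question's script is missing.
    http_response_code(400);
    exit(htmlspecialchars(implode("\n", $errors)));
}

// Connection values and table name are the ones shown in the question.
$conn = new mysqli('localhost', 'root', '', 'test');
if ($conn->connect_error) {
    http_response_code(500);
    exit('Database unavailable.');
}
// Placeholders keep the posted text out of the SQL string.
$stmt = $conn->prepare('INSERT INTO testingdb (Name, Email, Message) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $_POST['name'], $_POST['email'], $_POST['message']);
$stmt->execute();
$stmt->close();
$conn->close();
echo 'Your message has been sent. Thank you for your cooperation.';
```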
