whats wrong with this php script? (captcha)

Question

I am trying to add a simple captcha to an hml form. Code is originally from here

here is the PHP script that generates the image and stores the captcha variable:

<?php

session_start();

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); 

header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 

header("Cache-Control: no-store, no-cache, must-revalidate"); 

header("Cache-Control: post-check=0, pre-check=0", false);

header("Pragma: no-cache"); 



function _generateRandom($length=6)

{

    $_rand_src = array(

        array(48,57) //digits

        , array(97,122) //lowercase chars

//      , array(65,90) //uppercase chars

    );

    srand ((double) microtime() * 1000000);

    $random_string = "";

    for($i=0;$i<$length;$i++){

        $i1=rand(0,sizeof($_rand_src)-1);

        $random_string .= chr(rand($_rand_src[$i1][0],$_rand_src[$i1][1]));

    }

    return $random_string;

}



$im = @imagecreatefromjpeg("captcha.jpg"); 

$rand = _generateRandom(3);

$_SESSION['captcha'] = $rand;

ImageString($im, 5, 2, 2, $rand[0]." ".$rand[1]." ".$rand[2]." ", ImageColorAllocate ($im, 0, 0, 0));

$rand = _generateRandom(3);

ImageString($im, 5, 2, 2, " ".$rand[0]." ".$rand[1]." ".$rand[2], ImageColorAllocate ($im, 255, 0, 0));

Header ('Content-type: image/jpeg');

imagejpeg($im,NULL,100);

ImageDestroy($im);

?>

here is the script that validates the entered captcha:

<?php

if($_SESSION["captcha"]==$_POST["captcha"])

{

    //CAPTHCA is valid; proceed the message: save to database, send by e-mail ...

    echo 'CAPTHCA is valid; proceed the message';

}

else

{

    echo 'CAPTHCA is not valid; ignore submission';

}

?>

Problem is that the session seems to be storing only 3 chars, so the values never match - since the generated image has 6 chars.

The code above is a bit strange (I must admit I am not used the image library API). But I dont know why we call _generateRandom() with arg value of 3, and also, why imagestring is being called twice ???

Answer 1

IF you don't want to use the "only black colored numbers" functionality, just add a

$_SESSION['captcha'] .= $rand;

after second call of ImageString.

Answer 2

Here's the solution (the original code was f00ked!):

That will teach me to try to cut corners by "lifting" code off of the internet :p

The part of the code that stores the captcha should be rewritten like this:

<?php
$rand1 = _generateRandom(3);

imagestring($im, 5, 2, 2, $rand1[0]." ".$rand1[1]." ".$rand1[2]." ", imagecolorallocate($im, 0, 0, 0));

$rand2 = _generateRandom(3);
imagestring($im, 5, 2, 2, " ".$rand2[0]." ".$rand2[1]." ".$rand2[2], imagecolorallocate($im, 255, 0, 0));
imagejpeg($im,null,100);

$value_to_store = $rand1[0].$rand2[0].$rand1[1].$rand2[1].$rand1[2].$rand2[2];

?>

Answer 3

You are initializing it with

$rand = _generateRandom(3);

$_SESSION['captcha'] = $rand;

And generating the images from

ImageString($im, 5, 2, 2, $rand[0]." ".$rand[1]." ".$rand[2]." ", ImageColorAllocate ($im, 0, 0, 0));

$rand = _generateRandom(3);

ImageString($im, 5, 2, 2, " ".$rand[0]." ".$rand[1]." ".$rand[2], ImageColorAllocate ($im, 255, 0, 0));

And then the second $rand is not being stored in $_SESSION.

Answer 4

Display the following text alongside the CAPTCHA input: "Enter the 3 black symbols (ignore the red ones)"

:D

Since only the black characters are stored in the Session.

UPDATE: I checked the link you provided and it has the text: "(antispam code, 3 black symbols)" above the CAPTCHA input box.