xanderman
01-11-2008, 01:27 AM
Keep in mind that I wrote this for something different, and you may need to change the "Injection Detection".
Using CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). For those not so technically inclined: "it's those image verification things".
To break it down a bit, you can send form data one of two ways as part of an HTTP request.
A. POST, which is used most commonly.
POST sends the values of the form in the body of the HTTP request. You cannot see this through your browser, well, unless you hack it out a bit.
B. GET
GET also sends the form values, but these you can see in your browser as part of the address: file.extension?this=that&that=this.
Issue:
The issue is that most form fields are static, meaning the field names don't change, so a bot could simply send the same HTTP request over and over again with different values, and next thing you know you've got 1k accounts created on your kal server.
Solution:
If we add a CAPTCHA system, the chance of a bot being used to create accounts drops greatly. It is still possible, but much harder.
Now that I've finished the introduction to this guide, which most of you probably won't even read, let's get to the code!!!
First, we will start with the basic HTML form.
<form id="kalreg" name="kalreg" method="post" action="process.php">
  User ID:
  <input type="text" name="user" id="user" />
  <br />
  <br />
  Password:
  <input type="password" name="pass" id="pass" />
  <br />
  <br />
  Image Verification: <img src="captcha.php" /><br />
  <br />
  Image Verification Code:
  <input type="text" name="imgver" id="imgver" />
  <br />
  <br />
  <input type="submit" name="button" id="button" value="Register" />
</form>
Basically this just displays our form and our CAPTCHA image (which we will get to next).
Now that we have our form displaying, let's make the CAPTCHA. This process actually isn't difficult.
<?php
#since we are storing our data using Sessions, we need to start a session
session_start();
#$bg_image is the image that will be used for the background of our captcha
#you will have to replace the value with your bg image (it must be a GIF, since we load it with imagecreatefromgif below).
$bg_image = "path2urimage";
#we're going to put some lines throughout the image to make it a bit harder for bots to crack
#to color the lines, we need to fill in the color fields using RGB values (0-255 for each color)
$line_color = array(
    "R" => 150,
    "G" => 150,
    "B" => 150
);
#set the number of lines to display in our captcha
$numLines = 5;
#set the length of the key to display in our captcha
$keyLength = 7;
#set the color of the text in our captcha
$textcolor = array(
    "R" => 255,
    "G" => 0,
    "B" => 0
);
#get some file attributes of our bg image, all we are going to use is width and height.
list($width, $height, $type, $attr) = getimagesize($bg_image);
#using PHP's GD Library, we're going to create our base captcha, which starts with our BG image.
$captcha = imagecreatefromgif($bg_image);
#if the image could not be loaded there is nothing to draw on, so stop here.
if ($captcha === false)
{
    die("Could not load background image");
}
#sets the color for our key, the color was defined above.
$keycol = imagecolorallocate($captcha, $textcolor["R"], $textcolor["G"], $textcolor["B"]);
#start a loop to add our lines to our captcha
for ($i = 0; $i < $numLines; $i++)
{
    $line = imagecolorallocate($captcha, $line_color["R"], $line_color["G"], $line_color["B"]);
    imageline($captcha, rand(0, $width), rand(0, $height), rand(0, $width), rand(0, $height), $line);
}
#generate our random key
$string = GenKey($keyLength);
#add our random key to our captcha (GD's built-in fonts are numbered 1 to 5; 5 is the largest)
imagestring($captcha, 5, rand(1, 30), rand(1, 15), $string, $keycol);
#hash our key and add it to our session data.
$_SESSION['key'] = md5($string);
#send HTTP header to tell client we're going to display an image.
header("Content-type: image/png");
#display image
imagepng($captcha);
#free the image memory
imagedestroy($captcha);

function GenKey($length)
{
    #define the letters / numbers that will be used in our key.
    $chars = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    #start with an empty key so the .= below has something to append to
    $key = "";
    #start a loop to make the key.
    for ($i = 0; $i < $length; $i++)
    {
        #pick a random position in the string (0 up to the last index, so every character can appear)
        $rand_start = rand(0, strlen($chars) - 1);
        #add this character to our key
        $key .= substr($chars, $rand_start, 1);
    }
    #return our key
    return $key;
}
?>
Now that we have our form generating our captcha image, let's move on to checking whether they entered the right code, and that they are not trying to inject into our SQL.
<?php
#captcha.php stored the key in the session, so we need to start the session here too
session_start();
#start a loop through our POST data
foreach ($_POST as $k => $v)
{
    #start a check for SQL injections.
    #this is kinda nub here, you can make it better by just escaping strings and what not.
    if (strstr($v, "'") || strstr($v, '"') || strstr($v, "\\") || strstr($v, "/"))
    {
        #if we detect an injection, stop the script.
        die("Injection Detected");
    }
}
#if everything went through ok....
#read the image code straight from $_POST. extract($_POST) would let the client overwrite
#any variable in this script, so we only take the one field we need.
$imgver = isset($_POST['imgver']) ? $_POST['imgver'] : "";
#check to see if they entered the correct image code (and that a code was actually issued).
if (!isset($_SESSION['key']) || $_SESSION['key'] != md5($imgver))
{
    #if they did not, stop the script
    die("Image Verification Failed!");
}
else
{
    #here is where you can put your query / SQL connection to create the account
}
?>
That concludes the tutorial, but here are a few things you can do to make it a bit harder for bots to crack.
add more lines.
make the color of the lines and text random by using PHP's rand function.
use a random background image.
If you have any questions or comments, please feel free to post back.
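A hardened version of the verification step, added here as an example and not taken from the post above: it replaces the quote blacklist with a prepared statement, makes each image code single-use and time-limited, and compares it in constant time. It assumes captcha.php is changed to store the plain key as $_SESSION['captcha_key'] and time() as $_SESSION['captcha_time'] (names chosen here), PHP 7 or later, and a placeholder accounts table and DSN.

```php
<?php
// Added example, not from the original post: a hardened process.php.
// Assumes captcha.php stores the plain key in $_SESSION['captcha_key'] and
// time() in $_SESSION['captcha_time'] (hypothetical names), PHP 7+, and an
// `accounts` table with user/pass_hash columns (placeholder schema and DSN).
session_start();

function verify_captcha(string $entered): bool
{
    if (empty($_SESSION['captcha_key']) || empty($_SESSION['captcha_time'])) {
        return false;
    }
    $expected = $_SESSION['captcha_key'];
    $issued   = $_SESSION['captcha_time'];
    // Single use: drop the key before comparing, so neither a failed attempt
    // nor a replayed POST can reuse the same image.
    unset($_SESSION['captcha_key'], $_SESSION['captcha_time']);
    // Expire codes after five minutes so solved images cannot be stockpiled.
    if (time() - $issued > 300) {
        return false;
    }
    // Constant-time comparison; upper-case so "a7k" matches a key of "A7K".
    return hash_equals($expected, strtoupper(trim($entered)));
}

function create_account(PDO $db, string $user, string $pass): bool
{
    // A prepared statement replaces the quote blacklist: the values are bound
    // as data and never become part of the SQL text, so "'" is just a character.
    $stmt = $db->prepare('INSERT INTO accounts (user, pass_hash) VALUES (:u, :p)');
    return $stmt->execute([
        ':u' => $user,
        ':p' => password_hash($pass, PASSWORD_DEFAULT),
    ]);
}

$user   = $_POST['user']   ?? '';
$pass   = $_POST['pass']   ?? '';
$imgver = $_POST['imgver'] ?? '';

if ($user === '' || $pass === '' || !verify_captcha($imgver)) {
    http_response_code(400);
    exit('Image Verification Failed!');
}
// Placeholder DSN and credentials; replace with your own.
$db = new PDO('mysql:host=localhost;dbname=kal', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
echo create_account($db, $user, $pass) ? 'Account created' : 'Registration failed';
```

The same thinking applies on the generation side: build the key with random_int() rather than rand(), since rand() output is predictable.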