
I have this simple PHP code that generates a random code and displays it to the user. I need to verify, using a text input, if the user inserts the displayed code, like a captcha, but I will use this script to redirect the user after the verification to the registration form page. The code is generated, but I can't verify it; maybe I've missed something in the code?

NB: This is not a spam prevention system. As said in the comments, there are valid solutions better than this to prevent spam. This is a starting draft for a user invitation system; if you want to downvote the question, please consider this.

<?php
function randomCode() {
    $code_variable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz0123456789";
    srand((double)microtime() * 1000000);
    $i = 0;
    $rand_Code = '';
    // pick 8 characters from the whole alphabet (the original used rand() % 33,
    // which only ever reached the first 33 of the 61 characters)
    while ($i <= 7) {
        $num = rand() % strlen($code_variable);
        $tmp = substr($code_variable, $num, 1);
        $rand_Code = $rand_Code . $tmp;
        $i++;
    }

    return $rand_Code;
}
// runs on every request, including the POST that submits the form below
$code = randomCode();

if (isset($_POST['verify'])) {

    if ($_POST['user_code'] == $code) {
        echo 'Valid code.';
        header('Location: index.php');
    }

}

?>
<form method="post" action="">
<input type="text" name="verification_code" disabled value="<?php echo $code; ?>">
<input type="text" name="user_code">
<button type="submit" name="verify">Verify code</button>
</form>
  • I hope this is not intended to go into a live site, as it's **worse** than useless as a security mechanism – RiggsFolly May 14 '17 at 13:46
  • You have got the page life cycle a little confused – RiggsFolly May 14 '17 at 13:48
  • I want to use it on a website only to protect the registration form; this is only the starting draft that I have now. @RiggsFolly what do you mean by the page life cycle? –  May 14 '17 at 13:50
  • MAJOR POINT: If you send the `code` to the browser it is then visible to anybody, either using the form or sniffing a connection. As a security mechanism this is a complete disaster. Can I suggest you take great care when considering rolling your own security features; it is the simplest thing to make a complete SNAFU of – RiggsFolly May 14 '17 at 14:12
  • @RiggsFolly I will work to add the feature to mail the code to the users so they can insert it and view the registration form page. –  May 14 '17 at 14:31

2 Answers


You will never get 'Valid code.' displayed on the screen, since every time the user clicks on the Verify code button, the page will refresh and a new random captcha code will get generated and stored in $code. So that's why $_POST['user_code'] will never be equal to $code.

One workaround would be to append the captcha code to the URL itself, so that you can verify the authenticity of the user-inputted captcha by comparing it with $_GET[...] data. So you need to change your form in the following way,

<form method="post" action="?captcha=<?php echo $code; ?>">
    <input type="text" name="verification_code" disabled value="<?php echo $code;?>">
    <input type="text" name="user_code">
    <button type="submit" name="verify">Verify code</button>
</form>

Subsequently, verify the captcha in the following way,

// your code
if(isset ($_POST['verify'])){
    if($_POST['user_code'] == $_GET['captcha'] ){
        // your code
    }
}

Sidenote(s):

  • Don't output anything before the header(...); statement, otherwise you will see a "headers already sent" error. Go through this SO thread to get more info on this.
  • header(...); alone is not sufficient to redirect the user to a different page; use exit(); after the header(...); statement.
Rajdeep Paul
  • OK, I will try this trick, thank you. Any suggestion on how to mail the code to the user before he can input it? The user @RiggsFolly said that this type of security measure is a bad idea to implement. So I want to add a mail input where the user inserts an email and gets the script-generated code to input. –  May 14 '17 at 14:03
  • @BrP Don't reinvent the wheel. Use one of the existing recaptcha solutions, for example, [**Google reCaptcha**](https://www.google.com/recaptcha/intro/invisible.html). – Rajdeep Paul May 14 '17 at 14:07
  • Hear hear! Definitely don't invent security mechanisms until you have taken the PhD in security. And definitely not until after you at least understand the life cycle of a web form. ___REMEMBER WEP___ – RiggsFolly May 14 '17 at 14:13
  • @RajdeepPaul I don't really need a recaptcha solution, I just want to set up a basic invitation code system. –  May 14 '17 at 14:29
  • @BrP *Any suggestion on how to **mail the code** ...?* You can use either of the following solutions: 1. PHP's native [mail()](http://php.net/manual/en/function.mail.php) function 2. [PHP Mailer](http://phpmailer.worxware.com/) 3. [SendGrid API](https://sendgrid.com/) – Rajdeep Paul May 14 '17 at 14:34
  • @RajdeepPaul I'm trying with the mail function of PHP and it's working perfectly. I have only one question: is it possible to use the same form to mail the code to the user and to validate it after the user inserts it? –  May 14 '17 at 15:14
  • @BrP Yes, it's possible. – Rajdeep Paul May 14 '17 at 15:17
  • @RajdeepPaul Can you show me an example with the form? I've removed the and modified it to a text input where the user can insert his email. Now I have the input field to validate the code, but it gives me an error because the user needs to receive the email to have his code to insert, but after that it will work and show me a success message. –  May 14 '17 at 15:22
  • @BrP **The solution is applicable only to a live site, not to your localhost**. Save the ** combo in your database, and send to the user's email address a link like this, *http://dummyexample.com/?email=user@email.com&captcha=captchacode*. So when the user gets this email and clicks on the link, retrieve the corresponding captcha code from the database, based on the email address `$_GET['email']`, and compare it with `$_GET['captcha']`. – Rajdeep Paul May 14 '17 at 15:34
  • @RajdeepPaul I will try as you suggested; my hope was to not use the db for this purpose, but if it's the only solution, I will work in that direction to achieve the objective. –  May 14 '17 at 15:39
  • @RajdeepPaul I've used a simple way to get it all working, unfortunately not on the same form. If you want to take a look at the code it will be a pleasure; maybe I've made some mistake or there is some security issue. –  May 14 '17 at 19:25
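The answer above explains why the original script can never match: the code is regenerated on the POST that submits the form. The asker then asks in the comments whether one form can both mail the code and validate it. The following single-page script is an added example (not code from the question, the answer, or any library) showing that flow with the page lifecycle handled correctly: the code is generated once, kept server-side in the session as a hash, never echoed back to the browser, compared with `password_verify()`, limited in lifetime and attempts, and followed by `exit` after the redirect. It assumes PHP 7 or later, a working `mail()` setup, and a registration page named `register.php` (an assumed name); the lengths, TTL and attempt limit are assumed policy values.

```php
<?php
// Added example, not the asker's or the answerer's code: one page that issues an
// invitation code once, keeps it server-side in the session, mails it, and verifies
// it on a later request. Assumes PHP 7+, a working mail() setup, and that the
// registration page is register.php (assumed name).
declare(strict_types=1);

session_start();            // before any output, otherwise the session cookie cannot be sent

const CODE_LENGTH = 8;
const CODE_TTL    = 600;    // seconds a code stays valid (assumed policy)
const MAX_TRIES   = 5;      // guesses allowed per issued code (assumed policy)

// Unbiased code from the CSPRNG: random_int() instead of srand()/rand().
function generateCode(int $length = CODE_LENGTH): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I/l look-alikes
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// The clear code is returned only so it can be mailed; the session keeps a hash.
function issueCode(string $email): string
{
    $code = generateCode();
    $_SESSION['invite'] = [
        'email'   => $email,
        'hash'    => password_hash($code, PASSWORD_DEFAULT), // never store the clear code
        'expires' => time() + CODE_TTL,
        'tries'   => 0,
    ];
    return $code;
}

// Verifies against the session copy, with expiry, attempt limit and single use.
function verifyCode(string $userCode): bool
{
    if (!isset($_SESSION['invite'])) {
        return false;
    }
    $inv = $_SESSION['invite'];
    $inv['tries']++;
    $_SESSION['invite'] = $inv;              // count every attempt, right or wrong
    if (time() > $inv['expires'] || $inv['tries'] > MAX_TRIES) {
        unset($_SESSION['invite']);          // expired or being guessed: discard it
        return false;
    }
    if (!password_verify($userCode, $inv['hash'])) {
        return false;
    }
    unset($_SESSION['invite']);              // single use
    $_SESSION['invited_email'] = $inv['email'];
    return true;
}

$message = '';
if (isset($_POST['send_invitation'])) {
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $message = 'Please enter a valid e-mail address.';
    } else {
        $code = issueCode($email);
        // FILTER_VALIDATE_EMAIL rejects CR/LF, so $email cannot smuggle extra mail headers
        $sent = mail($email, 'Your invitation code', "Your invitation code is $code", 'From: noreply@example.com');
        $message = $sent ? 'Mail sent. Enter the code below.' : 'Mail could not be sent.';
    }
} elseif (isset($_POST['verify'])) {
    if (verifyCode((string) ($_POST['user_code'] ?? ''))) {
        header('Location: register.php');
        exit;                                // nothing after a redirect should run
    }
    $message = 'Wrong, expired or already used code.';
}
?>
<p><?= htmlspecialchars($message) ?></p>
<form method="post" action="">
  <label>Email <input type="email" name="email"></label>
  <button type="submit" name="send_invitation">Send invitation code</button>
</form>
<form method="post" action="">
  <label>Invitation code <input type="text" name="user_code" autocomplete="off"></label>
  <button type="submit" name="verify">Verify code</button>
</form>
```

`register.php` should then check `$_SESSION['invited_email']` before rendering the registration form, since that value is only set once a code has been verified. Keeping the code out of the HTML (and out of the URL) is what addresses the "visible to anybody" comment: the browser only ever sends the code in, it never receives it from this page.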

I've added the PHP mail() function to send the invitation code to users. It's working fine; I've divided the code into two parts. The first one manages the user invitation code sending:

<?php
session_start();   // must run before any HTML is sent, so it goes at the top of the file
ob_start();

function randomCode()
{
    $code_variable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz0123456789";
    srand((double)microtime() * 1000000);
    $i = 0;
    $rand_Code = '';
    while ($i <= 7) {
        $num = rand() % strlen($code_variable); // original used % 33, reaching only part of the alphabet
        $tmp = substr($code_variable, $num, 1);
        $rand_Code = $rand_Code . $tmp;
        $i++;
    }

    return $rand_Code;
}

if (isset($_POST['send_invitation'])) {
    // reject anything that is not a plain address; this also keeps CR/LF out of the mail headers
    $to = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
    if ($to === false) {
        echo "Please enter a valid email address.";
    } else {
        $_SESSION['code'] = randomCode();
        $_SESSION['tmp_mail'] = $to;

        $from = "noreply@domain.com"; // this is the sender's Email address
        $subject = "Affiliate invitation code";
        $message = $_SESSION['code'] . " is your invitation code.";
        $headers = "From: " . $from;

        mail($to, $subject, $message, $headers);

        echo "Mail Sent. Thank you, we will contact you shortly.";
    }
}
?>
<form method="post" action="">
<label for="email">Email</label>
<input type="text" name="email" id="email">
<button type="submit" name="send_invitation">Send invitation code</button>
</form>

The second part of the script is on another page and manages the check for the code matching between the code stored in the $_SESSION['code'] variable and the user input:

<?php
session_start();
ob_start();
function redirect(){
    header('refresh:3; url=affiliate/index.php');
    exit;
}

if (isset($_POST['verify'])) {

    // isset() avoids a notice when no code was requested yet; hash_equals() compares
    // without the timing leak and type juggling of ==
    if (isset($_SESSION['code'], $_SESSION['tmp_mail'])
        && hash_equals($_SESSION['code'], (string) $_POST['user_code'])) {
        echo "Valid invitation code. You can now register using {$_SESSION['tmp_mail']} email address.";
        redirect();
    } else {
        echo "Wrong code. Please enter a valid code or request a new one.";
    }
}
?>
<form method="post" action="">
<label for="user_code">Invitation Code</label>
<input type="text" name="user_code" id="user_code">
<button type="submit" name="verify">Verify code</button>
</form>
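The session-based two-page flow above only works in the same browser session that requested the code. The alternative Rajdeep Paul sketches in the comments, saving the email/code pair in a database and mailing a link like `?email=...&captcha=...`, works across devices and sessions. The following is an added example of that database-backed variant (not code from the thread), written so that the database holds only a hash of the token, links expire, and each link is accepted once. It assumes PHP 7 or later with the `pdo_sqlite` extension, a writable `invites.sqlite` file next to the script, and a 24-hour lifetime (assumed policy); `accept.php` and `affiliate/index.php` are the assumed landing and target pages.

```php
<?php
// Added example, not code from the question or the answers: the database-backed
// invitation link suggested in the comments, with hashed, expiring, single-use tokens.
// Assumes PHP 7+ with pdo_sqlite and a writable invites.sqlite beside this file.
declare(strict_types=1);

const INVITE_TTL = 86400; // seconds a link stays valid (assumed policy: 24 h)

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . __DIR__ . '/invites.sqlite');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS invites (
            email     TEXT PRIMARY KEY,
            code_hash TEXT NOT NULL,
            expires   INTEGER NOT NULL,
            used      INTEGER NOT NULL DEFAULT 0)');
    }
    return $pdo;
}

// Creates (or replaces) the invitation for $email and returns the link to mail.
// Only a hash of the token is stored, so a copied database yields no usable links.
function createInviteLink(string $email, string $baseUrl): string
{
    $code = bin2hex(random_bytes(16));        // 128-bit random token, not guessable
    $stmt = db()->prepare('INSERT OR REPLACE INTO invites (email, code_hash, expires, used)
                           VALUES (:email, :hash, :expires, 0)');
    $stmt->execute([
        ':email'   => $email,
        ':hash'    => hash('sha256', $code),  // high-entropy token: a plain hash suffices
        ':expires' => time() + INVITE_TTL,
    ]);
    return $baseUrl . '?' . http_build_query(['email' => $email, 'code' => $code]);
}

// Looks the row up by e-mail, compares in constant time, enforces expiry and single use.
function acceptInvite(string $email, string $code): bool
{
    $pdo  = db();
    $stmt = $pdo->prepare('SELECT code_hash, expires, used FROM invites WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['used'] || time() > (int) $row['expires']) {
        return false;
    }
    if (!hash_equals($row['code_hash'], hash('sha256', $code))) {
        return false;
    }
    $pdo->prepare('UPDATE invites SET used = 1 WHERE email = :email')
        ->execute([':email' => $email]);
    return true;
}

// accept.php request handling: the mailed link is opened with GET, so read $_GET here.
// (On the sending side: mail($email, 'Your invitation', createInviteLink($email, 'https://example.com/accept.php'));)
if (php_sapi_name() !== 'cli') {
    session_start();
    $email = filter_var($_GET['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $code  = (string) ($_GET['code'] ?? '');
    if ($email !== false && acceptInvite($email, $code)) {
        $_SESSION['invited_email'] = $email;  // what the registration page checks
        header('Location: affiliate/index.php');
        exit;
    }
    http_response_code(403);
    echo 'Invalid, expired or already used invitation link.';
}
```

Two design points differ from the comment's sketch: the lookup is by e-mail and the comparison is `hash_equals()` on hashes, so neither the stored value nor the comparison time reveals the token; and the `used` flag plus `expires` mean a link forwarded or found in an old mailbox cannot be replayed. The token is 128 bits from `random_bytes()`, which is why a fast hash rather than `password_hash()` is acceptable here; a short human-typed code like the 8-character one on this page would need the slow hash and the attempt limit instead.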