0

I am trying to implement a PHP image verification code. Here is the test.php file:

    <form method="POST" action="processor.php">
      <div style="float:left;">Code: <input type="text" name="verif_box" style="cursor:text"></div>
      <div style="margin-top:0px;position:relative;left:5px;top:-8px;"><img src="image.php"></div>
      <input type="submit" name="submit" value="Submit">
    </form>

Here is image.php:

    $width = 60;
    $height = 24;

    $my_image = imagecreatetruecolor($width, $height);

    imagefill($my_image, 0, 0, 0xFFFFFF);

    for ($c = 0; $c < 110; $c++) {
        $x = rand(0, $width - 1);
        $y = rand(0, $height - 1);
        imagesetpixel($my_image, $x, $y, 0x000000);
    }

    $sessioncode = rand(0, 9999);
    imagestring($my_image, 5, 0, 0, substr(strtoupper(md5("Mytext" . $sessioncode)), 0, 6), $textcolor);
    setcookie('tntcon', (md5("Mytext" . $sessioncode)));
    imagejpeg($my_image);
    imagedestroy($my_image);
    exit();

Here is processor.php:

    $verif_box = $_POST["verif_box"];
    if (strtoupper($_COOKIE['tntcon']) == strtoupper($verif_box)) {
        echo "right code";
    } else {
        echo "wrong code";
    }

The problem is that even when I input the right verification code, processor.php always gives me the "wrong code" message. What am I doing wrong?

Chris Morgan
smith
  • I would check that the cookie is being set properly. Have you tried printing both values (cookie and post) in that same line where you print "right code"? – AJJ Nov 24 '11 at 08:43

2 Answers

3

You are storing not the code in the cookie but the complete md5-hash of the code.

    setcookie('tntcon',(md5("Mytext".$sessioncode)));

Store only the first 6 characters in the cookie.

    setcookie('tntcon',(strtoupper(substr(md5("Mytext".$sessioncode), 0, 6))));

Another (better) option is to store the code in the session:

    //image.php
    session_start();
    $_SESSION['code'] = strtoupper(substr(md5('Mytext' . $sessioncode), 0, 6));

    //processor.php
    session_start();
    if ($_SESSION['code'] == strtoupper($_POST["verif_box"])) {
        // Correct code
    } else {
        // Incorrect code
        unset($_SESSION['code']);
    }
trapp
  • Also if you use an MD5 hash as the captcha image, you are limiting the available character set to 0-9, a-f. It's better to generate a random code from the full alphabet and set of numbers. And for failed attempts, don't forget to clear the code from the session, otherwise your captcha can be easily brute forced. – Zsolt Szeberenyi Nov 24 '11 at 09:04
  • Thanks for the help. Do I need to use unset() to clear the session, and if I want to generate a combination of characters and numbers, do I need to create a function myself? – smith Nov 24 '11 at 12:32
  • @smith I've added the line for unsetting the session variable to my answer above. To generate an alphanumeric code consisting of 0-9 and a-z, take a function from this question: http://stackoverflow.com/questions/1837432/how-to-generate-random-password-with-php – trapp Nov 25 '11 at 08:58
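
As an added example (not code from the question or from either answer), here is one way to combine the points in the answer and comments above: the code is kept only in the session, drawn from a wider alphabet with random_int(), and discarded after a single check. The helper names captcha_issue() and captcha_check(), the alphabet and the 300-second lifetime are assumptions; in a real page, pass $_SESSION after session_start() instead of the demo array.

```php
<?php
// Added example: single-use CAPTCHA code kept server-side, never in a cookie.
// captcha_issue() and captcha_check() are hypothetical helper names.

const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // look-alikes 0/O/1/I left out
const CAPTCHA_TTL = 300; // seconds a code stays valid (assumed value)

// image.php side: create the code, store it in the session, return it for imagestring().
function captcha_issue(array &$session, int $length = 6): string
{
    $alphabet = CAPTCHA_ALPHABET;
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)]; // CSPRNG, unlike rand()
    }
    $session['captcha'] = ['code' => $code, 'expires' => time() + CAPTCHA_TTL];
    return $code;
}

// processor.php side: compare once, then discard the code whatever the outcome.
function captcha_check(array &$session, $submitted): bool
{
    $stored = $session['captcha'] ?? null;
    unset($session['captcha']); // one attempt per issued code: no guessing loop, no replay
    if (!is_array($stored) || !is_string($submitted) || time() > $stored['expires']) {
        return false;
    }
    // Constant-time comparison; user input is normalised to upper case first.
    return hash_equals($stored['code'], strtoupper(trim($submitted)));
}

// Demo with a plain array standing in for $_SESSION (constructed input).
$session = [];
$code = captcha_issue($session);
var_dump(captcha_check($session, 'WRONG1'));          // wrong guess: consumes the code
var_dump(captcha_check($session, $code));             // retry against the consumed code
$code = captcha_issue($session);                      // a new image request issues a new code
var_dump(captcha_check($session, strtolower($code))); // right answer, typed in lower case
var_dump(captcha_check($session, $code));             // replay of an already used code
```

Because the code is unset on every check, the form has to reload image.php after each submission, successful or not.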
0

You are only showing 6 characters in the image but storing the whole md5 hash in the cookie. A better way to do this would be like so:

    $captchacode = substr(strtoupper(md5(rand(234,234234))), 2,6);
    imagestring($my_image, 5, 0, 0, $captchacode, $textcolor);
    setcookie('tntcon', $captchacode);
Meisam Mulla