[php]Problem with rand

I'm making a reply script at the moment which requires you to enter a security code to prevent spamming.

this is the script I use for it:
PHP:
<?php 
$scode = rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9);
if(!isset($_POST['submit'])) {
?>
<div>
<form action ="<?php echo $_SERVER['PHP_SELF']; ?>" method ="post">
Name: 
<br/><input name="name" size="20" type="text" align="left" maxlength="20">
<br/>
Enter the security code: 
<br/><input name ="code" size="20" type="text" align="left"><?php echo"$scode";?>
<br/>
Message:
<br/>
<textarea name="message" rows="5" cols="50"> Adding comments hasn't been enabled yet.</textarea>
<input type="submit" name="submit" value="Go">
</form>
</div>
<?php
} else {

if($_POST['code'] == $scode) { /* ...rest of script */ } else { echo "Wrong security code"; }
}
?>

The problem is that the $scode that is being echoed and the $scode in the if-statement aren't the same, because it apparently rands again in the if-statement. I've tried $_GET['$scode'], but that didn't really work.
Any suggestions?
 
I use verification with images.

random.php
Code:
<?php
session_start();

// make a string with all the characters that we 
// want to use as the verification code
$alphanum  = "abcdefghijklmnopqrstuvwxyz0123456789";

// generate the verification code
$rand = substr(str_shuffle($alphanum), 0, 5);

// create the hash for the verification code
// and put it in the session
$_SESSION['image_random_value'] = md5($rand);

// create the image
$image = imagecreate(100, 30);

// use white as the background image
$bgColor = imagecolorallocate ($image, 255, 255, 255); 

// the text color is black
$textColor = imagecolorallocate ($image, 0, 0, 0); 

// write the random number
imagestring ($image, 5, 25, 8,  $rand, $textColor); 
	
// send several headers to make sure the image is not cached	
// taken directly from the PHP Manual
	
// Date in the past 
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); 

// always modified 
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); 

// HTTP/1.1 
header("Cache-Control: no-store, no-cache, must-revalidate"); 
header("Cache-Control: post-check=0, pre-check=0", false); 

// HTTP/1.0 
header("Pragma: no-cache"); 	


// send the content type header so the image is displayed properly
header('Content-type: image/jpeg');

// send the image to the browser
imagejpeg($image);

// destroy the image to free up the memory
imagedestroy($image);
?>


Script:
Code:
<?php
session_start();

if(!isset($_POST['submit'])) {
?>
<div>
<form action ="<?php echo $_SERVER['PHP_SELF']; ?>" method ="post">
Name: 
<br/><input name="name" size="20" type="text" align="left" maxlength="20">
<br/>
Enter the security code: 
<br/><input name ="code" size="20" type="text" align="left"><img src="random.php">
<br/>
Message:
<br/>
<textarea name="message" rows="5" cols="50"> Adding comments hasn't been enabled yet.</textarea>
<input type="submit" name="submit" value="Go">
</form>
</div>
<?php
} else {
// only read the field on submit, so the first page load does not raise an undefined-index notice
$number = isset($_POST['code']) ? $_POST['code'] : '';
// strict comparison: with == PHP would treat two hashes that look like "0e..." as equal numbers
if (isset($_SESSION['image_random_value']) && md5($number) === $_SESSION['image_random_value']) {
// SCRIPT
} else {
echo "Wrong security code";
}
}
?>
 

I'm not really good at PHP, but I think the first thing that happens is: you generate a random number, then if the user hasn't clicked on submit, the form is created (and there the echo). After he clicks on submit, the whole page gets reloaded, and the first thing that happens again is that you create a new random number. So probably you should swap these lines:

PHP:
$scode = rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9);
if(!isset($_POST['submit'])) {
-->
PHP:
if(!isset($_POST['submit'])) {
$scode = rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9);

I might be wrong though, never really used php

EDIT: hmm but then, if the page reloads, $scode is empty again I think, so you should probably save it somewhere..
 
Of course it is different. You first generate the random code, then display it in the form. The form gets submitted and the page is refreshed. Then you generate a random code AGAIN, which is not the same as what the user entered.

PHP:
<?php
session_start();
if(!isset($_POST['submit'])) {
$_SESSION['scode'] = rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9) . rand(1,9);
?>
<div>
<form action ="<?php echo $_SERVER['PHP_SELF']; ?>" method ="post">
Name: 
<br/><input name="name" size="20" type="text" align="left" maxlength="20">
<br/>
Enter the security code: 
<br/><input name ="code" size="20" type="text" align="left"><?php echo $_SESSION['scode'];?>
<br/>
Message:
<br/>
<textarea name="message" rows="5" cols="50"> Adding comments hasn't been enabled yet.</textarea>
<input type="submit" name="submit" value="Go">
</form>
</div>
<?php
} else {

if($_POST['code'] == $_SESSION['scode']) { /* ...rest of script */ } else { echo "Wrong security code"; }
}
?>

It is best to use GD lib for this kind of verification (bot/human). This will generate an image with the code, encrypt the code and put it in a DB. That is much safer, as bots in your script will just be able to read the code (just like users can copy-paste it).
 
Yah... you could just make the bot copy and paste the code...
There's a post somewhere in here that has a few good scripts for GD captchas.
 
Well, I didn't read any post but the first one, but I got 2 suggestions that might help:
1. Use mt_rand() instead. It's better and faster
2. Store the rands in a DB, and send the code as a hidden field in the form.
3. Hi Pieman, been forever ;]


[Fd]
 
As a hidden field? That would be just as insecure. Javascript injection and they can even choose what code they want to fill in...
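Putting the two points together (the session fix from the earlier reply, and the objection above that a hidden field lets the client choose its own code), here is one script that issues and checks the code server-side. This is an added example, not code posted in the thread; it assumes PHP 7 or later for random_int() and hash_equals(), and keeps the thread's field names.

```php
<?php
// Added example, not from the thread. Generate and verify in one script so
// both requests use the same value, kept server-side in the session only.
// Assumes PHP 7+ (random_int, hash_equals) and the thread's form field names.
session_start();

function generate_code(): string {
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= random_int(1, 9);   // CSPRNG instead of rand()
    }
    $_SESSION['scode'] = $code;      // never sent to the client as a hidden field
    $_SESSION['scode_time'] = time();
    return $code;
}

function verify_code($submitted): bool {
    if (!isset($_SESSION['scode'], $_SESSION['scode_time'])) {
        return false;                // no code was issued for this session
    }
    $expected = $_SESSION['scode'];
    $issued   = $_SESSION['scode_time'];
    // one-time use: discard the code whether the answer is right or wrong,
    // so a failed attempt cannot be retried against the same value
    unset($_SESSION['scode'], $_SESSION['scode_time']);
    if (time() - $issued > 300) {
        return false;                // expired after five minutes
    }
    // is_string rejects code[]=... arrays; hash_equals avoids == coercion
    return is_string($submitted) && hash_equals($expected, $submitted);
}

if (!isset($_POST['submit'])) {
    $scode = generate_code();
    // the thread's plain-text variant; the image script could be used instead
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
Enter the security code: <?php echo $scode; ?>
<br/><input name="code" size="20" type="text">
<input type="submit" name="submit" value="Go">
</form>
<?php
} elseif (verify_code($_POST['code'] ?? null)) {
    echo "Code accepted";            // ...rest of script goes here
} else {
    echo "Wrong security code";
}
```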
 