Euphoria
22 May 2008, 08:48 PM
Hi Guys,
I have a form which has a captcha security in it. The form works fine if you dont fill out a particular field it will notify you etc, the problem im having is say the random captcha number was "73h64h" i could type in 123456 and it would still send the form, here is the code if it helps
<div align="left">
<?php
if (isset($_POST["op"]) && ($_POST["op"]=="send")) {
/******** START OF CONFIG SECTION *******/
$sendto = "xxx@xxx.com";
$subject = "Contact Enquiry";
// Select if you want to check form for standard spam text
$SpamCheck = "Y"; // Y or N
$SpamReplaceText = "*content removed*";
// Error message prited if spam form attack found
$SpamErrorMessage = "<p align=\"center\"><font color=\"red\">Malicious code content detected.
</font><br><b>Your IP Number of <b>".getenv("REMOTE_ADDR")."</b> has been logged.</b></p>";
/******** END OF CONFIG SECTION *******/
$firstname = $HTTP_POST_VARS['firstname'];
$lastname = $HTTP_POST_VARS['lastname'];
$company = $HTTP_POST_VARS['company'];
$phone = $HTTP_POST_VARS['phone'];
$services = $HTTP_POST_VARS['services'];
$email = $HTTP_POST_VARS['email'];
$message = $HTTP_POST_VARS['message'];
$security_code = $HTTP_POST_VARS['security_code'];
$headers = "From: $email\n";
$headers . "MIME-Version: 1.0\n"
. "Content-Transfer-Encoding: 7bit\n"
. "Content-type: text/html; charset = \"iso-8859-1\";\n\n";
if ($SpamCheck == "Y") {
// Check for Website URL's in the form input boxes as if we block website URLs from the form,
// then this will stop the spammers wastignt ime sending emails
if (preg_match("/http/i", "$firstname")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$lastname")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$company")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$phone")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$services")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$email")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$message")) {echo "$SpamErrorMessage"; exit();}
// Patterm match search to strip out the invalid charcaters, this prevents the mail injection spammer
$pattern = '/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i'; // build the pattern match string
$firstname = preg_replace($pattern, "", $firstname);
$lastname = preg_replace($pattern, "", $lastname);
$company = preg_replace($pattern, "", $company);
$phone = preg_replace($pattern, "", $phone);
$email = preg_replace($pattern, "", $email);
$services = preg_replace($pattern, "", $services);
$message = preg_replace($pattern, "", $message);
$security_code = preg_replace($pattern, "", $security_code);
// Check for the injected headers from the spammer attempt
// This will replace the injection attempt text with the string you have set in the above config section
$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
$email = preg_replace($find, "$SpamReplaceText", $email);
$firstname = preg_replace($find, "$SpamReplaceText", $firstname);
$lastname = preg_replace($find, "$SpamReplaceText", $lastname);
$company = preg_replace($find, "$SpamReplaceText", $company);
$phone = preg_replace($find, "$SpamReplaceText", $phone);
$services = preg_replace($find, "$SpamReplaceText", $services);
$message = preg_replace($find, "$SpamReplaceText", $message);
// Check to see if the fields contain any content we want to ban
if(stristr($firstname, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($lastname, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($company, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($phone, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($services, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($message, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
// Do a check on the send email and subject text
if(stristr($sendto, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($subject, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
}
// Build the email body text
$emailcontent = "
-----------------------------------------------------------------------------
WEBSITE CONTACT ENQUIRY
-----------------------------------------------------------------------------
First Name: $firstname
Last Name: $lastname
Company: $company
Phone: $phone
Email: $email
Service: $services
Message: $message
_______________________________________
End of Email
";
// Check the email address enmtered matches the standard email address format
if (!eregi("^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,6}$", $email)) {
echo "<p>It appears you entered an invalid email address</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($firstname)) {
echo "<p>Please go back and enter a First Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($lastname)) {
echo "<p>Please go back and enter a Last Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($company)) {
echo "<p>Please go back and enter your Company Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($phone)) {
echo "<p>Please go back and enter your Telephone Number</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($services)) {
echo "<p>Please go back and enter a required Service</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($message)) {
echo "<p>Please go back and type a Message</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($security_code)) {
echo "<p>Please go back and enter the correct security code</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($email)) {
echo "<p>Please go back and enter an Email</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
// Sends out the email or will output the error message
elseif (mail($sendto, $subject, $emailcontent, $headers)) {
echo "<br><br><p><b>Thank You $firstname</b></p><p>We will be in touch as soon as possible.</p>";
}
}
else {
?>
</div>
<br>
</p>
<form method="post">
<input name="op" type="hidden" value="send" />
<fieldset>
<legend>Contact </legend><br />
<table width="315" border="0" cellpadding="0" cellspacing="5">
<tr>
<th width="82" scope="col"><div align="left"><strong>First Name:</strong></div></th>
<th width="8" scope="col"><div align="left"></div></th>
<th width="205" scope="col">
<div align="left">
<input type="text" name="firstname" id="firstname" />
</div></th>
</tr>
<tr>
<th scope="col"><div align="left">Last Name:</div></th>
<th scope="col"> </th>
<th scope="col"><div align="left">
<- (rest of form info here) ->
<th scope="col"> </th>
<th scope="col"><div align="left"><img src="includes/captcha.php" alt="" /></div></th>
</tr>
<tr>
<th scope="col"><div align="left"><strong>Security: </strong></div></th>
<th scope="col"> </th>
<th scope="col"><div align="left">
<input type="text" name="security_code" id="security_code" />
</div></th>
</tr>
<tr>
<th scope="col"> </th>
<th scope="col"> </th>
<th scope="col"> </th>
</tr>
<tr>
<th scope="col"> </th>
<th scope="col"> </th>
<th scope="col"><div align="left">
<input type="submit" name="button" id="button" value="Submit" />
</div></th>
</tr>
</table>
</div>
</fieldset>
</form>
<?php } ?>
</td>
</tr>
</table>
I have a form which has a captcha security in it. The form works fine if you dont fill out a particular field it will notify you etc, the problem im having is say the random captcha number was "73h64h" i could type in 123456 and it would still send the form, here is the code if it helps
<div align="left">
<?php
if (isset($_POST["op"]) && ($_POST["op"]=="send")) {
/******** START OF CONFIG SECTION *******/
$sendto = "xxx@xxx.com";
$subject = "Contact Enquiry";
// Select if you want to check form for standard spam text
$SpamCheck = "Y"; // Y or N
$SpamReplaceText = "*content removed*";
// Error message prited if spam form attack found
$SpamErrorMessage = "<p align=\"center\"><font color=\"red\">Malicious code content detected.
</font><br><b>Your IP Number of <b>".getenv("REMOTE_ADDR")."</b> has been logged.</b></p>";
/******** END OF CONFIG SECTION *******/
$firstname = $HTTP_POST_VARS['firstname'];
$lastname = $HTTP_POST_VARS['lastname'];
$company = $HTTP_POST_VARS['company'];
$phone = $HTTP_POST_VARS['phone'];
$services = $HTTP_POST_VARS['services'];
$email = $HTTP_POST_VARS['email'];
$message = $HTTP_POST_VARS['message'];
$security_code = $HTTP_POST_VARS['security_code'];
$headers = "From: $email\n";
$headers . "MIME-Version: 1.0\n"
. "Content-Transfer-Encoding: 7bit\n"
. "Content-type: text/html; charset = \"iso-8859-1\";\n\n";
if ($SpamCheck == "Y") {
// Check for Website URL's in the form input boxes as if we block website URLs from the form,
// then this will stop the spammers wastignt ime sending emails
if (preg_match("/http/i", "$firstname")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$lastname")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$company")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$phone")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$services")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$email")) {echo "$SpamErrorMessage"; exit();}
if (preg_match("/http/i", "$message")) {echo "$SpamErrorMessage"; exit();}
// Patterm match search to strip out the invalid charcaters, this prevents the mail injection spammer
$pattern = '/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i'; // build the pattern match string
$firstname = preg_replace($pattern, "", $firstname);
$lastname = preg_replace($pattern, "", $lastname);
$company = preg_replace($pattern, "", $company);
$phone = preg_replace($pattern, "", $phone);
$email = preg_replace($pattern, "", $email);
$services = preg_replace($pattern, "", $services);
$message = preg_replace($pattern, "", $message);
$security_code = preg_replace($pattern, "", $security_code);
// Check for the injected headers from the spammer attempt
// This will replace the injection attempt text with the string you have set in the above config section
$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
$email = preg_replace($find, "$SpamReplaceText", $email);
$firstname = preg_replace($find, "$SpamReplaceText", $firstname);
$lastname = preg_replace($find, "$SpamReplaceText", $lastname);
$company = preg_replace($find, "$SpamReplaceText", $company);
$phone = preg_replace($find, "$SpamReplaceText", $phone);
$services = preg_replace($find, "$SpamReplaceText", $services);
$message = preg_replace($find, "$SpamReplaceText", $message);
// Check to see if the fields contain any content we want to ban
if(stristr($firstname, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($lastname, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($company, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($phone, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($services, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($message, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
// Do a check on the send email and subject text
if(stristr($sendto, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
if(stristr($subject, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
}
// Build the email body text
$emailcontent = "
-----------------------------------------------------------------------------
WEBSITE CONTACT ENQUIRY
-----------------------------------------------------------------------------
First Name: $firstname
Last Name: $lastname
Company: $company
Phone: $phone
Email: $email
Service: $services
Message: $message
_______________________________________
End of Email
";
// Check the email address enmtered matches the standard email address format
if (!eregi("^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,6}$", $email)) {
echo "<p>It appears you entered an invalid email address</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($firstname)) {
echo "<p>Please go back and enter a First Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($lastname)) {
echo "<p>Please go back and enter a Last Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($company)) {
echo "<p>Please go back and enter your Company Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($phone)) {
echo "<p>Please go back and enter your Telephone Number</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($services)) {
echo "<p>Please go back and enter a required Service</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($message)) {
echo "<p>Please go back and type a Message</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($security_code)) {
echo "<p>Please go back and enter the correct security code</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
elseif (!trim($email)) {
echo "<p>Please go back and enter an Email</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
}
// Sends out the email or will output the error message
elseif (mail($sendto, $subject, $emailcontent, $headers)) {
echo "<br><br><p><b>Thank You $firstname</b></p><p>We will be in touch as soon as possible.</p>";
}
}
else {
?>
</div>
<br>
</p>
<form method="post">
<input name="op" type="hidden" value="send" />
<fieldset>
<legend>Contact </legend><br />
<table width="315" border="0" cellpadding="0" cellspacing="5">
<tr>
<th width="82" scope="col"><div align="left"><strong>First Name:</strong></div></th>
<th width="8" scope="col"><div align="left"></div></th>
<th width="205" scope="col">
<div align="left">
<input type="text" name="firstname" id="firstname" />
</div></th>
</tr>
<tr>
<th scope="col"><div align="left">Last Name:</div></th>
<th scope="col"> </th>
<th scope="col"><div align="left">
<- (rest of form info here) ->
<th scope="col"> </th>
<th scope="col"><div align="left"><img src="includes/captcha.php" alt="" /></div></th>
</tr>
<tr>
<th scope="col"><div align="left"><strong>Security: </strong></div></th>
<th scope="col"> </th>
<th scope="col"><div align="left">
<input type="text" name="security_code" id="security_code" />
</div></th>
</tr>
<tr>
<th scope="col"> </th>
<th scope="col"> </th>
<th scope="col"> </th>
</tr>
<tr>
<th scope="col"> </th>
<th scope="col"> </th>
<th scope="col"><div align="left">
<input type="submit" name="button" id="button" value="Submit" />
</div></th>
</tr>
</table>
</div>
</fieldset>
</form>
<?php } ?>
</td>
</tr>
</table>