Forum Moderators: coopster
If the form passes the first-step validation, it prints a confirmation page with a numerical equation (same type as Matt Cutts').
At the moment I create the equation upon successful form validation (first step) and put the result of the equation in a $_SESSION variable. I use it to check the result given by the form on the second step.
What I am wondering is whether this method is 'safe'. I mean, could a form spammer check the session vars, use the session value set for the captcha result, and automatically add the right value in a $_POST for the form on the second step?
Another way of thinking is to look beyond the first layer of security: if they cannot pass through security levels one and two, perhaps they could bypass them and grab the form.
Also not a bad idea to add an ereg_replace() to remove/replace either or both CC and BCC.
Funny how one swiftly becomes some sort of expert on a given problem when the problem hits you in the face :)
<edit>
Don't forget to add " : " to CC: and BCC:,
or you could remove some needed double-c characters.
</edit>
You should first delete the previous/existing email account(s) while updating the security.
Updating security won't help that much (at least not immediately) if the spammers have already got a bunch of email addresses.
I also recommend checking whether it is possible to reach the form and submit it while bypassing your security "watchdogs".
The CC: and BCC: section is related to spammers passing their spam via CC and BCC; as such, if no CC/BCC is allowed you could at least win that one fight.
If you have access to your own mail server you could disallow CC and BCC
But that’s pretty drastic.
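Since the thread talks about removing CC/BCC with ereg_replace(), here is an added example (not the poster's code) of the same defence written for current PHP: ereg_replace() was deprecated in PHP 5.3 and removed in 7.0, and the safer habit is to reject a header field that carries a line break or a "Cc:"/"Bcc:" token rather than to patch it up. Field names, the From: address and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: refuse header injection in the
// user-supplied fields that end up in mail() headers. Field names and the
// From: address are assumptions.

declare(strict_types=1);

/**
 * True if $value could start a new mail header. A header ends at CR or LF, so
 * any line break (or NUL) in a header value is an attack. Checking for the
 * "cc:"/"bcc:" tokens as well, including the colon as the thread notes, is a
 * belt-and-braces measure; the line-break check is the real defence.
 */
function looksLikeHeaderInjection(string $value): bool
{
    // %0a / %0d have already been URL-decoded into $_POST, so test the raw bytes.
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return true;
    }
    return preg_match('/\b(?:cc|bcc)\s*:/i', $value) === 1;
}

/**
 * Validate the visitor's address for Reply-To: one well-formed address only.
 * FILTER_VALIDATE_EMAIL rejects addresses containing CR/LF or spaces, so a
 * second header cannot survive this check either.
 */
function cleanReplyAddress(string $value): ?string
{
    $value = trim($value);
    if (strlen($value) > 254 || looksLikeHeaderInjection($value)) {
        return null;
    }
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Validate a one-line subject: no line breaks, no header tokens, sane length. */
function cleanSubject(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 200 || looksLikeHeaderInjection($value)) {
        return null;
    }
    return $value;
}

/**
 * Build the headers for mail(). Only fixed, server-controlled headers are
 * emitted; the one user-controlled value (Reply-To) has been validated above.
 */
function buildHeaders(string $replyTo): string
{
    return implode("\r\n", [
        'From: form@example.org',            // assumption: the site's own address
        'Reply-To: ' . $replyTo,
        'Content-Type: text/plain; charset=UTF-8',
    ]);
}

// Constructed inputs for the demonstration (what $_POST['email'] might hold).
$attempts = [
    "alice@example.net",
    "alice@example.net\r\nBcc: victim1@example.com,victim2@example.com",
    "bcc: nobody@example.com",
];
foreach ($attempts as $input) {
    $clean = cleanReplyAddress($input);
    printf("%-70s => %s\n", json_encode($input), $clean === null ? 'REJECTED' : 'ok: ' . $clean);
    if ($clean !== null) {
        echo buildHeaders($clean), "\n";
    }
}
```

The recipient address never comes from the form at all; it is a constant on the server. That way the only place a spammer can put text is the body, which mail() does not interpret as headers.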
No it's not an existing site, it's a new one I am currently working on.
The form steps and the security check are on a $_SERVER['PHP_SELF'] page. Everything happens on the same page. To bypass the security and send an email, the spammers would have to create all the right $_SESSION vars with the right type of data and hit the right number for the captcha.
I think that having everything on the same page makes it harder to 'bypass'. Am I right?
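To make the two-step check concrete, here is an added example (not the poster's code) of the arrangement described in this thread: step one stores the answer to the equation in $_SESSION and shows the question, step two compares the submitted answer against it. Session data lives on the server, so the visitor only ever holds the session cookie ID, never the answer; what is left to a spammer is guessing, which is why the example makes each answer single-use, caps the attempts and expires the question. The field names ($_POST['step'], $_POST['captcha']) and the session key are assumptions.

```php
<?php
// Added example, not the poster's code: a session-backed arithmetic captcha for
// a two-step, same-page form. Field names and the session key are assumptions.

declare(strict_types=1);
session_start();

/** Create a fresh equation, keep the answer server-side, return the question text. */
function newCaptcha(): string
{
    $a  = random_int(1, 9);
    $b  = random_int(1, 9);
    $op = random_int(0, 1) === 0 ? '+' : '-';
    if ($op === '-' && $b > $a) {
        [$a, $b] = [$b, $a];               // keep the answer non-negative for the visitor
    }
    $question = sprintf('What is %d %s %d?', $a, $op, $b);
    $_SESSION['captcha'] = [
        'question' => $question,
        'answer'   => (string)($op === '+' ? $a + $b : $a - $b),
        'issued'   => time(),
        'tries'    => 0,
    ];
    return $question;
}

/**
 * Check the submitted answer against the one stored in the session.
 * The visitor cannot read $_SESSION, so the only attacks are guessing and
 * replaying a known-good answer; both are handled here.
 */
function checkCaptcha(string $submitted, int $maxTries = 3, int $ttl = 600): bool
{
    $c = $_SESSION['captcha'] ?? null;
    if ($c === null) {
        return false;                      // step one never ran in this session
    }
    $_SESSION['captcha']['tries']++;
    if (time() - $c['issued'] > $ttl || $_SESSION['captcha']['tries'] > $maxTries) {
        unset($_SESSION['captcha']);       // expired or too many guesses: new equation next time
        return false;
    }
    if (!hash_equals($c['answer'], trim($submitted))) {
        return false;                      // wrong guess; the same question is shown again
    }
    unset($_SESSION['captcha']);           // one answer, one submission: no replay
    return true;
}

$step = $_POST['step'] ?? '1';
if ($step === '2') {
    if (checkCaptcha((string)($_POST['captcha'] ?? ''))) {
        // mail() would go here, using the step-one data already validated into $_SESSION
        echo "Thank you, your message has been sent.\n";
        exit;
    }
    echo "<p>Wrong answer or expired question, please try again.</p>\n";
}

// Re-use the pending question so retries count against the same answer; otherwise start a new one.
$question = $_SESSION['captcha']['question'] ?? newCaptcha();
echo '<form method="post">'
   . '<input type="hidden" name="step" value="2">'
   . '<label>' . htmlspecialchars($question, ENT_QUOTES, 'UTF-8') . ' <input name="captcha"></label> '
   . '<button type="submit">Send</button></form>' . "\n";
```

Note that the check does not depend on which page the form posts to: whether step two lives on the same $_SERVER['PHP_SELF'] page or on a separate one, the answer is looked up in the server-side session either way.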
I think that having everything on the same page makes it harder to 'bypass'. Am I right?
It sounds pretty hard to bypass, but I don't think that having it on the same page makes any difference. If anything, I would have thought that it would be easier, because all the required fields can be submitted to the one page?
Further, if I am correct, there are reports of breaking CAPTCHA.
The real deal lies in checking thoroughly any sort of input, making sure that SUBMITTED DATA IS DATA EXPECTED, even drop box input needs to be verified.
And making sure that no CC or BCC could be injected
If anything, I would have thought that it would be easier, because all the required fields can be submitted to the one page?
barns101, some fields only become visible once the first step has been verified and the verified data has been stored in a $_SESSION.
Further, if I am correct, there are reports of breaking CAPTCHA.
Yes, there are people out there who spend their time trying to break them (a search for 'list of broken captchas' on Google will return some good sites). I think I read some time ago that image recognition software was better at 'seeing' the captchas than most humans. There were 4 or 5 things making captchas 'hard to read' and humans were only better at one of them.
I used the 'numerical' CAPTCHA because the site is about website accessibility and I couldn't justify the use of an image that 90% of people can't see.
The real deal lies in checking thoroughly any sort of input, making sure that SUBMITTED DATA IS DATA EXPECTED, even drop box input needs to be verified.
And making sure that no CC or BCC could be injected
Yep, as Chris Shiflett wrote (I think I once talked to you about reading the book), if you use a drop-down, verify the data with a switch statement to only accept the values it's supposed to give back.
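The "submitted data is data expected" rule from this thread, as an added example (not the poster's code and not Shiflett's): the drop-down is whitelisted with a switch, and nothing from $_POST is copied into the array that will be stored in $_SESSION for step two without passing a check. The field names, the allowed drop-down values, the length limits and the two sample submissions are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: whitelist validation of the
// step-one fields, so only expected values are kept for step two.
// Field names, allowed values and limits are assumptions.

declare(strict_types=1);

/** Whitelist the drop-down with a switch; anything else, including '', fails. */
function validateSubject(string $value): ?string
{
    switch ($value) {
        case 'general':
        case 'accessibility':
        case 'broken-link':
            return $value;               // one of the literals the form offers
        default:
            return null;                 // tampered or missing option
    }
}

/**
 * Validate every step-one field. Returns ['ok' => true, 'clean' => [...]] or
 * ['ok' => false, 'errors' => [...]]. $clean only ever receives values that
 * passed a check, so later code can trust its contents.
 */
function validateStepOne(array $post): array
{
    $clean  = [];
    $errors = [];

    $subject = validateSubject((string)($post['subject'] ?? ''));
    if ($subject === null) {
        $errors['subject'] = 'Please choose a subject from the list.';
    } else {
        $clean['subject'] = $subject;
    }

    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 80 || preg_match('/[\r\n]/', $name) === 1) {
        $errors['name'] = 'Please give your name on one line, up to 80 characters.';
    } else {
        $clean['name'] = $name;
    }

    $email = filter_var(trim((string)($post['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Please give a valid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || strlen($message) > 4000) {
        $errors['message'] = 'Please write a message of up to 4000 characters.';
    } else {
        $clean['message'] = $message;
    }

    return $errors === []
        ? ['ok' => true,  'clean'  => $clean]
        : ['ok' => false, 'errors' => $errors];
}

// Constructed submissions: one honest, one with a tampered drop-down and a header in the name.
$honest   = ['subject' => 'accessibility', 'name' => 'Alice',
             'email' => 'alice@example.net', 'message' => 'Hello'];
$tampered = ['subject' => 'admin@example.org', 'name' => "Bob\r\nBcc: x@example.com",
             'email' => 'bob@example.net', 'message' => 'Hi'];

foreach ([$honest, $tampered] as $submission) {
    $result = validateStepOne($submission);
    if ($result['ok']) {
        // In the real form this is the point where $result['clean'] goes into $_SESSION for step two.
        echo 'accepted: ', json_encode($result['clean']), "\n";
    } else {
        echo 'rejected: ', json_encode($result['errors']), "\n";
    }
}
```

The switch returns the literal that matched rather than the raw input, and the default branch rejects, so a value that is not in the form's option list can never be accepted, whatever the browser (or a script pretending to be one) sends.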