# PHP Implementing CAPTCHA in PHP

1. May 5, 2010

### bigdawg723

Hello All,

First and foremost, thanks for the help in the past. I've got a new issue and I think it's going to be fairly easy! (fingers crossed)

OK, I'm implementing SecurImage (Phpcaptcha.org) onto my website.

I've got everything installed and working correctly except for error handling. Basically... my form processes everything on a separate PHP page. On my form page, I have the captcha image displaying properly, the input fields inserted properly, and now I just need the validation to work. As it stands, you can input anything into the captcha field and it will send... simply because I can't figure out where to place the error handling code from the CAPTCHA script in my validation page.

Here's what PhpCaptcha has for instruction:

Now... here's where I run into trouble... I keep trying to place that code somewhere in my page... but the entire site goes down each time. I'm messing it up as I don't know where, in the form processing/error handling code, to place it.

Here's the code from my 'form processor' page.

PHP:

```php
//Contact Process
function contactProcess() {
    $name = $_POST['name'];
    $emailAddress = $_POST['email'];
    $phone1 = $_POST['phone1'];
    $phone2 = $_POST['phone2'];
    $phone3 = $_POST['phone3'];
    $phoneNumber = $phone1.'-'.$phone2.'-'.$phone3;
    $orderNumber = $_POST['order'];
    $message = $_POST['message'];
    $subject = $_POST['subject'];

    if (!$_POST['name'] || !$_POST['email'] || !$_POST['message']) {
        $msg = "<strong>ERROR: Missing fields. Please fill all required fields and re-submit the form.</strong>";
    } else {

        if(empty($_SESSION['proName'])) {
            $sql = "INSERT INTO tbl_contacts(con_name, con_email, con_phone, con_order, con_subject, con_message, con_date) VALUES('$name', '$emailAddress', '$phoneNumber', '$orderNumber', '$subject', '$message', NOW())";
        } else {
            $sql = "INSERT INTO tbl_contacts(con_name, con_email, con_phone, con_order, con_subject, con_message, con_date, con_des_name) VALUES('$name', '$emailAddress', '$phoneNumber', '$orderNumber', '$subject', '$message', NOW(), '".$_SESSION['proName']."')";
        }

        $result = dbQuery($sql);

        {

            if(empty($_SESSION['proName'])) {
                $to = 'name@MYSITE.com';
                /*
                $to = 'name@MYSITE.com' . ', '; // comma is intentional
                $to .= 'name@MYSITE.com';
                */

                //$to = 'email@gmail.com';
            } else {
                $selectDes = "SELECT * FROM tbl_distributor WHERE des_lname = '".$_SESSION['proName']."'";
                $queryResult = dbQuery($selectDes);
                $rowDes = dbFetchAssoc($queryResult);
                $to = $rowDes['des_email'];
            }

            //////////////////
            $frmtd_name = stripslashes($_POST['name']);
            $comments = nl2br(stripslashes($_POST['message']));
            $submitted_subject = $_POST['subject'];
            $subject = 'Web site contact form inquiry';
            $message = '
            <html>
            <head>
            <title>Web site contact form inquiry</title>
            </head>
            <body>
            <div style="font-family:arial; display:block; width:650px; padding:7px; border:solid 1px navy; background-color:#f3f8f8;">
            A new inquiry has just been submitted through the website.<br><br>
            <strong>Subject:</strong> ' . $submitted_subject . '<br>
            <strong>Name:</strong> ' . $frmtd_name . '<br>
            <strong>Email Address:</strong> ' . $emailAddress . '<br>
            <strong>Phone Number:</strong> ' . $phoneNumber . '<br>
            <strong>Order Number:</strong> ' . $orderNumber . '<br>
            <br>
            <strong>Message:</strong><br>
            ' . $comments . '
            <br><br>
            <small>System Generated Email</small>
            </div>
            </body>
            </html>
            ';

            $headers  = 'MIME-Version: 1.0' . "\r\n";
            $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
            $headers .= 'From: '.$frmtd_name.' <'.$emailAddress.'>' . "\r\n";

            if (mail($to, $subject, $message, $headers)) {

                ///////////////////

                $msg = "Your message has been successfully sent";
            } else {
                $msg = "<strong>Error: Message could not be sent</strong>";
            }

        }
    } // else - if (!$_POST['name'] || !$_POST['email'] || !$_POST['message'])
    return $msg;
}

function stripText($text) {
    $text = strtolower(trim($text));
    $clean = ereg_replace("[^A-Za-z0-9\_-]", "", $text);
    return $clean;
}
```

Thank you,
Josh

2. May 5, 2010

### davee123

I'm not really a PHP guy-- this stuff looks... incorrectly written to me, honestly. I would have expected the contactProcess() routine to return a success or failure, but instead it returns a text message, which means that the caller behaves the same way regardless of success or failure. ... Which, can work, I guess, but is odd.

I would expect that you need to put in an "elsif" clause after the first "if" statement. So, something like this:

Code (Text):

```php
....
$message = $_POST['message'];
$subject = $_POST['subject'];

include_once $_SERVER['DOCUMENT_ROOT'] . '/securimage/securimage.php';
$securimage = new Securimage();

if (!$_POST['name'] || !$_POST['email'] || !$_POST['message']) {
    $msg = "<strong>ERROR: Missing fields. Please fill all required fields and re-submit the form.</strong>";
} elseif ($securimage->check($_POST['captcha_code']) == false) {
    $msg = "<strong>ERROR: Incorrect Captcha.</strong>";
} else {
....
```

But if that doesn't work, then instead, JUST try the "include_once" directive. If that doesn't work, then you've got something wrong with your directory structure, and you should check your HTTP error log for problems, and make sure that "securimage.php" is really where it's supposed to be, and that all the subsequent files are similarly properly placed.

If adding the "include_once" directive works, then try adding the "new Securimage()" line next. If that doesn't work, you've got a problem with your installation, not sure what. Again, check your HTTP error log for potential error messages that could point you in the right direction.

If that part works, then you're probably fine to add in the "elseif" as shown above. But if not, again, check your HTTP error log. It's probably an installation problem with the particular PHP module.

...

But THAT's not why I'm actually writing this. THIS is:

FIX THIS:

Code (Text):

```php
if(empty($_SESSION['proName'])) {
    $sql = "INSERT INTO tbl_contacts(con_name, con_email, con_phone, con_order, con_subject, con_message, con_date) VALUES('$name', '$emailAddress', '$phoneNumber', '$orderNumber', '$subject', '$message', NOW())";
} else {
    $sql = "INSERT INTO tbl_contacts(con_name, con_email, con_phone, con_order, con_subject, con_message, con_date, con_des_name) VALUES('$name', '$emailAddress', '$phoneNumber', '$orderNumber', '$subject', '$message', NOW(), '".$_SESSION['proName']."')";
}
```

Just for a moment, consider what would happen if some malicious user tried to enter a message text of:

Code (Text):

```
This is my message';DROP TABLE tbl_contacts;SELECT 'haHA!
```

Or, which is more often the case, just some text with an apostrophe, which will cause your SQL to fail. Be sure to trap and escape characters which can break your SQL!

DaveE

3. May 5, 2010

### bigdawg723

DaveE... what do I replace that code with... the one where someone could mess with my SQL? I'm sorry... I'm a super noob at this!

Thanks a ton in advance... I cannot afford to have the entire DB crash!

Josh

4. May 5, 2010

### bigdawg723

By the way DaveE... you're the man.. that worked for the CAPTCHA... I copied and pasted that code word for word. Thanks a ton!

Please let me know if you have a suggestion to fix that vulnerability regarding the databases!

Josh

5. May 5, 2010

### davee123

I'm not a real PHP guy, so I don't know the details-- But I looked it up here:

http://en.wikibooks.org/wiki/PHP_Programming/SQL_Injection

So, it looks like you should use "mysql_real_escape_string()" for each parameter, or re-write the query so that it's parameterized (but I don't know if you need a database object for that-- they show some sort of "DB" library, I'm not sure if that's standard or what).

DaveE
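
The parameterized rewrite mentioned in the last reply, applied to the `tbl_contacts` INSERT from this thread. This is an added example, not code posted by either participant; it assumes PDO is available, uses an in-memory SQLite database in place of the poster's MySQL server so it runs offline, and `saveContact()` and the `con_id` column are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO is available,
// an in-memory SQLite database stands in for the poster's MySQL server,
// and saveContact() and the con_id column are hypothetical names.

function saveContact(PDO $db, array $post, ?string $proName): int
{
    // Column names are fixed in code; request data is only ever bound as values.
    $row = [
        'con_name'    => $post['name'] ?? '',
        'con_email'   => $post['email'] ?? '',
        'con_phone'   => implode('-', [$post['phone1'] ?? '', $post['phone2'] ?? '', $post['phone3'] ?? '']),
        'con_order'   => $post['order'] ?? '',
        'con_subject' => $post['subject'] ?? '',
        'con_message' => $post['message'] ?? '',
    ];
    if (!empty($proName)) {            // same branch as empty($_SESSION['proName'])
        $row['con_des_name'] = $proName;
    }
    $cols  = implode(', ', array_keys($row));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt  = $db->prepare(
        "INSERT INTO tbl_contacts ($cols, con_date) VALUES ($marks, CURRENT_TIMESTAMP)"
    );
    $stmt->execute(array_values($row));
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_contacts (con_id INTEGER PRIMARY KEY, con_name TEXT,
    con_email TEXT, con_phone TEXT, con_order TEXT, con_subject TEXT,
    con_message TEXT, con_des_name TEXT, con_date TEXT)');

// Constructed form input, using the message text quoted in the thread.
$post = [
    'name' => "Pat O'Brien", 'email' => 'pat@example.com',
    'phone1' => '555', 'phone2' => '010', 'phone3' => '0000',
    'order' => '', 'subject' => 'Question',
    'message' => "This is my message';DROP TABLE tbl_contacts;SELECT 'haHA!",
];
$id = saveContact($db, $post, null);

$check = $db->prepare('SELECT con_name, con_message FROM tbl_contacts WHERE con_id = ?');
$check->execute([$id]);
$stored = $check->fetch(PDO::FETCH_ASSOC);
echo ($stored['con_message'] === $post['message']) ? "stored verbatim\n" : "mismatch\n";
echo 'rows in tbl_contacts: ', $db->query('SELECT COUNT(*) FROM tbl_contacts')->fetchColumn(), "\n";
```

Against MySQL, only the PDO DSN and credentials change; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.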