使用会话存储针对PHP联系人表格的反垃圾邮件查询的答案

Question

I need help with a contact form for my website. I'll begin by explaining how my form is set up. My website has a single page ( index.php ) with three sections. The last one is "Contact Us" and it has a form where users are supposed to input their name, email address and a message.

My contact form worked ok, but it needed some security against spam bots. So I decided to add a simple anti-spam question, eg, "2 + 2." I wanted this question to be different each time and that's what's giving me problems. I'd really appreciate if you could point me in the right direction to solve this!

Here's the code I'm using. I'll explain it below.

<a name="contact"><h2>Contact Us</h2></a>
<?php
$operation = mt_rand(0, 2);
switch ($operation) {
    case 0:
        $r1    = mt_rand(0, 50);
        $r2    = mt_rand(0, 50);
        $r3    = $r1 + $r2;
        $query = "How much is $r1 + $r2?";
        break;
    case 1:
        $r1 = mt_rand(0, 50);
        do {
            $r2 = mt_rand(0, 50);
        } while ($r2 >= $r1);
        $r3        = $r1 - $r2;
        $query = "How much is $r1 - $r2?";
        break;
    case 2:
        $r1    = mt_rand(0, 10);
        $r2    = mt_rand(0, 10);
        $r3    = $r1 * $r2;
        $query = "How much is $r1 × $r2?";
        break;
}
if (isset($_POST["name"]) && isset($_POST["email"]) && isset($_POST["human"]) && isset($_POST["message"])) {
    $name    = spam_check('name');
    $from    = spam_check('email');
    $subject = empty($_POST['subject']) ? "Contact Form Message" : spam_check('subject');
    $human   = spam_check('human');
    $message = "<!DOCTYPE HTML><html><body><p>";
    $message .= "<strong>Name:</strong> " . $name . "<br>";
    $message .= "<strong>Email:</strong> <a href=\"mailto:" . $from . "\">" . $from . "</a></p>";
    $message .= "<p><strong>Message:</strong><br>" . spam_check('message') . "</p>";
    $message .= "</body></html>";
    $to      = "hello@example.com";
    $headers = "From: Me<hello@example.com>\nReply-To:" . $name . "<" . $from . ">\n";
    $headers .= "Mime-Version: 1.0\n";
    $headers .= "Content-Type: text/html; charset=UTF-8";
    if ($_POST['submit']) {
        if (!strcmp($human, $_SESSION['human'])) {
            if (mail($to, $subject, $message, $headers)) {
                echo "<p class=\"success\">Thanks for contacting us.</p>";
            } else {
                echo "<p class=\"failure\">Something went wrong, please try again!</p>";
            }
            unset($_SESSION['query']);
            unset($_SESSION['human']);
        } else {
            echo "<p class=\"warning\">You did not answer our anti-spam question. Do you need <a href=\"http://www.google.com/search?q=" . urlencode($_SESSION['query']) . "&amp;hl=en\">help</a>?</p>";
        }
    } else {
        echo "<p class=\"failure\">Something went wrong, please try again!</p>";
    }
}
if (!isset($_SESSION['human'])) {
    $_SESSION['query'] = $query;
    $_SESSION['human'] = "$r3";
} ?>
<form action="#contact" method="post">
    <input type="text" name="name" placeholder="Name" title="Name" required>
    <input type="email" name="email" placeholder="Email" title="Email" required>
    <input type="text" name="subject" placeholder="Subject" title="Subject">
    <input type="text" name="human" placeholder="<?php echo $query; ?>" title="<?php echo $query; ?>" required>
    <textarea name="message" placeholder="Write your message here&hellip;" title="Message" rows="10" cols="40" required></textarea>
    <input type="submit" name="submit" value="Send">
</form>

Here's the explanation of what I'm trying to achieve with the code above: first I generate one random number to decide if the question's going to be an addition, a subtraction or a multiplication. If I get:

• 0 , I generate two random numbers below 50 and add them.
• 1 , I generate two random numbers below 50 and subtract them (note: second number must not be greater than the first one to prevent negative results).
• 2 , I generate two random numbers below 10 and multiply them.

The question's result is stored in $r3 and the question itself is stored in $query .

Next, I check if the user has submitted the form. If they have, I extract their input using a function named spam_check . spam_check is supposed to stop header injection. It seems to work, although I haven't tested it thoroughly. Once I have extracted the values of each field, I start to construct the email's body and the headers. This works too. Hold on we're about to get to the problem.

The next step is to check if the user's answer to the anti-spam question ( $human ) matches the value of $r3 . This is the part that I can't get to work. I used to have a simple check: $human == $r3 , but I soon realized it wasn't going to work because once you submit the form, the page reloads and $r3 becomes a new number. So I decided that maybe sessions were the way to go out.

In the last lines, the value of $r3 is stored in $_SESSION['human'] if $_SESSION['human'] is unset (eg, the first time the page is loaded). To determine if the user answered correctly I use !strcmp($human, $_SESSION['human']) , but it doesn't work because $_SESSION['human'] does not store the value!

It looks like once you submit the form, the session is somehow lost and the stored values are reset. How can I store and preserve $r3 's value?

I've already checked if sessions are enabled in my server and I've also found the temporary session files (eg, query|s:20:"How much is 19 - 12?";human|s:1:"7"; ), so I don't where else to look for solutions.

Answer 1

You probably need to run

session_start();

in the beginning of your code. See http://www.php.net/session_start for more info. Notice that you should put session_start() before any other output to the browser.