机器人如何规避我的验证码?
[英]How is my captcha being circumvented by a bot?
问题描述
Here's my script to check for filled in fields: 
这是检查填充字段的脚本:
foreach($_POST as $key => $value){
//required fields
if(in_array($key, $required_fields) && empty($value) && $all_required_filled){
$error_message .= "<li>Not all required fields were filled out</li>";
$valid = false;
$all_required_filled = false;
}
//valid email address
if($key == 'email'){
if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
$error_message .= "<li>Invalid email format</li>";
$valid = false;
}
}
//captcha is valid
if($key == "captcha"){
if((int)$value !== (int)$_SESSION['veriword']){
$error_message .= "<li>The captcha was incorrect</li>";
$valid = false;
}
else{
$message .= "User entered {$value}. Correct answer was {$_SESSION['veriword']}";
}
continue;
}
}
Basically, if the captcha form field matches the session variable that the captcha plugin sets, the script prints a line in the the email that lists what the user entered, and the correct value. 基本上,如果验证码表单字段与验证码插件设置的会话变量匹配,则脚本会在电子邮件中打印一行,列出用户输入的内容以及正确的值。
When I fill out the captcha incorrectly, I can't send the form through, and get stuck on the page with an error message. 如果我错误地填写了验证码,我将无法发送表格,并在页面上显示一条错误消息。 Somehow, though, a spam bot is sending out the form successfully, without the line listing the form field and captcha values. 不过,垃圾邮件漫游器以某种方式成功发送了表单,但没有列出表单字段和验证码值的行。 So it's completely getting around the "if" statement, somehow? 因此,它完全绕开了“ if”语句,以某种方式? I'm not sure what's going on... 我不确定发生了什么...
1 个解决方案
解决方案1
2 已采纳 2017-05-08 23:49:04
Instead of looping over $_POST , check the the required inputs explicitly: 无需遍历$_POST ,而是显式检查所需的输入:
if (isset($_POST['captcha'])) {
if (intval($_POST['captcha']) !== $_SESSION['veriword']) {
$error_message .= "<li>The captcha was incorrect</li>";
$valid = false;
}
} else {
$error_message .= "<li>The captcha was not submitted</li>";
$valid = false;
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.