
Re:Having trouble integrating both my Captcha and my Php Code

I am having trouble integrating my registration form, which is in PHP, together with a captcha. I have tried integrating them together with my very limited coding knowledge, but when one enters the wrong verification code, it indicates so ("INCORRECT CAPTCHA"), but unfortunately it also enters the user in my MySQL DB, without first validating the captcha.

All the relevant code is as shown below, Kindly assist, Thank You!

1. Registration.php



    <div class="form-title">Sign Up</div>
    <div class="form-sub-title">It's free and anyone can join</div>

        <form method="post" action="check.php" enctype="multipart/form-data">

        <table width="864" align="center" cellpadding = "15">



            <tr>
                <td>FirstName:</td>
                <td><input type="text" name="FirstName" maxlength="10" required="" ></td>
              .....................................................................................................................................................................................................

         <td>&nbsp;</td>

</td>
  </tr> </td>
  <td>
 <?php
session_start();
echo '<form action="check.php" method="post">';
$rand_int1 = substr(mt_rand(),0,2);
$rand_int2 = substr(mt_rand(),0,1);
$rand_int3 = substr(mt_rand(),0,1);
$captcha_answer = $rand_int1 + $rand_int2 - $rand_int3;
$_SESSION['captcha_answer'] = $captcha_answer;
echo 'What is '.$rand_int1.' + '.$rand_int2.' - '.$rand_int3.'?<br>
<input type="text" name="captcha">
<td><input type="submit" value="Submit" name="registration" class="greenButton"/><img id="loading" src="img/ajax-loader.gif" alt="working.." /></td>
</form>';
?>
</td>
</tr>



2. Check.php


   <?php
session_start();
$captcha = $_POST['captcha'];
$captcha_answer = $_SESSION['captcha_answer'];

if($captcha != $captcha_answer) {
    echo 'Captcha is incorrect!';
}
else {
    echo 'Captcha is correct, congratulations! :)';
}
?>




<?php

if(isset($_POST['registration']))
{
    require "connection.php";
    $FirstName = strip_tags($_POST['FirstName']);
    $LastName = strip_tags($_POST['LastName']);
    $Msisdn = $_POST['Msisdn'];

    $month = $_POST['month'];
    $day = $_POST['day'];
    $year = $_POST['year'];

    $date = $year . "-" . $month . "-" . $day;
    $dob = date('y-m-d', strtotime($date));

    $Gender = $_POST['Gender'];
    $Faith = $_POST['Faith'];
    $City = $_POST['City'];
    $MarritalStatus = $_POST['MarritalStatus'];
    $Profession =$_POST['Profession'];
    $Country = $_POST['Country'];

    $query="insert into users set FirstName='".$FirstName."',LastName='".$LastName
        ."',Msisdn='".$Msisdn."',dob='".$dob."',Gender='".$Gender."',Faith='".$Faith."',City='".$City."',MarritalStatus='".$MarritalStatus."',Profession='".$Profession."',Country='".$Country."'";

    mysql_query($query)or  die("".mysql_error());

    echo "Successful Registration!";
}
?>

A captcha should be preventing a bot successfully submitting a form. x1 + x2 - x3 is just too easy for any automated form submitting.

To solve your task, in the if clause if(isset($_POST['registration'])) you also need to check the success of the captcha, change it to:

    if (isset($_POST['registration']) && $captcha === $captcha_answer)

You should also not be using mysql_ functions as they will soon be turned off in newer PHP versions.

Your code also looks like a nice target for hackers (SQL injection). You should validate the $_POST variables, not just put them into a simple query.

Like I enter ';DROP TABLE users;-- into First name.

The code here does not check if the captcha was successful. To do that, change

    if(isset($_POST['registration']))

to

    if(isset($_POST['registration']) && $captcha == $captcha_answer)
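The two points raised in the answers, applied together as an added example that is not code from the question or from either answer: the insert runs only after the captcha matches, and the form values are bound through placeholders instead of being concatenated into the query. PDO in place of `mysql_*`, the function name `register_user()`, the shortened column list and the in-memory SQLite database used for the demo are assumptions.

```php
<?php
// Added example. Assumptions: PDO replaces mysql_*; register_user() and the
// three-column users table are hypothetical stand-ins for the page's schema.

function register_user(PDO $pdo, array $post, array &$session): string
{
    // Take the expected answer out of the session so it can be used only once.
    $expected = $session['captcha_answer'] ?? null;
    unset($session['captcha_answer']);

    // The posted value is a string and the stored answer an integer:
    // require a well-formed integer, then compare as integers.
    $given = filter_var($post['captcha'] ?? '', FILTER_VALIDATE_INT);
    if ($expected === null || $given === false || $given !== (int) $expected) {
        return 'Captcha is incorrect!';   // return before any database work
    }

    // Placeholders keep user input out of the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO users (FirstName, LastName, Msisdn) VALUES (:first, :last, :msisdn)'
    );
    $stmt->execute([
        ':first'  => strip_tags($post['FirstName'] ?? ''),
        ':last'   => strip_tags($post['LastName'] ?? ''),
        ':msisdn' => $post['Msisdn'] ?? '',
    ]);
    return 'Successful Registration!';
}

// Constructed demo: in-memory SQLite stands in for the MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (FirstName TEXT, LastName TEXT, Msisdn TEXT)');

// Constructed form data; the first name is the input quoted in the answer above.
$form = ['FirstName' => "';DROP TABLE users;--", 'LastName' => 'Doe', 'Msisdn' => '0700000000'];

$session = ['captcha_answer' => 15];
echo register_user($pdo, $form + ['captcha' => '99'], $session), "\n"; // wrong answer
$session = ['captcha_answer' => 15];
echo register_user($pdo, $form + ['captcha' => '15'], $session), "\n"; // right answer

// Show what was stored.
foreach ($pdo->query('SELECT FirstName FROM users') as $row) {
    echo $row['FirstName'], "\n";
}
```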
