blwow
09-04-2007, 03:24 PM
I am trying to get mathguard to work to stop bots from using my form. This is what my form looks like: http://www.newmedia.lincoln.ac.uk/jecgardner/entry/journal.php?id=5
If you refresh the page the maths question changes everytime..
If i fill in all the options except the maths question the comment still submits. The point of having this maths question is so if the user/bot cant figure out the answer then the comment wont submit. Please can someone tell me why the comment still submits?
This form works with 3 pages 1. comments page (journal.php) 2. process.php 3. ClassMathGuard.php - i am trying to link the three... If the user doesnt enter an email with the @ sign then the comment won't submit so this validation works. I just cant get the mathguard to work!?!?!? Please help!
Comment form:
<form method="post" action="../process.php" name="book" >
<p><input type="hidden" name="entry" id="entry" value="<?php echo $id; ?>" />
<input type="hidden" name="timestamp" id="timestamp" value="<?php echo $commenttimestamp; ?>">
<strong><label for="name">Name:</label></strong> <input type="text" name="name" id="name" size="25" /><br />
<strong><label for="email">E-mail:</label></strong> <input type="text" name="email" id="email" size="25" /><br />
<strong><label for="url">URL:</label></strong> <input type="text" name="url" id="url" size="25" value="http://" /><br />
<strong><label for="comment">Comment:</label></strong><br />
<textarea cols="25" rows="5" name="comment" id="comment"></textarea></p>
<? require("ClassMathGuard.php"); MathGuard::insertQuestion(); ?>
<input type='hidden' name='action' value='submit'/>
<p><input type="submit" name="submit_comment" id="submit_comment" value="Add Comment" class="input" onclick="nospam();"/>
</p>
</form>
process.php:
<?
/* first we need to require our MathGuard class */
require ("ClassMathGuard.php");
/* this condition checks the user input. Don't change the condition, just the body within the curly braces */
if (MathGuard :: checkResult($_REQUEST['mathguard_answer'], $_REQUEST['mathguard_code'])) {
echo ("Great !"); //insert your code that will be executed when user enters the correct answer
} else {
echo ("Bad answer, go back to school !"); //insert your code which tells the user he is spamming your website
die();
}
?>
<?php
if (isset($_POST['submit_comment'])) {
if (empty($_POST['name']) || empty($_POST['email']) || empty($_POST['comment'])) {
die("You have forgotten to fill in one of the required fields! Please make sure you submit a name, e-mail address and comment.");
}
$entry = htmlspecialchars(strip_tags($_POST['entry']));
$timestamp = htmlspecialchars(strip_tags($_POST['timestamp']));
$name = htmlspecialchars(strip_tags($_POST['name']));
$email = htmlspecialchars(strip_tags($_POST['email']));
$url = htmlspecialchars(strip_tags($_POST['url']));
$comment = htmlspecialchars(strip_tags($_POST['comment']));
$comment = nl2br($comment);
if (!get_magic_quotes_gpc()) {
$name = addslashes($name);
$url = addslashes($url);
$comment = addslashes($comment);
}
if (!eregi("^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email)) {
die("The e-mail address you submitted does not appear to be valid. Please go back and correct it.");
}
include "connect.php";
@ mysql_connect($server, $connect, $pass) or die(__LINE__. mysql_error());
@ mysql_select_db($database) or die(__LINE__. mysql_error());
$result = mysql_query("INSERT INTO php_blog_comments (entry, timestamp, name, email, url, comment) VALUES ('$entry','$timestamp','$name','$email','$url','$comment')");
header("Location: entry/journal.php?id=" . $entry);
}
else {
die("Error: you cannot access this page directly.");
}
?>
ClassMathGuard.php:
<?
class MathGuard {
/** A main hashing function: concat of user's answer, hour and the additional prime number (default 37) */
function encode($input, $prime) {
return md5($input.date("H").$prime);
}
/** This function generates the hash code from the two numbers
* @param $a first number
* @param $b second sumber
* @param $prime additional number to encode with
* */
function generateCode($a, $b, $prime) {
$code = MathGuard::encode($a + $b, $prime);
return $code;
}
/** This function checks whether the answer and generated security code match
* @param $mathguard_answer answer the user has entered
* @param $mathguard_code hashcode the mathguard has generated
*/
function checkResult($mathguard_answer, $mathguard_code, $prime = 37) {
// echo("prime; $prime, $mathguard_answer");
$result_encoded = MathGuard::encode($mathguard_answer, $prime);
if ($result_encoded == $mathguard_code)
return true;
else
return false;
}
/** this function inserts the two math term into your form, the parameter is optional */
function insertQuestion($prime = 37) { //default prime is 37, you can change it when specifying the different parameter
$a = rand() % 10; // generates the random number
$b = rand() % 10; // generates the random number
$code = MathGuard :: generateCode($a, $b, $prime);
echo ("<a href='http://www.codegravity.com/projects/mathguard'>MathGuard</a> security question: $a + $b =
<input type='input' name='mathguard_answer' size='2'/><input type='hidden' name='mathguard_code' value='$code' />");
}
/** this function returns math expression into your form, the parameter is optional
* quite simmilar to insertQuestion, but returns the output as a text instead of echoing
*/
function returnQuestion($prime = 37) { //default prime is 37, you can change it when specifying the different parameter
$a = rand() % 10; // generates the random number
$b = rand() % 10; // generates the random number
$code = MathGuard :: generateCode($a, $b, $prime);
return ("<a href='http://www.codegravity.com/projects/mathguard'>MathGuard</a> security question: $a + $b =
<input type='input' name='mathguard_answer' size='2'/><input type='hidden' name='mathguard_code' value='$code' />");
}
}
?>
If you refresh the page the maths question changes everytime..
If i fill in all the options except the maths question the comment still submits. The point of having this maths question is so if the user/bot cant figure out the answer then the comment wont submit. Please can someone tell me why the comment still submits?
This form works with 3 pages 1. comments page (journal.php) 2. process.php 3. ClassMathGuard.php - i am trying to link the three... If the user doesnt enter an email with the @ sign then the comment won't submit so this validation works. I just cant get the mathguard to work!?!?!? Please help!
Comment form:
<form method="post" action="../process.php" name="book" >
<p><input type="hidden" name="entry" id="entry" value="<?php echo $id; ?>" />
<input type="hidden" name="timestamp" id="timestamp" value="<?php echo $commenttimestamp; ?>">
<strong><label for="name">Name:</label></strong> <input type="text" name="name" id="name" size="25" /><br />
<strong><label for="email">E-mail:</label></strong> <input type="text" name="email" id="email" size="25" /><br />
<strong><label for="url">URL:</label></strong> <input type="text" name="url" id="url" size="25" value="http://" /><br />
<strong><label for="comment">Comment:</label></strong><br />
<textarea cols="25" rows="5" name="comment" id="comment"></textarea></p>
<? require("ClassMathGuard.php"); MathGuard::insertQuestion(); ?>
<input type='hidden' name='action' value='submit'/>
<p><input type="submit" name="submit_comment" id="submit_comment" value="Add Comment" class="input" onclick="nospam();"/>
</p>
</form>
process.php:
<?
/* first we need to require our MathGuard class */
require ("ClassMathGuard.php");
/* this condition checks the user input. Don't change the condition, just the body within the curly braces */
if (MathGuard :: checkResult($_REQUEST['mathguard_answer'], $_REQUEST['mathguard_code'])) {
echo ("Great !"); //insert your code that will be executed when user enters the correct answer
} else {
echo ("Bad answer, go back to school !"); //insert your code which tells the user he is spamming your website
die();
}
?>
<?php
if (isset($_POST['submit_comment'])) {
if (empty($_POST['name']) || empty($_POST['email']) || empty($_POST['comment'])) {
die("You have forgotten to fill in one of the required fields! Please make sure you submit a name, e-mail address and comment.");
}
$entry = htmlspecialchars(strip_tags($_POST['entry']));
$timestamp = htmlspecialchars(strip_tags($_POST['timestamp']));
$name = htmlspecialchars(strip_tags($_POST['name']));
$email = htmlspecialchars(strip_tags($_POST['email']));
$url = htmlspecialchars(strip_tags($_POST['url']));
$comment = htmlspecialchars(strip_tags($_POST['comment']));
$comment = nl2br($comment);
if (!get_magic_quotes_gpc()) {
$name = addslashes($name);
$url = addslashes($url);
$comment = addslashes($comment);
}
if (!eregi("^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email)) {
die("The e-mail address you submitted does not appear to be valid. Please go back and correct it.");
}
include "connect.php";
@ mysql_connect($server, $connect, $pass) or die(__LINE__. mysql_error());
@ mysql_select_db($database) or die(__LINE__. mysql_error());
$result = mysql_query("INSERT INTO php_blog_comments (entry, timestamp, name, email, url, comment) VALUES ('$entry','$timestamp','$name','$email','$url','$comment')");
header("Location: entry/journal.php?id=" . $entry);
}
else {
die("Error: you cannot access this page directly.");
}
?>
ClassMathGuard.php:
<?
class MathGuard {
/** A main hashing function: concat of user's answer, hour and the additional prime number (default 37) */
function encode($input, $prime) {
return md5($input.date("H").$prime);
}
/** This function generates the hash code from the two numbers
* @param $a first number
* @param $b second sumber
* @param $prime additional number to encode with
* */
function generateCode($a, $b, $prime) {
$code = MathGuard::encode($a + $b, $prime);
return $code;
}
/** This function checks whether the answer and generated security code match
* @param $mathguard_answer answer the user has entered
* @param $mathguard_code hashcode the mathguard has generated
*/
function checkResult($mathguard_answer, $mathguard_code, $prime = 37) {
// echo("prime; $prime, $mathguard_answer");
$result_encoded = MathGuard::encode($mathguard_answer, $prime);
if ($result_encoded == $mathguard_code)
return true;
else
return false;
}
/** this function inserts the two math term into your form, the parameter is optional */
function insertQuestion($prime = 37) { //default prime is 37, you can change it when specifying the different parameter
$a = rand() % 10; // generates the random number
$b = rand() % 10; // generates the random number
$code = MathGuard :: generateCode($a, $b, $prime);
echo ("<a href='http://www.codegravity.com/projects/mathguard'>MathGuard</a> security question: $a + $b =
<input type='input' name='mathguard_answer' size='2'/><input type='hidden' name='mathguard_code' value='$code' />");
}
/** this function returns math expression into your form, the parameter is optional
* quite simmilar to insertQuestion, but returns the output as a text instead of echoing
*/
function returnQuestion($prime = 37) { //default prime is 37, you can change it when specifying the different parameter
$a = rand() % 10; // generates the random number
$b = rand() % 10; // generates the random number
$code = MathGuard :: generateCode($a, $b, $prime);
return ("<a href='http://www.codegravity.com/projects/mathguard'>MathGuard</a> security question: $a + $b =
<input type='input' name='mathguard_answer' size='2'/><input type='hidden' name='mathguard_code' value='$code' />");
}
}
?>