Comments
[»]
failure to display
by fatcatair - May 3rd 2008 18:46:34
So I've been trying to add this captcha to some code I'm
using and I'm unable to get it to display the image in my
form. I get the alt text and I can click to go to the image
directly and it displays ok but I never get anything in the
form page. I've read the README for clues but so far
nothing. I've added error_log() debugging code to the code
and when the request comes in for the image the only code
that is exercised is the the test for the invoking of the script
directly.
So out of ideas I put in the following hack as an else after
the test in the aforementioned if.
} else {
if (isset($_SERVER['QUERY_STRING']) && strpos
($_SERVER['QUERY_STRING'], "__ec_i=ec.") === 0 ){
$c = new easy_captcha();
$expired = !$c->is_valid();
if ($expired) {
$type = "image/png";
$bin = easy_captcha_utility::expired_png();
} else {
$type = "image/jpeg";
$bin = $c->image->jpeg();
}
header("Pragma: no-cache");
header("Cache-Control: no-cache, no-store, must-
revalidate, private");
header("Expires: " . gmdate("r", time()));
header("Content-Length: " . strlen($bin));
header("Content-Type: $type");
print $bin;
}
}
and not surprisingly the image shows up in my form. So I
don't understand how on the requests for the image from my
form anything is supposed to happen since prior to this
change as far as I can tell nothing but the API() code put out
a header and the image. Second I don't see how any code
would ever be activated by the REQUEST that asks for the
image since the only "main line" code is that code that tests
for the direct invoke. I'm clearly missing something here
that must be obvious to the author. Any help would be
appreciated. TIA.
BTW I see the following error when I use "whirly" mode.
PHP Notice: Undefined variable: y in .../captcha.php on line
800
which is this line:
if (($x > $this->height) && ($y > $this->height)) {
and $y is undefined at this point.
[reply]
[top]
[»]
Eliminates waves border
by Nahuel Alejandro Ramos - Jun 30th 2007 13:50:56
I have modified the function distort() changing this inside the
"for":
#-- get source pixel, paint dest
if ($single_pixel) {
// single source dot: one-to-one duplicate (unsmooth, hard edges)
if ( ((int)$dx+$x > 0) && ((int)$dy+$y > 0) &&
((int)$dx+$x < $width) && ((int)$dy+$y < $height) ) {
imagesetpixel($dest, $x, $y, @imagecolorat($i, (int)$dx+$x,
(int)$dy+$y));
} else {
imagesetpixel($dest, $x, $y, $this->inverse ? $this->bg ^
0xFFFFFF : $this->bg);
};
}
//-------------------------------------
This eliminates borders when I use the Wave function.
Thanks for that excelent and free script.
[reply]
[top]
[»]
Re: Eliminates waves border
by milky - Jun 30th 2007 15:47:26
Thank you very much for sharing this fix! The next release will include it
;)
[Totally forgot about this, because I've tested with the black/inverse
version only.]
[reply]
[top]
[»]
yes, this class is not secure.
by alicia - May 22nd 2007 10:40:37
yes, this class is not secure. :(
I have also found many other free php captcha scripts, but most have a
problem of some kind... I think the solution is either writing your own
captcha php script or use something professional ( ex. www.captchacreator.com )
Alicia
[reply]
[top]
[»]
Re: yes, this class is not secure.
by milky - Jun 29th 2007 15:03:55
I very much doubt that linkspamming under fake names and abusive
conjectures get you any customers.
[reply]
[top]
[»]
nice project
by Steffen Wendzel - Dec 3rd 2006 08:12:09
I realy like this project because it is so damn easy to use and I need no
database or such things. Kepp hacking!
--steffen
[reply]
[top]
[»]
header bug
by hosseini - Sep 10th 2006 13:05:03
this class just work on IE,and dont work on firefox
--
Regards.
hosseini
[reply]
[top]
[»]
Security hole
by Paul Brennan - Oct 7th 2005 13:38:32
There is a serious security hole in this class!!!
It is possible to retrieve the passwd file by using
http://domain.tld/captcha.php?_tcf=../../../../../../etc/passwd
You could do with using basename() around POST/GET variables before
using them.
Regards
Paul Brennan
[reply]
[top]
[»]
Re: Security hole
by sebastian - Jun 8th 2006 15:00:28
> There is a serious security hole in this
> class!!!
>
> It is possible to retrieve the passwd
> file by using
> http://domain.tld/captcha.php?_tcf=../../../../../../etc/passwd
>
> You could do with using basename()
> around POST/GET variables before
> using them.
>
> Regards
> Paul Brennan
the passwords in the file /etc/passwd is irreversibly encrypted (hashed)
so thats not the problem. The problem is that he can access ANY file on
system, even cleartext config files which may contain password in
unencrypted form.
[reply]
[top]
[»]
Re: Security hole
by milky - Jun 29th 2007 14:54:58
There has never been such a "security hole", because the _tcf= parameter
(in version 0.9 only) has been filtered by:
if (preg_match('/^\w+$/', $id) && file_exists(...
Which also works more reliable than basename(), since it doesn't let
special characters or even dots through.
------------
Even though this was a false alarm here, it's a very good practice to do
at least such a surface security check in new scripts. So, no offence, and
many thanks for voicing concerns and providing feedback here!
[reply]
[top]
|
