Hi,
I would like the following comments to be read as positive feedback, rather than an attempt to knock the hard work that has gone into maintaining the dew-newphplinks code. As evidence that I am not here to simply "knock" and complain, I have attempted to put together some replacement code to allow reCAPTCHA (www.recaptcha.net) to be implemented as a replacement for the current CAPTCHA included with the recent version of dew-newphplinks.
Current CAPTCHA problems:
1. Unless I am mistaken, there are only 16 actual CAPTCHA images stored in the database, giving a spambot a 1 in 16 chance of guessing the correct code without even attempting to OCR the image.
2. Again, if I am not mistaken, the forms for add site and add review contain a checksum value (chksum) based on the capture. With only 16 images (and the code being publicly available) it is possible for a spambot to store chksum values alongside the actual code (e.g. NCKDG checksum = 3ab1688b867b3c9c6998f9d00444a0cc) and there is no need for any additional work.
Solution:
1. reCAPTCHA - I suggest this as it provides a good level of security (I understand it has its own blocklists for known spam sources) and is growing in 'familiarity' for web surfers as it is implemented on various sites and has plugins for various packages. I have successfully implemented it on multiple MediaWiki installations and a PHPBB3 forum.
Below I have included "my" code (actually taken from the reCAPTCHA example-captcha.php, so could be jazzed up a little). I understand that it is beyond the scope of dew-newphplinks to pre-package this, as it means it will not run "out of the box" without the admin getting a public/private keypair from the reCAPTCHA project. However, I do suggest that this code is developed and added as an official "plugin" option.
2. There must be an open source "draw on the fly" CAPTCHA package that could be added in place of the current CAPTCHA?
3. At least hash the chksum value with some kind of 'salt' (perhaps current PHP Session ID, or even something static like the site name or admin's email address, which would at least make the MD5 chksum different on each installation across the web).
Cheers,
Graeme
******************************
*** reCAPTCHA installation ***
******************************
0. Make backup copies of add.php and review_add.php
1. download reCAPTCHA library and apply for reCAPTCHA keys for your domain (it is free)
2. copy recaptchalib.php to dir: 'include'
3. config.php - delete: $tb_captcha = 'phplinks_captcha';
3. MYSQL - delete table: 'phplinks_captcha'
4. add.php
require_once('recaptchalib.php');
// Get a key from http://recaptcha.net/api/getkey
$publickey = "";
$privatekey = "";
# the response from reCAPTCHA
$resp = null;
# the error code from reCAPTCHA, if any
$error = null;
5. add.php
find:
$cap = md5(strtoupper($_POST['capinput']));
replace with:
$resp = recaptcha_check_answer ($privatekey,
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
6. add.php
find:
if ($_POST['chksum'] != $cap){
$error = 1;
$err.= 'The validation code you entered does not appear to be correct.<BR>';
}
replace with:
if ($resp->is_valid) {
# do nothing
}
else {
# set the error code so that we can display it
$err.= $resp->error . '<br />';
}
7. add.php
find:
$capquery = "SELECT * FROM $tb_captcha order by RAND() LIMIT 1";
$capsql = mysql_query("$capquery") or die("Invalid query: " . mysql_error());
$picrow = mysql_fetch_object($capsql);
$htmlsrc .= '<img align=top src="./include/captcha.php?x='.$picrow->ID.'"> ';
$htmlsrc .= '<input type=hidden name=chksum value="'.md5(strtoupper($picrow->checksum)).'">';
$htmlsrc .= '<input length=5 size=5 type=text name=capinput>';
replace with:
$htmlsrc .= recaptcha_get_html($publickey, $error);
8. review_add.php
add:
require_once('recaptchalib.php');
// Get a key from http://recaptcha.net/api/getkey
$publickey = "";
$privatekey = "";
# the response from reCAPTCHA
$resp = null;
# the error code from reCAPTCHA, if any
$error = null;
8. review_add.php
find:
$capinput = md5(strtoupper($_POST['capinput']));
$charcount = (strlen($_POST['chksum']) -1);
$cap = substr($_POST['chksum'], 0, $charcount);
if ($capinput != $cap){
$error = 1;
$caperr.= 'The validation code you entered does not appear to be correct.<BR>';
}
replace with:
$resp = recaptcha_check_answer ($privatekey,
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if ($resp->is_valid) {
# do nothing
}
else {
# set the error code so that we can display it
$err.= $resp->error . '<br />';
}
8. review_add.php
find & delete:
$capquery = "SELECT * FROM $tb_captcha order by RAND() LIMIT 1";
$capsql = mysql_query("$capquery") or die("Invalid query: " . mysql_error());
$picrow = mysql_fetch_object($capsql);
find:
$html .= '<img align=top src="./include/captcha.php?x='.$picrow->ID.'"> ';
$html .= '<input type=hidden name=chksum value="'.md5(strtoupper($picrow->checksum)).$picrow->ID.'">';
$html .= '<input length=5 size=5 type=text name=capinput>';
replace with:
$html .= recaptcha_get_html($publickey, $error);
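
Added example (not part of the original post and not dew-newphplinks code): one way to carry out suggestion 3 above, replacing the bare MD5 chksum with an HMAC keyed by a per-installation secret and bound to the visitor's session and a single-use nonce, so a chksum-to-code table collected on one site or request is useless on another. SITE_SECRET, captcha_token() and captcha_verify() are hypothetical names, PHP 7.1+ is assumed, and the small image pool from point 1 is not addressed here.

```php
<?php
// Added example, not dew-newphplinks code. SITE_SECRET and both function
// names are hypothetical; the secret below is a constructed placeholder.
const SITE_SECRET = 'replace-with-long-random-per-install-value';

// Build the hidden-field value: a random nonce plus an HMAC over the
// session ID, the nonce and the expected code. Without SITE_SECRET the
// value cannot be precomputed, and it differs per session and per request.
function captcha_token(string $sessionId, string $code): string
{
    $nonce = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', $sessionId . '|' . $nonce . '|' . strtoupper($code), SITE_SECRET);
    return $nonce . ':' . $mac;
}

// Verify the visitor's input against the token. $usedNonces stands in for
// per-session storage (e.g. $_SESSION) so each token is accepted only once.
function captcha_verify(string $sessionId, string $token, string $input, array &$usedNonces): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || isset($usedNonces[$parts[0]])) {
        return false;                      // malformed or replayed token
    }
    [$nonce, $mac] = $parts;
    $usedNonces[$nonce] = true;            // burn the nonce on first use, pass or fail
    $expected = hash_hmac('sha256', $sessionId . '|' . $nonce . '|' . strtoupper($input), SITE_SECRET);
    return hash_equals($expected, $mac);   // constant-time comparison
}

// Constructed demo values; NCKDG is the sample code quoted in the post.
$used  = [];
$token = captcha_token('sess-A', 'NCKDG');
var_dump(captcha_verify('sess-A', $token, 'nckdg', $used));   // correct answer, first use
var_dump(captcha_verify('sess-A', $token, 'nckdg', $used));   // same token replayed
$token2 = captcha_token('sess-A', 'NCKDG');
var_dump(captcha_verify('sess-B', $token2, 'NCKDG', $used));  // token presented from another session
```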