No matter what I type in (even the correct captcha), I always get missmatched output. I've tried echoing the values (they are supposed to match if you type in the right code). and I always get something like this:
6952304285049
-1247767175
- I am using jquery-1.10.2.min.js (and have this linked in my header along with the realperson.js file) /SignUp.php
Here's my code (im doing some other validating as well):
<?php
include 'Header.php';
include 'Database.php';
?>
<script type="text/javascript">
$(function() {
$('#defaultReal').realperson();
});
</script>
<h1>Sign Up</h1>
<?php
if ($_POST){
$username = $_POST['username'];
$password = $_POST['password'];
$check = '';
//validate CAPTCHA
function rpHash($value) {
$hash = 5381;
$value = strtoupper($value);
for($i = 0; $i < strlen($value); $i++) {
$hash = (($hash << 5) + $hash) + ord(substr($value, $i));
}
return $hash;
}
if (rpHash($_POST['defaultReal']) == $_POST['defaultRealHash']) { ?>
<p class="accepted">You have entered the "real person" value correctly and the form has been processed.</p>
<?php
//if username is not blank
if($username != ''){
//check if username exists already
$query = "SELECT username FROM tbl_user;";
$result = mysql_query($query) or die(mysql_error());
while ($record = mysql_fetch_row($result))
{
foreach($record as $field)
{
if($field == $username){
//if user exists, dont let them add same user
$error_message_username = 'username already used; choose a unique name';
}
else{
$check = 'pass';
}
}
}
}else{
$error_message_username = 'username cannot be blank';
}
//if password is not blank
if($password != ''){
$error_message_password = '';
// encrypt password
$encrypted_password = md5($password);
if($check == 'pass'){
//set username and password into database
$query = "INSERT INTO tbl_user VALUES('','".$username."','".$encrypted_password."');";
$result = mysql_query($query) or die(mysql_error());
}
}else{
$error_message_password = 'password cannot be blank';
}
} else { ?>
<p class="rejected">You have NOT entered the CAPTCHA value correctly and the form has been rejected.</p>
<?php
echo rpHash($_POST['defaultReal']) . '<br/>';
echo $_POST['defaultRealHash'];
}
}
?>
<form method="post" action="SignUp.php">
<p>
E-Mail:
<input type="text" class="required email" id="username" name="username">
<?php
if ( $error_message_username != '' ) {
print "$error_message_username";
}
?>
</p>
<p>
Password:
<input type="text" name="password">
<?php
if ( $error_message_password != '' ) {
print "$error_message_password";
}
?>
</p>
<p>
CAPTCHA:
<input type="text" id="defaultReal" name="defaultReal">
</p>
<p>
<button class="mybutton" type="submit" value="Sign Up">Sign Up</button>
</p>
</form>
No matter what I type in (even the correct captcha), I always get missmatched output. I've tried echoing the values (they are supposed to match if you type in the right code). and I always get something like this:
6952304285049
-1247767175
- I am using jquery-1.10.2.min.js (and have this linked in my header along with the realperson.js file) http://gfishdesigns./COMP2920/_COMPLETED/Assignment%202/SignUp.php
Here's my code (im doing some other validating as well):
<?php
include 'Header.php';
include 'Database.php';
?>
<script type="text/javascript">
$(function() {
$('#defaultReal').realperson();
});
</script>
<h1>Sign Up</h1>
<?php
if ($_POST){
$username = $_POST['username'];
$password = $_POST['password'];
$check = '';
//validate CAPTCHA
function rpHash($value) {
$hash = 5381;
$value = strtoupper($value);
for($i = 0; $i < strlen($value); $i++) {
$hash = (($hash << 5) + $hash) + ord(substr($value, $i));
}
return $hash;
}
if (rpHash($_POST['defaultReal']) == $_POST['defaultRealHash']) { ?>
<p class="accepted">You have entered the "real person" value correctly and the form has been processed.</p>
<?php
//if username is not blank
if($username != ''){
//check if username exists already
$query = "SELECT username FROM tbl_user;";
$result = mysql_query($query) or die(mysql_error());
while ($record = mysql_fetch_row($result))
{
foreach($record as $field)
{
if($field == $username){
//if user exists, dont let them add same user
$error_message_username = 'username already used; choose a unique name';
}
else{
$check = 'pass';
}
}
}
}else{
$error_message_username = 'username cannot be blank';
}
//if password is not blank
if($password != ''){
$error_message_password = '';
// encrypt password
$encrypted_password = md5($password);
if($check == 'pass'){
//set username and password into database
$query = "INSERT INTO tbl_user VALUES('','".$username."','".$encrypted_password."');";
$result = mysql_query($query) or die(mysql_error());
}
}else{
$error_message_password = 'password cannot be blank';
}
} else { ?>
<p class="rejected">You have NOT entered the CAPTCHA value correctly and the form has been rejected.</p>
<?php
echo rpHash($_POST['defaultReal']) . '<br/>';
echo $_POST['defaultRealHash'];
}
}
?>
<form method="post" action="SignUp.php">
<p>
E-Mail:
<input type="text" class="required email" id="username" name="username">
<?php
if ( $error_message_username != '' ) {
print "$error_message_username";
}
?>
</p>
<p>
Password:
<input type="text" name="password">
<?php
if ( $error_message_password != '' ) {
print "$error_message_password";
}
?>
</p>
<p>
CAPTCHA:
<input type="text" id="defaultReal" name="defaultReal">
</p>
<p>
<button class="mybutton" type="submit" value="Sign Up">Sign Up</button>
</p>
</form>
-
mysql_is deprecated. Better usemysqli_or PDO. Also, you are susceptible to trivial SQL injection attacks. Pray someone's username isn't'); DROP database --. Using prepared statements (not supported bymysql_) will solve that. Also, detecting if an entry in a database exists by fetching all and looping through them is kinda stupid (slow) (and susceptible to race conditions). Better let the database do it via unique constraints (prechecks are fine but not sufficient) – John Dvorak Commented Nov 16, 2013 at 8:36 - where do you get the captcha value from the user needs to re-type? AFAIK this has to be stored in to the session first to be validated - that's how the most captcha libs work? – Axel Amthor Commented Nov 16, 2013 at 9:29
- I'm sure the way I'm doing it is stupid/slow, as this is for a homework assignment in a PHP class, so I'm still learning how to do this stuff. As far as I can see from the working example in the .html file I downloaded for realperson.js, there is no session involved. Does it not grab the person's captcha entry via this? $_POST['defaultRealHash'] – KVDD Commented Nov 18, 2013 at 18:06
- I might actually have the defaultReal, and defaultRealHash backwards. Let me switch and let you know if that fixes it... – KVDD Commented Nov 18, 2013 at 18:44
- 1 AH! The rpHash function (php) uses the >> bitwise operator which apparently responds differently on 32-bit and 64-bit machines. So, use the other php functions provided on the site under 64-bit php. I haven't investigated this thoroughly, but it worked on my demo server (Mac) and production server (Cent-OS) PHP 5.4.x x86_64 – Craig Jacobs Commented Apr 17, 2014 at 21:30
2 Answers
Reset to default 4Well said Craig Jacobs, it is the same problem which you pointed out. I also faced the same thing and solved by making changes shown below:
function rpHash($value) {
$hash = 5381;
$value = strtoupper($value);
for($i = 0; $i < strlen($value); $i++) {
$hash = (leftShift32($hash, 5) + $hash) + ord(substr($value, $i));
}
return $hash; }
function leftShift32($number, $steps) {
$binary = decbin($number);
$binary = str_pad($binary, 32, "0", STR_PAD_LEFT);
$binary = $binary.str_repeat("0", $steps);
$binary = substr($binary, strlen($binary) - 32);
return ($binary{0} == "0" ? bindec($binary) :
-(pow(2, 31) - bindec(substr($binary, 1))));
}
if (isset($_POST['submit'])) {
.....
if (rpHash($_POST['defaultReal']) != $_POST['defaultRealHash']) {
echo "Invalid contact request, please try again with correct verification code...";
exit;
}
.....
.....
}
Hope it will help someone else too.
There are two versions of the php rpHash function provided, one for 32-bit and one for 64-bit PHP. Run phpinfo and make sure you are using the correct version of the function as provided on this page http://keith-wood.name/realPerson.html. The bitwise functions as used here will return different values on 32 and 64 bit machines. See this page: http://www.php/manual/en/language.operators.bitwise.php