Geekzone: technology news, blogs, forums


mattwnz

20154 posts

Uber Geek


#94952 22-Dec-2011 23:09

I am using the following captcha script attached to a contact form on a few websites, but noticed that one of them has been having spam injected into it, even though it has a captcha on it. It's getting spammed about 20 times a day. http://www.thewebhelp.com/php/scripts/php-contact-form-with-image-validation/

Now there is either a hole in the script, such as sessions not being wiped after the form is submitted, or the spammer is using OCR software to overcome the captcha, or possibly something else. Anyone know if there is anything that can be added to make this more secure?


Oblivian
7297 posts

Uber Geek

ID Verified

  #560851 23-Dec-2011 00:05

This is the reason PHPBB and vBulletin are abused so much. Captchas just don't cut the mustard anymore.

Re-code it for human interaction (please type 'x' in the box provided for verification) along with it. Seems to work for forums :)

http://en.wikipedia.org/wiki/CAPTCHA shows a few methods they are using to circumvent them, and recommends a PHP adjustment to kill session IDs.



mattwnz

20154 posts

Uber Geek


  #560852 23-Dec-2011 00:22

Oblivian: This is the reason PHPBB and vBulletin are abused so much. Captchas just don't cut the mustard anymore.

Re-code it for human interaction (please type 'x' in the box provided for verification) along with it. Seems to work for forums :)

http://en.wikipedia.org/wiki/CAPTCHA shows a few methods they are using to circumvent them, and recommends a PHP adjustment to kill session IDs.


Thanks, I had been using it for about 5 years, and it has only just now begun to happen. I was looking at a script which asks the user to enter the sum of two numbers, as a replacement, at http://www.codegravity.com/projects/mathguard which looks quite good.

I did read that bit on Wikipedia about killing session IDs, but have no idea where to add the code into it. The code does delete the cookies, but I suspect that it doesn't kill the sessions.


<?php
// -----------------------------------------
// The Web Help .com
// -----------------------------------------
// remember to replace you@email.com with your own email address lower in this code.

// load the variables from the address bar
$subject = $_POST["subject"];
$message = $_POST["message"];
$from = $_POST["from"];
$verif_box = $_POST["verif_box"];

// remove the backslashes that normally appear when entering " or '
$message = stripslashes($message);
$subject = stripslashes($subject);
$from = stripslashes($from);

// check to see if verification code was correct
if(md5($verif_box).'a4xn' == $_COOKIE['tntcon']){
    // if verification code was correct send the message and show this page
    mail("you@email.com", 'TheWebHelp.com Form: '.$subject, $_SERVER['REMOTE_ADDR']."\n\n".$message, "From: $from");
    // delete the cookie so it cannot be sent again by refreshing this page
    setcookie('tntcon','');
} else if(isset($message) and $message!=""){
    // if verification code was incorrect then return to contact page and show error
    header("Location:".$_SERVER['HTTP_REFERER']."?subject=$subject&from=$from&message=$message&wrong_code=true");
    exit;
} else {
    echo "no variables received, this page cannot be accessed directly";
    exit;
}
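
An added example, not part of the thread and not the thewebhelp.com script: the check in the posted code compares the form field against a cookie the browser sends back, and `setcookie('tntcon','')` only asks the browser to drop that cookie, so nothing on the server is invalidated after a submission. The sketch below keeps the expected answer in the PHP session and consumes it on every attempt; the session key `captcha_answer` and the redirect path `/contact.php` are assumptions, and the image generator would need to store its code under that key.

```php
<?php
// Added example (PHP 7+), not the original thewebhelp.com script.
// Assumption: the image generator stores the code it drew on the server,
// e.g. $_SESSION['captcha_answer'] = $code; (hypothetical key name)
// instead of sending a hash of it to the browser in a cookie.
session_start();

// Single-use check: the stored answer is removed on every attempt, so a
// solved code cannot be submitted a second time, right or wrong.
function verify_captcha_once(array &$session, string $submitted): bool
{
    $expected = $session['captcha_answer'] ?? null;
    unset($session['captcha_answer']);
    if (!is_string($expected) || $expected === '') {
        return false; // no captcha was issued for this session
    }
    return hash_equals($expected, trim($submitted));
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('no variables received, this page cannot be accessed directly');
}

// Strip CR/LF from the subject and validate the address before either
// reaches a mail header.
$subject = str_replace(["\r", "\n"], '', (string)($_POST['subject'] ?? ''));
$from    = filter_var($_POST['from'] ?? '', FILTER_VALIDATE_EMAIL);
$message = (string)($_POST['message'] ?? '');

$ok = verify_captcha_once($_SESSION, (string)($_POST['verif_box'] ?? ''));
if (!$ok || $from === false || $message === '') {
    // Fixed redirect target (assumed path) rather than the Referer header.
    header('Location: /contact.php?wrong_code=true');
    exit;
}

mail('you@email.com', 'TheWebHelp.com Form: ' . $subject,
     $_SERVER['REMOTE_ADDR'] . "\n\n" . $message, 'From: ' . $from);

// Start a fresh session so nothing from this submission can be reused.
session_regenerate_id(true);
```

Because the answer lives only on the server and is unset before the comparison result is used, each captcha image is good for exactly one submission attempt.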

