我的验证码是如何被机器人规避的?
How is my captcha being circumvented by a bot?
这是我用来检查填写的字段的脚本:
foreach($_POST as $key => $value){
//required fields
if(in_array($key, $required_fields) && empty($value) && $all_required_filled){
$error_message .= "<li>Not all required fields were filled out</li>";
$valid = false;
$all_required_filled = false;
}
//valid email address
if($key == 'email'){
if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
$error_message .= "<li>Invalid email format</li>";
$valid = false;
}
}
//captcha is valid
if($key == "captcha"){
if((int)$value !== (int)$_SESSION['veriword']){
$error_message .= "<li>The captcha was incorrect</li>";
$valid = false;
}
else{
$message .= "User entered {$value}. Correct answer was {$_SESSION['veriword']}";
}
continue;
}
}
基本上,如果验证码表单字段与验证码插件设置的会话变量匹配,脚本会在电子邮件中打印一行,列出用户输入的内容和正确的值。
当我错误地填写验证码时,我无法发送表单,并卡在页面上并显示错误消息。但是,不知何故,垃圾邮件机器人成功发送了表单,而没有列出表单字段和验证码值的行。所以它以某种方式完全绕过了 "if" 语句?我不确定发生了什么...
不要循环 $_POST,而是明确检查所需的输入:
if (isset($_POST['captcha'])) {
if (intval($_POST['captcha']) !== $_SESSION['veriword']) {
$error_message .= "<li>The captcha was incorrect</li>";
$valid = false;
}
} else {
$error_message .= "<li>The captcha was not submitted</li>";
$valid = false;
}
这是我用来检查填写的字段的脚本:
foreach($_POST as $key => $value){
//required fields
if(in_array($key, $required_fields) && empty($value) && $all_required_filled){
$error_message .= "<li>Not all required fields were filled out</li>";
$valid = false;
$all_required_filled = false;
}
//valid email address
if($key == 'email'){
if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
$error_message .= "<li>Invalid email format</li>";
$valid = false;
}
}
//captcha is valid
if($key == "captcha"){
if((int)$value !== (int)$_SESSION['veriword']){
$error_message .= "<li>The captcha was incorrect</li>";
$valid = false;
}
else{
$message .= "User entered {$value}. Correct answer was {$_SESSION['veriword']}";
}
continue;
}
}
基本上,如果验证码表单字段与验证码插件设置的会话变量匹配,脚本会在电子邮件中打印一行,列出用户输入的内容和正确的值。
当我错误地填写验证码时,我无法发送表单,并卡在页面上并显示错误消息。但是,不知何故,垃圾邮件机器人成功发送了表单,而没有列出表单字段和验证码值的行。所以它以某种方式完全绕过了 "if" 语句?我不确定发生了什么...
不要循环 $_POST,而是明确检查所需的输入:
if (isset($_POST['captcha'])) {
if (intval($_POST['captcha']) !== $_SESSION['veriword']) {
$error_message .= "<li>The captcha was incorrect</li>";
$valid = false;
}
} else {
$error_message .= "<li>The captcha was not submitted</li>";
$valid = false;
}