Text_CAPTCHA Article Updated
The author of Using PEAR’s Text_CAPTCHA to Secure Web Forms has published a small update that improves the conditional statement used to compare CAPTCHA phrases. This update can be found near the very end of the article, and the updated example follows:
<?php
session_start();
// All three conditions must hold: both values exist (isset() returns false
// for a missing or null entry), the session phrase is non-empty, and the
// submitted phrase matches it exactly (strict comparison, no type juggling).
if (isset($_POST['captcha_phrase'], $_SESSION['captcha_phrase']) &&
    strlen($_SESSION['captcha_phrase']) > 0 &&
    $_POST['captcha_phrase'] === $_SESSION['captcha_phrase'])
{
    /* Human */
}
else
{
    /* Computer */
}
?>
If you have implemented Text_CAPTCHA using the previously published method of comparing CAPTCHA phrases, a vulnerability exists when a user's session has not been initialized. It is recommended that you initialize $_SESSION['captcha_phrase'] to a random string and also apply this update to your code.
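The following is an added example, not code from the article or from PEAR's Text_CAPTCHA: it wraps the updated comparison and the recommended session initialization in functions and runs them against a few constructed request/session scenarios, including the uninitialized-session case the update addresses. The function names, the weaker contrast check (a bare loose comparison, written here for illustration and not presented as the article's earlier code), and the sample arrays are all assumptions of this example.

```php
<?php
// Added example (not from the article or Text_CAPTCHA). Function names and
// the sample $post/$session arrays are constructed for illustration.

// Initialize the session slot with a random phrase so it is never unset or
// empty before a CAPTCHA has been generated (the article's recommendation).
function captcha_init(array &$session): void
{
    if (!isset($session['captcha_phrase']) || $session['captcha_phrase'] === '') {
        // random_bytes() is a CSPRNG; 8 bytes becomes 16 hex characters.
        $session['captcha_phrase'] = bin2hex(random_bytes(8));
    }
}

// The article's updated check as a function: both values must exist, the
// session phrase must be non-empty, and the comparison is strict (===).
function captcha_is_human(array $post, array $session): bool
{
    return isset($post['captcha_phrase'], $session['captcha_phrase'])
        && strlen($session['captcha_phrase']) > 0
        && $post['captcha_phrase'] === $session['captcha_phrase'];
}

// A hypothetical weaker check, constructed for contrast only: a loose
// comparison with no existence or length guards. With PHP's type juggling,
// '' == null is true, so a missing session phrase is "matched" by an empty
// submission.
function captcha_is_human_weak(array $post, array $session): bool
{
    return ($post['captcha_phrase'] ?? null) == ($session['captcha_phrase'] ?? null);
}

// Constructed scenarios: [submitted POST data, session contents].
$cases = [
    'no session phrase, empty submission' => [['captcha_phrase' => ''], []],
    'session phrase is empty string'      => [['captcha_phrase' => ''], ['captcha_phrase' => '']],
    'correct phrase'                      => [['captcha_phrase' => 'k7p2q'], ['captcha_phrase' => 'k7p2q']],
    'wrong phrase'                        => [['captcha_phrase' => 'aaaaa'], ['captcha_phrase' => 'k7p2q']],
];

foreach ($cases as $label => [$post, $session]) {
    printf("%-38s weak=%-5s updated=%s\n", $label,
        var_export(captcha_is_human_weak($post, $session), true),
        var_export(captcha_is_human($post, $session), true));
}

// With the recommended initialization, the session slot is never empty, so
// even the weak check no longer accepts an empty submission.
$session = [];
captcha_init($session);
var_dump(captcha_is_human_weak(['captcha_phrase' => ''], $session));
```

Running the scenarios shows why the update matters: the loose contrast check reports a human for the first two rows, where no real phrase was ever issued, while the updated check accepts only the row whose submitted phrase exactly equals a non-empty session phrase. The two measures are complementary: the strict, guarded comparison protects the check itself, and initializing the session phrase to a random value ensures there is no empty or absent value for anything to match in the first place.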
The author wishes to thank Ilia Alshanetsky and Stefan Esser for their assistance.