Add Your VPN Review

Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.

Text_CAPTCHA Article Updated

By Will Ellis
Last Updated on April 29, 2021

The author of Using PEAR’s Text_CAPTCHA to Secure Web Forms has published a small update that improves the conditional statement used to compare CAPTCHA phrases. This update can be found near the very end of the article, and the updated example follows:

if (isset($_POST[‘captcha_phrase’], $_SESSION[‘captcha_phrase’]) &&
strlen($_SESSION[‘captcha_phrase’]) > 0 &&
$_POST[‘captcha_phrase’] === $_SESSION[‘captcha_phrase’])
/* Human */
/* Computer */

If you have implemented Text_CAPTCHA using the previously published method to compare CAPTCHA phrases, a vulnerability exists when a user’s session is not initialized. It is recommended that you initialize $_SESSION[‘captcha_phrase’] to a random string and also apply this update to your code.

The author wishes to thank Ilia Alshanetsky and Stefan Esser for their assistance.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related news