cvs: php-bugs-web /include functions.inc
Helgi Þormar Þorbjörnsson

2005-04-21, 3:57 am

dufuz Wed Apr 20 21:58:56 2005 EDT

Modified files:
/php-bugs-web/include functions.inc
Log:
CAPTCHA related functions and a mail to function

http://cvs.php.net/diff.php/php-bug...1&r2=1.152&ty=u
Index: php-bugs-web/include/functions.inc
diff -u php-bugs-web/include/functions.inc:1.151 php-bugs-web/include/functions.inc:1.152
--- php-bugs-web/include/functions.inc:1.151 Mon Apr 18 04:04:39 2005
+++ php-bugs-web/include/functions.inc Wed Apr 20 21:58:55 2005
@@ -489,6 +489,10 @@
$errors[] = "You must supply a password for this bug report.";
}

+ if (!validate_captcha()) {
+ $errors[] = 'Incorrect CAPTCHA';
+ }
+
return $errors;
}

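Review bot: the new validate_captcha() call at the top of this hunk runs on every pass through this validation routine, yet nothing else in this diff calls generate_captcha() or adds a `captcha` input to any form, so any submission path that does not render a CAPTCHA (a developer update, for instance) will now fail with "Incorrect CAPTCHA". Either gate the check on the form having actually displayed a CAPTCHA (and skip it for authenticated developer updates), or hold this hunk back until the form side is committed.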
@@ -639,4 +643,114 @@
}
return ($ip ? $ip : $REMOTE_ADDR);
}
+
+/**
+ * Sets <var>$_SESSION['captcha']</var> and
+ * <var>$_SESSION['captcha_time']</var> then prints the XHTML that
+ * displays a CAPTCHA image and a form input element
+ *
+ * Only generate a new <var>$_SESSION['captcha']</var> if it doesn't exist
+ * yet. This avoids the problem of the CAPTCHA value being changed but the
+ * old image remaining in the browser's cache. This is necessary because
+ * caching can not be reliably disabled.
+ *
+ * Use upper case letters to reduce confusion with some of these fonts.
+ * Input is passed through strtoupper() before comparison.
+ *
+ * Don't use "I" or "O" to avoid confusion with numbers. Don't use digits
+ * because some of the fonts don't handle them.
+ *
+ * @return string the CAPTCHA image and form intut
+ *
+ * @see validate_captcha(), captcha-image.php
+ */
+function generate_captcha()
+{
+ if (!isset($_SESSION['captcha'])) {
+ $_SESSION['captcha'] = '';
+ $useable = 'ABCDEFGHJKLMNPQRSTUVWXYZ';
+ for ($i = 0; $i < 4; $i++) {
+ $_SESSION['captcha'] .= substr($useable, mt_rand(0, 23), 1);
+ }
+ $_SESSION['captcha_time'] = time();
+ }
+ return 'Type <img src="/captcha-image.php?x=' . time()
+ . '" alt="If you are unable to'
+ . ' read this image, click the help link to the right of'
+ . ' the input box" align="top" /> into this box...'
+ . ' <input type="text" size="4" maxlength="4" name="captcha" />'
+ . ' (<a href="/captcha-help.php" target="_blank">help</a> )'
+ . ' <br />If this image is hard to read, reload the page.';
+
+}
+
+/**
+ * Check if the CAPTCHA value submitted by the user in
+ * <var>$_POST['captcha']</var> matches <var>$_SESSION['captcha']</var>
+ * and that the submission was made within the allowed time frame
+ * of the CAPTCHA being generated
+ *
+ * If the two values aen't the same or the length of time between CAPTCHA
+ * generation and form submission is too long, this function will unset()
+ * <var>$_SESSION['captcha']</var>. Unsetting it will cause
+ * generate_captcha() to come up with a new CAPTCHA value and image.
+ * This prevents brute force attacks.
+ *
+ * Similarly, if the submission is correct <var>$_SESSION['captcha']</var>
+ * is unset() in order to keep robots from making multiple requests with
+ * a correctly guessed CAPTCHA value.
+ *
+ * @param int $max_age the length of time in seconds since the CAPTCHA was
+ * generated during which a submission should be
+ * considered valid. Default is 300 seconds
+ * (aka 5 minutes).
+ *
+ * @return bool true if input matches captcha, false if not
+ *
+ * @see generate_captcha(), captcha-image.php
+ */
+function validate_captcha($max_age = 300)
+{
+ if (!isset($_POST['captcha']) ||
+ !isset($_SESSION['captcha']) ||
+ (time() - $_SESSION['captcha_time']) > $max_age ||
+ $_SESSION['captcha'] != strtoupper($_POST['captcha']))
+ {
+ unset($_SESSION['captcha']);
+ unset($_SESSION['captcha_time']);
+ return false;
+ } else {
+ unset($_SESSION['captcha']);
+ unset($_SESSION['captcha_time']);
+ return true;
+ }
+}
+
+/**
+ * Turns the provided email address into a "mailto:" hyperlink.
+ *
+ * The link and link text are obfuscated by alternating Ord and Hex
+ * entities.
+ *
+ * @param string $email the email address to make the link for
+ * @param string $linktext a string for the visible part of the link.
+ * If not provided, the email address is used.
+ * @param string $extras a string of extra attributes for the <a> element
+ *
+ * @return string the HTML hyperlink of an email address
+ */
+function make_mailto_link($email, $linktext = '', $extras = '')
+{
+ $tmp = '';
+ for ($i = 0, $l = strlen($email); $i<$l; $i++) {
+ if ($i % 2) {
+ $tmp .= '&#' . ord($email[$i]) . ';';
+ } else {
+ $tmp .= '&#x' . dechex(ord($email[$i])) . ';';
+ }
+ }
+
+ return '<a ' . $extras . ' href="mailto:'
+ . $tmp . '">' . ($linktext != '' ? $linktext : $tmp) . '</a>';
+}
?>
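Review bot: in validate_captcha() both branches of the if/else perform the same two unset() calls and differ only in the return value, so the function reduces to evaluating the condition, unsetting both session keys, and returning the negated result; collapse it, and guard the `$_SESSION['captcha_time']` read with isset() so a session that carries `captcha` but has lost `captcha_time` does not raise a notice. In make_mailto_link(), `$extras` and `$linktext` are concatenated into the markup unescaped, so callers must pass only trusted values (or the function should run `$linktext` through htmlspecialchars()). Docblock typos: "form intut" should be "form input", and "aen't" should be "aren't".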
Gabor Hojtsy

2005-04-21, 8:56 am

> dufuz Wed Apr 20 21:58:56 2005 EDT
>
> Modified files:
> /php-bugs-web/include functions.inc
> Log:
> CAPTCHA related functions and a mail to function


Congratulations! Now I get an "Incorrect CAPTCHA" error when trying to
*developer update* a bug report... There is no captcha displayed on the
submission page...

Goba
Helgi

2005-04-21, 8:56 am

On Thu, 2005-04-21 at 08:12 +0000, Gabor Hojtsy wrote:
>
> Congratulations! Now I get an "Incorrect CAPTCHA" error when trying to
> *developer update* a bug report... There is no captcha displayed on the
> submission page...


Ohh, dohhh, I'm really sorry about that, it shouldn't have been in that
check in, my intentions were just to check in things that wouldn't
affect bug reporting/updating just yet :(

My internet connection went down shortly after that commit and it just
came up again, so sorry for the slow reaction, it would though have been okay
for you to comment it out to get everything working :)

I'll commit the rest of the captcha stuff after I catch Jani sometime on
irc.

- Helgi
Gabor Hojtsy

2005-04-21, 8:56 am

>>>dufuz Wed Apr 20 21:58:56 2005 EDT
>
> Ohh, dohhh, I'm really sorry about that, it shouldn't have been in that
> check in, my intentions were just to check in things that wouldn't
> affect bug reporting/updating just yet :(
>
> My internet connection went down shortly after that commit and it just
> came up again, so sorry for the slow reaction, it would though have been okay
> for you to comment it out to get everything working :)


Well, touching the bug system is not for mortal human beings. :) So I
admire you for hacking around there, but not many people will go in,
understand and fix that code.

Goba
Helgi Þormar

2005-04-21, 8:56 am

On Thu, 2005-04-21 at 11:01 +0000, Gabor Hojtsy wrote:
>
> Well, touching the bug system is not for mortal human beings. :) So I
> admire you for hacking around there, but not many people will go in,
> understand and fix that code.


Hehe, well I (and Daniel C.) do maintain the bug system for pear and
pecl so I have somewhat of an understanding of the code :P

It was in a similar state as php-bugs-web when I started poking around so
I might probably update php-bugs-web also, we'll see, if time permits
me ;)

- Helgi
Gabor Hojtsy

2005-04-21, 8:56 am

>>Well, touching the bug system is not for mortal human beings. :) So I
>
> Hehe, well I (and Daniel C.) do maintain the bug system for pear and
> pecl so I have somewhat of an understanding of the code :P
>
> It was in a similar state as php-bugs-web when I started poking around so
> I might probably update php-bugs-web also, we'll see, if time permits
> me ;)


Well, ideally it should be a lot more modular, and a lot less hackish :)
Whether it is possible to do depends on the available willingness of
those involved.

Goba
Helgi Þormar

2005-04-21, 8:56 am

On Thu, 2005-04-21 at 11:13 +0000, Gabor Hojtsy wrote:

> Well, ideally it should be a lot more modular, and a lot less hackish :)
> Whether it is possible to do depends on the available willingness of
> those involved.


Yeah that's very true, I think doing a little register globals cleanup
would though be a good start.

I'll look into it in the middle of May if no one beats me to it (which I very
much doubt ;))

- Helgi
Philip Olson

2005-04-21, 3:56 pm

> > Well, ideally it should be a lot more modular, and a lot less hackish :)
>
> Yeah that's very true, I think doing a little register globals cleanup
> would though be a good start.
>
> I'll look into it in the middle of May if no one beats me to it (which I very
> much doubt ;))


I (and assume others) started this process once but realized
it isn't worth it. There is a confirmed rumor that a new
bug system is being written from scratch (by Jani) so, well,
it just doesn't seem worth it unless you're really bored :)

Regards,
Philip
Helgi Þormar

2005-04-21, 3:56 pm

On Thu, 2005-04-21 at 13:45 +0000, Philip Olson wrote:
>
> I (and assume others) started this process once but realized
> it isn't worth it. There is a confirmed rumor that a new
> bug system is being written from scratch (by Jani) so, well,
> it just doesn't seem worth it unless you're really bored :)


Well, I know he started something new, but he hasn't done very much to
it atm :-)

Moving the code over to a register-globals-off safe thing doesn't take
a very long time, especially since we have it already done in
pear/peclweb :)
So we'll just see what happens.

- Helgi
Gabor Hojtsy

2005-04-21, 3:56 pm

>>>Well, ideally it should be a lot more modular, and a lot less hackish :)
>
> I (and assume others) started this process once but realized
> it isn't worth it. There is a confirmed rumor that a new
> bug system is being written from scratch (by Jani) so, well,
> it just doesn't seem worth it unless you're really bored :)


Wow, really?

Goba