in reply to Re^4: Stop Form Hurling
in thread Stop Form Hurling

This depends on the level of security you require. Of course, one could use a temp file which is written, read, and deleted on the fly (as we pass from one cgi script to the other) to transfer the info.

Re^6: Stop Form Hurling
by simonm (Vicar) on Nov 06, 2004 at 17:17 UTC
    This depends on the level of security you require.

    No; passing a random string in a hidden form field to match against the user input does not provide *any* level of security.

    What's the scenario you imagine this is going to protect you against?

      OK, here's the full code that creates the image password:
      $cities = "cities.txt";       # number/letters - city correspondences
      $cities_st = "cities_st.txt"; # city standard file
      $tmp = "temp.txt";            # temp file to keep the password

      # choose random letters or numbers
      @array = (0..9,a..z,A..Z);
      srand;
      foreach (1..5) {
          $rand = int(rand scalar(@array));
          push (@selected, $rand);
      }

      # save the chosen password to file
      open TMP, ">$tmp";
      print TMP @selected;
      close TMP;

      # open file with number/letter - cities correspondences
      open CITIES, $cities;
      while (<CITIES>) {
          for ($x; $x<5; $x++) {
              $match = $selected[$x];
              if (/\+$match\+(\w+)/) {$selected[$x] = $1;}
          }
      }
      close CITIES;

      # erase file with number/letter - city correspondences
      unlink $cities;

      # read "cities_st.txt"
      open CITIES_ST, $cities_st;
      while (<CITIES_ST>) {
          /(\w+)/;
          push (@cities, $1);
      }
      close CITIES_ST;

      # randomize cities
      foreach (0..99) {
          $rand = int(rand scalar(@cities));
          splice (@cities, $rand, 1);
          push (@cities, $_);
      }

      # create new "cities.txt"
      open CITIES, ">$cities";
      foreach (a..z) {
          $city = 0;
          $out = "+",$_,"+",$cities[$city];
          $city++;
          print CITIES $out;
      }
      foreach (A..Z) {
          $city = 26;
          $out = "+",$_,"+",$cities[$city];
          $city++;
          print CITIES $out;
      }
      foreach (0..9) {
          $city = 51;
          $out = "+",$_,"+",$cities[$city];
          $city++;
          print CITIES $out;
      }
      close CITIES;

      # print the html code
      for ($i; $i<5; $i++){
          print "<img src='image_dir/$selected[$i].jpg' border=0>";
      }
      No hidden field is involved, which, of course, would have compromised any kind of security. The script that is called to check the password will read it from the $tmp file, erase it, and erase/create all the image files based on the file ($cities) that contains the new correspondences.

      I don't think there is a way that a bot or even a mischievous individual could bypass this password check without hacking into the system first.

      PS: Of course, the code that changes the correspondences is only included here for reference purposes. It should be included in the second perl script that checks the password as $cities should change together with the image files.

        OK, here's the full code that creates the image password

        I understand what you're getting at, but the code you show looks untested and buggy ($city is reset to the same value at the top of each loop), and there are some structural problems with the implementation -- like, what happens if two people are trying to log in at once? (Not to mention that a bot writer could easily checksum the renamed images to recognize them from prior requests.)

        You could address the simultaneous-users issue by adding some kind of server-side storage with an opaque key for the session or attempt... Or take a look at how the other existing Captcha solutions handle this.
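The following is an added example (not code from this thread or from either poster) of the per-attempt server-side storage with an opaque key that the reply above suggests, applied to the image-password flow from the earlier post. It assumes a Unix host with /dev/urandom and only core Perl modules (Digest::SHA, File::Temp); the subroutine names, the file layout and the tempdir used as the store are all this example's own choices. Each login attempt gets its own record file, so two users logging in at the same moment cannot overwrite each other's password the way a single shared temp.txt would, and the record is consumed on the first check so an answer cannot be replayed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

# One small file per pending attempt. The tempdir is a constructed stand-in;
# a CGI deployment would use a fixed directory outside the document root.
my $STORE    = tempdir(CLEANUP => 1);
my @ALPHABET = (0 .. 9, 'a' .. 'z', 'A' .. 'Z');
my $TTL      = 300;    # seconds an attempt stays valid

# OS randomness instead of srand/rand, whose output is predictable.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $buf, $n) == $n or die "short read from /dev/urandom";
    close $fh;
    return $buf;
}

# Uniform integer in 0 .. $n-1, rejecting bytes that would skew the result.
sub random_index {
    my ($n) = @_;
    my $limit = 256 - (256 % $n);
    while (1) {
        my $b = unpack 'C', random_bytes(1);
        return $b % $n if $b < $limit;
    }
}

# The record is named by a hash of the token, so a directory listing on the
# server does not hand out usable tokens.
sub record_path { return "$STORE/" . sha256_hex($_[0]) }

# Script 1: pick five symbols, file them under an opaque token, and return the
# token plus the image names to show. Only the token reaches the client.
sub new_attempt {
    my $token  = unpack 'H*', random_bytes(16);    # 128-bit opaque key
    my @chosen = map { $ALPHABET[ random_index(scalar @ALPHABET) ] } 1 .. 5;
    my $path   = record_path($token);
    open my $fh, '>', $path or die "create $path: $!";
    print $fh join('', @chosen), "\n", time + $TTL, "\n";
    close $fh;
    return ($token, map { "image_dir/$_.jpg" } @chosen);
}

# Script 2: claim the record for this token, delete it, and compare once.
sub verify_attempt {
    my ($token, $input) = @_;
    return 0 unless defined $token && $token =~ /\A[0-9a-f]{32}\z/;
    return 0 unless defined $input;
    my $path    = record_path($token);
    my $claimed = "$path.claimed.$$";
    # rename() is atomic, so of two concurrent checks only one gets the record.
    rename $path, $claimed or return 0;
    open my $fh, '<', $claimed or return 0;
    chomp(my ($answer, $expires) = <$fh>);
    close $fh;
    unlink $claimed;
    return 0 if time > $expires;
    return constant_time_eq($answer, $input);
}

# Compare without revealing, through timing, where the first mismatch is.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Demo only: read an answer back so the whole flow runs in one process.
sub peek_answer {
    open my $fh, '<', record_path($_[0]) or return undef;
    chomp(my $answer = <$fh>);
    return $answer;
}

unless (caller) {
    my ($tok1, @images1) = new_attempt();
    my ($tok2, @images2) = new_attempt();    # second user, same moment
    my $ans1 = peek_answer($tok1);
    print "user 1 images: @images1\n";
    print "user 1, correct answer: ",        verify_attempt($tok1, $ans1), "\n";
    print "user 1, same answer replayed: ",  verify_attempt($tok1, $ans1), "\n";
    print "user 2, user 1's answer: ",       verify_attempt($tok2, $ans1), "\n";
    print "user 2, own answer: ", verify_attempt($tok2, peek_answer($tok2)), "\n";
}
```

In a real deployment the first script would send the token to the browser (hidden field or cookie) and the second script would call verify_attempt with that token and the typed answer; the token on its own tells a bot nothing, because the answer never leaves the server. The image-checksumming point raised above is not addressed here: the record store only fixes the shared-file and replay problems, and the images themselves would still need to be regenerated rather than renamed.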