in reply to Re^6: Stop Form Hurling
in thread Stop Form Hurling

OK, here's the full code that creates the image password:
    $cities = "cities.txt";       # number/letters - city correspondences
    $cities_st = "cities_st.txt"; # city standard file
    $tmp = "temp.txt";            # temp file to keep the password

    # choose random letters or numbers
    @array = (0..9,a..z,A..Z);
    srand;
    foreach (1..5) {
        $rand = int(rand scalar(@array));
        push (@selected, $rand);
    }

    # save the chosen password to file
    open TMP, ">$tmp";
    print TMP @selected;
    close TMP;

    # open file with number/letter - cities correspondences
    open CITIES, $cities;
    while (<CITIES>) {
        for ($x; $x<5; $x++) {
            $match = $selected[$x];
            if (/\+$match\+(\w+)/) {$selected[$x] = $1;}
        }
    }
    close CITIES;

    # erase file with number/letter - city correspondences
    unlink $cities;

    # read "cities_st.txt"
    open CITIES_ST, $cities_st;
    while (<CITIES_ST>) {
        /(\w+)/;
        push (@cities, $1);
    }
    close CITIES_ST;

    # randomize cities
    foreach (0..99) {
        $rand = int(rand scalar(@cities));
        splice (@cities, $rand, 1);
        push (@cities, $_);
    }

    # create new "cities.txt"
    open CITIES, ">$cities";
    foreach (a..z) {
        $city = 0;
        $out = "+",$_,"+",$cities[$city];
        $city++;
        print CITIES $out;
    }
    foreach (A..Z) {
        $city = 26;
        $out = "+",$_,"+",$cities[$city];
        $city++;
        print CITIES $out;
    }
    foreach (0..9) {
        $city = 51;
        $out = "+",$_,"+",$cities[$city];
        $city++;
        print CITIES $out;
    }
    close CITIES;

    # print the html code
    for ($i; $i<5; $i++){
        print "<img src='image_dir/$selected[$i].jpg' border=0>";
    }
No hidden field is involved, which, of course, would have compromised any kind of security. The script that is called to check the password will read it from the $tmp file, erase it, and erase/create all the image files based on the file ($cities) that contains the new correspondences.

I don't think there is a way that a bot or even a mischievous individual could bypass this password check without hacking into the system first.

PS: Of course, the code that changes the correspondences is only included here for reference purposes. It should be included in the second Perl script that checks the password as $cities should change together with the image files.

Re^8: Stop Form Hurling
by simonm (Vicar) on Nov 07, 2004 at 21:43 UTC
    OK, here's the full code that creates the image password

    I understand what you're getting at, but the code you show looks untested and buggy ($city is reset to the same value at the top of each loop), and there are some structural problems with the implementation -- like, what happens if two people are trying to log in at once? (Not to mention that a bot writer could easily checksum the renamed images to recognize them from prior requests.)

    You could address the simultaneous-users issue by adding some kind of server-side storage with an opaque key for the session or attempt... Or take a look at how the other existing Captcha solutions handle this.

      Indeed, it is untested code. I wrote it in August when I started learning Perl. It was the "two people" situation, which you mentioned, that made me put off using it on my site's guestbook even though I don't think that such a problem could appear on a low-volume site like mine.

      As far as the checksumming bot is concerned... Man, you older monks are masters of scrutiny! An amateur like me would never have imagined anything like that... Well, that's why I'd better stick with my current job as a high school teacher. ;-)

      Anyway, that's how far my limited experience with Perl managed to get me. Last week, I ordered Programming Perl. So, hopefully, once I've read it, I will be able to build on the code above and come up with a more comprehensive solution in the near future.

      Thanks for the pointers!
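Added example, written for this page and not code from the original poster or from simonm: it shows the shape simonm suggests for the "two people at once" problem. Each challenge gets an opaque per-attempt token; the expected answer lives only in a server-side record named by that token, and the hidden field carries the token alone, never the answer. The record is consumed atomically on first use, so a token can be answered exactly once, and it expires after a fixed time. The image names, the image-to-character mapping, the temporary store directory and the use of /dev/urandom are assumptions made for the example; a real guestbook would point the store at a persistent directory outside the document root.

```perl
#!/usr/bin/perl
# Added example, not the original poster's code: each CAPTCHA attempt gets its
# own opaque token and server-side record, so concurrent visitors never share
# one temp.txt. Image names and their answers are constructed for the demo.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical image inventory: file name -> the character that image shows.
my %IMAGE_ANSWER = (
    'athens.jpg' => 'a', 'berlin.jpg' => 'b', 'cairo.jpg'  => 'c',
    'dublin.jpg' => 'd', 'essen.jpg'  => 'e', 'fresno.jpg' => 'f',
    'geneva.jpg' => 'g', 'havana.jpg' => 'h', 'izmir.jpg'  => 'i',
);
my @IMAGES = sort keys %IMAGE_ANSWER;

# Server-side store: one small file per outstanding attempt, named by its token.
# (tempdir is an assumption for the demo; use a persistent directory in a CGI.)
my $STORE_DIR = tempdir(CLEANUP => 1);
my $TTL       = 300;   # seconds an attempt stays answerable
my $LENGTH    = 5;     # images per challenge, as in the original script

# Random bytes from the OS; Perl's rand() is not suitable for tokens.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Uniform index in [0, $n): rejection sampling avoids modulo bias.
sub random_index {
    my ($n) = @_;
    my $limit = 2**32 - (2**32 % $n);
    while (1) {
        my $v = unpack 'N', random_bytes(4);
        return $v % $n if $v < $limit;
    }
}

# Build a challenge: returns (token, html). Only the token reaches the client,
# in a hidden field; the expected answer is written to the server-side store.
sub new_challenge {
    my @chosen; my $answer = '';
    for (1 .. $LENGTH) {
        my $img = $IMAGES[ random_index(scalar @IMAGES) ];
        push @chosen, $img;
        $answer .= $IMAGE_ANSWER{$img};
    }
    my $token = unpack 'H*', random_bytes(16);   # 128 bits, hex-encoded
    open my $out, '>', "$STORE_DIR/$token" or die "cannot write attempt: $!";
    print {$out} "$answer\n", time, "\n";
    close $out;
    my $html = join '', map { "<img src='image_dir/$_' border=0>" } @chosen;
    $html .= "<input type='hidden' name='attempt' value='$token'>";
    return ($token, $html);
}

# Check one submission. The record is renamed (atomic on POSIX) before it is
# read, so a token is answerable exactly once even under concurrent posts.
sub verify_attempt {
    my ($token, $response) = @_;
    return 0 unless defined $token && $token =~ /\A[0-9a-f]{32}\z/;  # no path tricks
    my $path = "$STORE_DIR/$token";
    rename $path, "$path.used" or return 0;   # unknown or already-used token
    open my $in, '<', "$path.used" or return 0;
    my @rec = <$in>;
    chomp @rec;
    close $in;
    unlink "$path.used";
    my ($answer, $created) = @rec;
    return 0 unless defined $created && time - $created <= $TTL;
    return 0 unless defined $response && $response eq $answer;
    return 1;
}

# Self-check when run directly: a constructed request/response flow, no web server.
if (!caller) {
    my ($token, $html) = new_challenge();
    print "$html\n";
    open my $f, '<', "$STORE_DIR/$token" or die;   # server side reads its own record
    chomp(my $answer = <$f>);
    close $f;
    die "wrong answer accepted" if verify_attempt($token, 'zzzzz');   # spends the token
    die "spent token accepted"  if verify_attempt($token, $answer);
    my ($t2) = new_challenge();
    open $f, '<', "$STORE_DIR/$t2" or die;
    chomp(my $a2 = <$f>);
    close $f;
    die "right answer rejected" unless verify_attempt($t2, $a2);
    die "replay accepted"       if     verify_attempt($t2, $a2);
    print "all checks passed\n";
}
```

The token is validated against a fixed hex pattern before it is used as a file name, which is what keeps a submitted "attempt" value from reaching any path other than its own record. What this does not address is simonm's second point: as long as the same static image files are served, a bot can fingerprint their bytes however often they are renamed, so a scheme like this only holds up if the images themselves are rendered fresh and distorted per challenge, which is outside the scope of this example.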