How to handle Verification code bypass _php tutorial

Let's start with an analysis of the verification code release process.
1, displaying the form
2, display the Verification code (the program that generates the verification code), encrypt the verification code and put it into session or cookie
3, the user submits the form
4, check the verification code is correct, data is valid after writing to the database tutorial completed

If the user publishes another, under normal circumstances, will again visit the form page, Verification code Image passive update, session and Cookie has changed
But the operation of the machine does not have to use the form page, it can directly simulate post to the server program to send data, so that the verification Code program is not called, of course, the session and cookie store encryption verification code is the last value, there is no update, In this way, the data sent directly through post, without regard to the verification code, the verification code is not the same as fake!

Therefore, after verifying the verification code, the session and the value of the cookie is emptied, and then do the data legitimacy judgment, and even storage!
Such a loophole is to be mended!

if (MD5 ($_post[' vcode ')) = = $_session[' Vcode ']) {
$_session[' Vcode ']= ';//This sentence is very important
} else {
Exit ' Verification code is wrong! ';
}
The next process
......
?>

A program that generates a CAPTCHA picture

Session_Start ();
......
$v = new Authcode ();
$vcode = $v->getauthcode ();
$_session[' vcode '] = MD5 ($vcode);
........
?>

Form page

How the verification code is bypassed

http://www.bkjia.com/PHPjc/632363.html www.bkjia.com true http://www.bkjia.com/PHPjc/632363.html techarticle We first analyze, there is a verification code release process 1, display Form 2, display the Verification code (the program used to generate verification code), the verification code is encrypted and placed in session or Cookie 3, ...

