Is your PHP Verification Code secure?

Source: Internet
Author: User
Verification codes are mainly used to prevent brute-force cracking, post flooding and automatic form submission; I will not describe them in detail here. They come as digits, letters and even Chinese characters. However, no matter how strong your verification code is, if you make the following mistake in the form verification, the code is useless!

The usual design of a verification code works like this: the login page loads a script that generates an image containing the code and writes the code's value into the session. When the form is submitted, the login script compares the submitted verification code with the value stored in the session.

Here is the problem. When the login fails because of a wrong password, the browser does not request the image-generating script again. If the verification code in the session is not cleared at that point, the stored code stays the same as before, and the carefully built verification-code mechanism is reduced to a formality.

Next, let's take a look at the problematic code.
Login form:

<td>Administrator name:</td>
<td><input type="text" name="username" /></td>
<td>Administrator password:</td>
<td><input type="password" name="password" /></td>
<td>Verification code:</td>
<td><input type="text" name="captcha" onkeyup="presscaptcha(this)" /></td>
<td colspan="2" align="right">


There is no problem here. Now let's look at the login verification code (I think most people use this same verification logic):

<?php
// -- Verify the login information
if ($_REQUEST['act'] == 'signin')
{
    include('../includes/cls_captcha.php');

    /* Check whether the verification code is correct */
    $validator = new captcha();
    if (!$validator->check_word($_POST['captcha']))
    {
        sys_msg($_LANG['captcha_error'], 1);
    }

    /* Check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, action_list FROM " . $ecs->table('admin_user') .
           " WHERE user_name = '$_POST[username]' AND password = '" . md5($_POST['password']) . "'";
    $row = $db->getRow($sql);

    if ($row)
    {
        // Login successful
        set_admin_session($row['user_id'], $row['user_name'], $row['action_list']);

        // Update the last logon time and IP address
        $db->execute("UPDATE " . $ecs->table('admin_user') .
                     " SET last_time = '" . date('Y-m-d H:i:s', time()) . "', last_ip = '" . real_ip() . "'" .
                     " WHERE user_id = $_SESSION[admin_id]") or die($db->errorMsg());

        if (isset($_POST['remember']))
        {
            setcookie('ECSCP[admin_id]', $row['user_id'], time() + 3600 * 24 * 360);
            setcookie('ECSCP[admin_pass]', md5($row['password'] . $_CFG['hash_code']), time() + 3600 * 24 * 360);
        }

        header('Location: ./');
    }
    else
    {
        // Wrong password: the verification code stored in the session is left unchanged
        sys_msg($_LANG['login_faild'], 1);
    }
}

The problem lies in the code above. After an incorrect password is detected, the verification code is not refreshed. An attacker can therefore remove the verification-code image from the login page, request the code-generating URL once, and then keep submitting the user name, a password guess and the code just obtained, which makes brute-force cracking possible. The same weakness allows post flooding and vote stuffing.
The picture below illustrates this (image not included here).

Solution: the verification code stored in the session must be updated after an incorrect password has been detected. For message boards and similar forms, the code must also be updated after a successful submission.
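To make the fix concrete, here is an added example (not ECShop's code or the author's) that puts the reusable check described above beside a single-use check which clears the session value on every comparison, whether it passes or fails. The session key `captcha_word` and the function names are assumptions; the code is generated as a plain string instead of an image so it can be run from the command line.

```php
<?php
// Added example, not the page's or ECShop's code. Shows why a verification
// code must be single-use: the session value is consumed as soon as it has
// been checked, pass or fail. Key name 'captcha_word' is an assumption.
session_start();

/* Generate a new code, store it in the session and return it. A real
   application renders it into an image instead of returning it. */
function captcha_generate(int $length = 4): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha_word'] = $word;
    return $word;
}

/* Vulnerable pattern from the article: the stored word survives a failed
   login, so one image fetch serves any number of password guesses. */
function captcha_check_reusable(string $input): bool
{
    return isset($_SESSION['captcha_word'])
        && strcasecmp($_SESSION['captcha_word'], $input) === 0;
}

/* Hardened pattern: consume the stored word on every check. A wrong
   password now forces a fresh image request for the next attempt, and a
   successful submission cannot be replayed with the same code either. */
function captcha_check_once(string $input): bool
{
    $stored = $_SESSION['captcha_word'] ?? null;
    unset($_SESSION['captcha_word']);   // single use, regardless of outcome
    return $stored !== null
        && hash_equals(strtoupper($stored), strtoupper($input));
}

// Walk through the scenario with a constructed code instead of an image.
$word = captcha_generate();
captcha_check_reusable($word);            // first attempt, password wrong
var_dump(captcha_check_reusable($word));  // bool(true): same code accepted again

$word = captcha_generate();
captcha_check_once($word);                // first attempt, password wrong
var_dump(captcha_check_once($word));      // bool(false): code already consumed
```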

Security is like this: we always want to make our programs safer, but in general we cannot step outside conventional thinking, and as a result many "unconventional vulnerabilities" or "defects" appear in our programs. In short, they are never perfect. Besides pointing out the problem above, I also hope that everyone will take action, re-examine their own programs with an "unconventional" eye, and write up more of the small issues that have not been found before, so that we can all improve together!
