Solved

Why doesn't my form recognize MathGuard?

Posted on 2007-12-05
373 Views
Last Modified: 2013-12-13
Hi everyone, I experienced some spam bot problems and I think I have stopped the pest by adding a JS function, but before I discovered that little trick I attempted to use captcha and mathguard and I can't seem to get either to work.

I can submit a comment but the math guard question is ignored, so if I leave the math guard field blank it will still post a comment. I would like to fix this so I can't submit a comment unless I have answered the math guard question correctly.

I have uploaded all the files in use to this url:
http://www.newmedia.lincoln.ac.uk/jecgardner/mathguard/
journal.phps (comments form)
process.phps (posts comments into database)
ClassMathGuard.phps (mathguard)

You can also see my site at this url: http://www.newmedia.lincoln.ac.uk/jecgardner/index.php?page=2

Please help me get the mathguard to work
Question by: shtoom
19 Comments
LVL 31

Expert Comment

by:Frosty555
ID: 20417267
In your process.php file, you have a couple references to the $_REQUEST array. Change this to the $_POST array.

If this does not solve the problem, put some debug code in for me, re-run it and tell me what the output is:
In Process.php, change this code:
 

/* this condition checks the user input. Don't change the condition, just the body within the curly braces */
    if (MathGuard :: checkResult($_REQUEST['mathguard_answer'], $_REQUEST['mathguard_code']))
    {
        // insert code to be executed when user enters correct answer
        header("Location: journal_test.php");
    }
    else
    {
        die("Bad answer, go back to school !");
    }
} // closing brace of the enclosing block in process.php (that block is not shown here)
 
 
 
 

To this:
 
 
 
 

/* this condition checks the user input. Don't change the condition, just the body within the curly braces */
    // debug output: dump both arrays so we can see what the form actually sent
    echo "<pre>POST ARRAY:\n";
    print_r($_POST);
    echo "\n\n\nREQUEST ARRAY:\n";
    print_r($_REQUEST);

    if (MathGuard :: checkResult($_REQUEST['mathguard_answer'], $_REQUEST['mathguard_code']))
    {
        die("Debug halt. Correct Answer");
    }
    else
    {
        die("Bad answer, go back to school !");
    }
} // closing brace of the enclosing block in process.php (that block is not shown here)

 
LVL 31

Expert Comment

by:Frosty555
ID: 20417296
Also I can't help but notice that Journal.php is posting to "../process.php" and includes "ClassMathGuard.php", while process.php includes "../ClassMathGuard.php". How can this be?

I'm not sure if this has anything to do with anything but I sense a bit of incorrect-path stuff going on here. Just make sure you're editing the right file and it's going to the right place on your server.
 

Author Comment

by:shtoom
ID: 20420932
Hi I applied your code and I also changed the path to process.php on line 7 to this:
header("Location: journal.php");

I have uploaded a new process.phps file with your updated code being used. Still no luck my friend. I am able to post a comment without entering anything into the mathguard field, or if I enter an incorrect answer in mathguard it still posts the comment :/
 
LVL 31

Expert Comment

by:Frosty555
ID: 20424655
As it stands right now, your page should never let anything through. It should either die with "Debug Halt" if everything was okay, or it should die with "Bad Answer" if it failed due to mathguard. It should output the contents of those two arrays as debug output.

Can you run through it and tell me what the output is? I can't find a live version going on your site
 
LVL 31

Expert Comment

by:Frosty555
ID: 20424718
Okay I have it working on my machine.

There were a number of issues that may or may not be a problem for you.

1) I changed the form's target in journal.php to "process.php", instead of "../process.php"

2) The two lines in journal.php:

<p><input type="hidden" name="entry" id="entry" value="<?php echo $id; ?>" />
<input type="hidden" name="timestamp" id="timestamp" value="<?php echo $commenttimestamp; ?>" />

The $id and the $commenttimestamp variable do not exist, and so it generates php errors. These errors are invisible because they're within a hidden input box form element. I just removed them. You're gonna want to make sure these variables are working

3) I put <Script> tags around your javascript validation code in journal.php

The code works on my testing server now.

Please let me know what the debug code I gave you above outputs when you run it. That will help us debug this the next step.
 

Author Comment

by:shtoom
ID: 20425052
Cool, now I can see the POST and REQUEST arrays. This is the browser message I got after entering and submitting all the correct information in every field:

POST ARRAY:
Array
(
    [entry] =>
    [timestamp] =>
    [name] => aadsad
    [email] => asdasd@a.com
    [url] => http://asdad
    [comment] => asdasd
    [mathguard_answer] => 2
    [mathguard_code] => 029965943be49743e54fa5fdc79f8702
    [submit_comment] =>
    [submit_comment_button] => Add Comment
)



REQUEST ARRAY:
Array
(
    [entry] =>
    [timestamp] =>
    [name] => aadsad
    [email] => asdasd@a.com
    [url] => http://asdad
    [comment] => asdasd
    [mathguard_answer] => 2
    [mathguard_code] => 029965943be49743e54fa5fdc79f8702
    [submit_comment] =>
    [submit_comment_button] => Add Comment
    [phpbb2mysql4_data] => a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";i:-1;}
)
Debug halt. Correct Answer
 

Author Comment

by:shtoom
ID: 20426917
Why does the REQUEST array print every input that the form has, plus an extra line that the POST array doesn't have: [phpbb2mysql4_data]?

I can see why the POST array would echo all the input values in the form because the forms method is post.

The only time REQUEST is being used is in the mathguard if statement on process.php.

Are there any programs I can use to debug code, or do you know this language fluently enough to recognize mistakes and correct code? I am using Dreamweaver.
 
LVL 31

Expert Comment

by:Frosty555
ID: 20434683
$_REQUEST is an array that contains everything from $_GET, $_POST and $_COOKIE. Probably that extra entry is just a cookie put there from something else (looks like a phpbb forum), so it's nothing you need to worry about.

Well your code looks fine. Your output looks fine. It works on my test server, try doing it with an intentionally wrong answer and see if it correctly dies with "bad answer go back to school".

There do exist single-stepping PHP debuggers but I don't use any ATM. To my knowledge it is a bit of a pain to get them set up. I just put lots of echo statements in my code so I can see exactly what the state of all the variables is just as the code executes. That usually reveals the problem.
 

Author Comment

by:shtoom
ID: 20434815
With the wrong answer the form says "Bad answer, go back to school !"
Should I delete this to get the comments form to work?

        die("Debug halt. Correct Answer");
    }
    else
    {
        die("Bad answer, go back to school !");
    }
}


I have a few more questions and I will raise the points if you can help?

1. Does my form prevent SQL injection? If not can you help me to add SQL injection prevention code?

2. If I type an address in the comments text area i.e. www.experts-exchange.com the link won't be active. Can you help me make this possible please?
 

Author Comment

by:shtoom
ID: 20451678
hello?
 
LVL 31

Expert Comment

by:Frosty555
ID: 20472647
Looks like your form is working properly now. Now take out that die("debug halt. correct answer") and replace it with the redirect() you had before. Your code *should* die on an incorrect answer, perhaps with a link to go back to the form. Ideally it would be nice to redirect back to the original form and preserve all of the comments the user typed in but you can code that up at your own discretion.

Your code is protected from html injection, but not from sql injection. To do this, simply feed your data through mysql_real_escape_string(). e.g. your code in process.php:

    $entry = htmlspecialchars(strip_tags($_POST['entry']));
    $timestamp = htmlspecialchars(strip_tags($_POST['timestamp']));
    $name = htmlspecialchars(strip_tags($_POST['name']));
    .... etc

Should be instead

    $entry = mysql_real_escape_string(htmlspecialchars(strip_tags($_POST['entry'])));
    $timestamp = mysql_real_escape_string(htmlspecialchars(strip_tags($_POST['timestamp'])));
    ... etc

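As an added illustration of the flow described in this answer (not code from the thread, from the asker's site or from MathGuard): verify the answer before anything is echoed, store the comment through a bound parameter instead of mysql_real_escape_string(), then redirect and stop. The PDO connection, the `comments` table and its columns are assumed; PHP 7+ is assumed for `??` and the type hints.

```php
<?php
// Added example, not the asker's process.php: the order of operations a
// comment handler needs so that the MathGuard check is enforced, nothing is
// printed before header(), and the database insert cannot be injected into.
// Assumed: MathGuard from ClassMathGuard.php, a PDO connection, and a
// `comments` table with the columns used below.
require_once 'ClassMathGuard.php';

function handle_comment(PDO $db, array $post): string
{
    // Read only the POST array: cookies and query-string values also land in
    // $_REQUEST (see the phpbb cookie in the dump above), POST does not.
    $answer = $post['mathguard_answer'] ?? '';
    $code   = $post['mathguard_code'] ?? '';

    // Check the challenge first and stop on failure. Nothing is printed on
    // the success path, so header() below cannot hit "headers already sent".
    if (!MathGuard::checkResult($answer, $code)) {
        http_response_code(400);
        return 'Bad answer, go back to school !';
    }

    // Store the tag-stripped text through a prepared statement: the driver
    // quotes the values, which replaces mysql_real_escape_string(). HTML
    // escaping (htmlspecialchars) belongs where the comment is displayed.
    $entry = (int)($post['entry'] ?? 0);
    $stmt  = $db->prepare(
        'INSERT INTO comments (entry, name, email, url, comment, timestamp)
         VALUES (:entry, :name, :email, :url, :comment, NOW())'
    );
    $stmt->execute([
        ':entry'   => $entry,
        ':name'    => strip_tags($post['name'] ?? ''),
        ':email'   => strip_tags($post['email'] ?? ''),
        ':url'     => strip_tags($post['url'] ?? ''),
        ':comment' => strip_tags($post['comment'] ?? ''),
    ]);

    // Redirect back to the entry and stop; without exit the script would
    // keep running after the Location header has been sent.
    header('Location: entry/journal.php?id=' . $entry);
    exit;
}

// Assumed DSN and credentials; wire this to the site's own connection.
$db = new PDO('mysql:host=localhost;dbname=blog', 'user', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo handle_comment($db, $_POST);
```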
 
LVL 31

Expert Comment

by:Frosty555
ID: 20472667
Replacing addresses with html links can be easily done with preg_replace. According to a commenter on php.net's forums (source: http://www.php.net/manual/en/function.preg-replace.php#79204).

I've attached some code that should do it. You pass any text into the hyperlink() function defined below, and it will replace the links with html <a href...> and return that.

This code you would put on the page where you DISPLAY the comments. It should be done on the fly every time data retrieved from the database is displayed on the screen. It should not be done at the point where the user submits the comment, otherwise all the tags will get stripped out by your validation code.

<?php
function hyperlink($text) {
    // match protocol://address/path/file.extension?some=variable&another=asf%
    $text = preg_replace("/\s([a-zA-Z]+:\/\/[a-z][a-z0-9\_\.\-]*[a-z]{2,6}[a-zA-Z0-9\/\*\-\?\&\%\=]*)([\s|\.|\,])/i",
            " <a href=\"$1\" target=\"_blank\">$1</a>$2", $text);

    // match www.something.domain/path/file.extension?some=variable&another=asf%
    $text = preg_replace("/\s(www\.[a-z][a-z0-9\_\.\-]*[a-z]{2,6}[a-zA-Z0-9\/\*\-\?\&\%\=]*)([\s|\.|\,])/i",
            " <a href=\"http://$1\" target=\"_blank\">$1</a>$2", $text);

    // match name@address (the link scheme is "mailto:", without slashes)
    $text = preg_replace("/\s([a-zA-Z][a-zA-Z0-9\_\.\-]*[a-zA-Z]*\@[a-zA-Z][a-zA-Z0-9\_\.\-]*[a-zA-Z]{2,6})([\s|\.|\,])/i",
            " <a href=\"mailto:$1\">$1</a>$2", $text);

    return $text;
}
?>
 

PS - please note that the line breaks and spaces/tabs in the method's regular expressions need to be removed before using it. 

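An added variant of hyperlink() (not the code posted in this thread): each posted pattern begins with `\s`, so it only matches an address that has a whitespace character in front of it, and a comment that is nothing but www.test.com, or that begins with an address, is never linked. Lookarounds take the place of the consumed `\s` and trailing separator, and the href value is escaped. PHP 7.4+ is assumed for the arrow functions.

```php
<?php
// Added example, not the thread's hyperlink(): the posted patterns require a
// whitespace character before each address, so text that starts with one
// (e.g. a comment that is only "www.test.com") is never linked. Lookarounds
// take the place of the consumed \s and the trailing separator, and the href
// value is escaped. Assumes PHP 7.4+ (arrow functions).
function hyperlink(string $text): string
{
    // host[/path]: a letter, host characters, a 2-6 letter label, then an
    // optional path; "." and "," are not path characters, so a sentence-ending
    // dot or comma right after the address is not swallowed into the link.
    $body  = '[a-z][a-z0-9._\-]*[a-z]{2,6}[a-z0-9\/*\-?&%=#]*';
    $start = '(?<![\w.\/@-])'; // not preceded by a word char, dot, slash, @ or -
    $end   = '(?=[\s.,]|$)';   // followed by whitespace, ".", "," or end of text

    // Build the anchor; the href is escaped so the address cannot break out
    // of the attribute when it is echoed into the page.
    $link = function (string $prefix, string $addr, bool $blank = true): string {
        $href = htmlspecialchars($prefix . $addr, ENT_QUOTES);
        return $blank
            ? sprintf('<a href="%s" target="_blank">%s</a>', $href, $addr)
            : sprintf('<a href="%s">%s</a>', $href, $addr);
    };

    // 1. scheme://host/path
    $text = preg_replace_callback("/{$start}([a-z]+:\/\/{$body}){$end}/i",
        fn($m) => $link('', $m[1]), $text);
    // 2. www.host/path with no scheme: prefix http://
    $text = preg_replace_callback("/{$start}(www\.{$body}){$end}/i",
        fn($m) => $link('http://', $m[1]), $text);
    // 3. name@host as a mailto: link (the posted "mailto://" is not a valid form)
    $text = preg_replace_callback(
        "/{$start}([a-z][a-z0-9._\-]*@[a-z][a-z0-9.\-]*[a-z]{2,6}){$end}/i",
        fn($m) => $link('mailto:', $m[1], false), $text);
    return $text;
}

// Constructed samples: an address on its own, and addresses mid-sentence.
echo hyperlink('www.test.com'), "\n";
echo hyperlink('See http://www.example.com/path, then mail me@example.org.'), "\n";
```

Run it once on the display page with the text that comes back from the database, as the answer above says, not in process.php where strip_tags() would remove the anchors again.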
 

Author Comment

by:shtoom
ID: 20481679
I changed: die("Debug halt. Correct Answer");
to: header("Location: entry/journal.php?id=" . $entry);

When I fill all fields with the correct input the browser gives me this error message:
Warning:  Cannot modify header information - headers already sent by (output started at /home/webmedia/public_html/jecgardner/entry/process.php:9) in /home/webmedia/public_html/jecgardner/entry/process.php on line 16

Fatal error:  Call to undefined function:  checkresult() in /home/webmedia/public_html/jecgardner/entry/process.php on line 38

I have uploaded the process.phps:
http://www.newmedia.lincoln.ac.uk/jecgardner/mathguard/process.phps
 

Author Comment

by:shtoom
ID: 20481764
I have now added mysql_real_escape_string to process.php

I have also added the function hyperlink($text) to my blog (http://www.newmedia.lincoln.ac.uk/jecgardner) and when I entered a new blog entry with a URL in the text area the URL wasn't active on the index page?
 
LVL 31

Expert Comment

by:Frosty555
ID: 20497616
The reason you're getting errors when you call header(), is because the debug code we added earlier is still present in your script. Remove or comment out the print_r() and echo statements from your code.

checkresult() never made any sense to me, I don't see why it is there. I assumed it related to some other part of your code you were not showing me, but if you do not know what it is either you can probably just remove the line.

Not sure about your blog. Make sure you are calling hyperlink and echoing out the text that the function returns. Also make sure you removed the carriage returns and spaces as instructed at the bottom of the code I posted.  The regular expression passed to the preg_replace() function calls should be one long line of text.
 

Author Comment

by:shtoom
ID: 20502053
I have deleted the print_r() and echo statements and now when I submit a valid entry the next page shows: Invalid ID specified.
If I enter wrong info in the fields then I get the "go back to school" bad answer response.

I have put the function hyperlink($text) at the top of my blog (index) code. I am not sure how to correctly echo out the function? My guess would be to add hyperlink to this line:
echo "<br /><br />".smiley(showinweb($row['entry']));
Please can you have a look at the source? Maybe you can see why the links don't display with a text entry?
http://www.newmedia.lincoln.ac.uk/jecgardner/mathguard/index.phps

I have also updated the process.phps
http://www.newmedia.lincoln.ac.uk/jecgardner/mathguard/process.phps
 
LVL 31

Accepted Solution

by:
Frosty555 earned 300 total points
ID: 20505224
Okay, well mathguard is working fine now. We just need to fix up your other code.

1) The smiley() function is being used as though it returns a value. It does not. It happens to just echo out the text, which works, but we need to change it so it returns a value properly. Replace the "echo str_replace(..." with "return str_replace(...".

2) You have to use the hyperlink function. So change:
       "<br /><br />".smiley(showinweb($row['entry']));
to
       "<br /><br />".hyperlink(smiley(showinweb($row['entry'])));

3) The "invalid ID" is happening because you are passing this $entry variable in as the ID parameter of the page when you redirect. I don't know what $entry is, it isn't defined on the page. Did you intend to use the value of the ENTRY hidden field that you put in your form when the user submitted a comment? In that case you need to change it to $_REQUEST["entry"].

However, it looks like your form is not even generating the right value for that entry field. And by the looks of it, I think it is because on your journal.php you also just used the "$id" variable, which is not defined anywhere. Again, did you intend on using the "id" attribute that was passed in the address of the page? If so, change $id in journal.php to $_REQUEST["id"]
 

Author Comment

by:shtoom
ID: 20509220
Hi frosty!
I have made the changes you told me to do in step 1 and 2.

I made a new blog entry and typed www.test.com in the main text area and when I viewed my index page the link was still not being noticed by the hyperlink function?

Step 3:
The long text area that is posted with the blog entry goes into the db table field called entry. There is also a table in the db just for user comments and this also has a field called entry. When the user submits a comment it is stored in the comments entry field and it should take the user back to ID page of the blog entry showing the blog entry along with the new user comment.
I am not sure why I have a hidden field called entry in the comments form. I did have an annoying spam bot and I tried a lot of prevention techniques and this could have got caught up in it. I don't think I need the hidden entry field in the comment form?
 

Author Comment

by:shtoom
ID: 20579084
hello?