I have this security code script that stops bots from making automatic sign ups. The problem is that when I enter the correct combination of letters and numbers I always get the incorrect message. Here is the code that interprets the input and decides if it is valid...
<?php
if (isset($HTTP_POST_VARS["name"]) && isset($HTTP_POST_VARS["security_try"])) {
    //Set variables, and call checkSecurityImage
    $security_refid = $HTTP_POST_VARS["security_refid"];
    $security_try = $HTTP_POST_VARS["security_try"];
    $checkSecurity = checkSecurityImage($security_refid, $security_try);
    //Depending on result, tell user entered value was correct or incorrect
    if ($checkSecurity) {
        $validnot = "correct";
    } else {
        $validnot = "not correct. Please try again";
    }
    //Write output
    echo("<b>You entered this as the security text:</b><br>\n
".$security_try."<br>\n
This is ".$validnot.".<br>\n
-------------------------------<br><br>\n
");
}
?>
And here is the rest of the code...
<?php
//Define function to insert security image
function insertSecurityImage($inputname) {
    $refid = md5(mktime()*rand());
    $insertstr = "<img src=\"securityimage.php?refid=".$refid."\" alt=\"Security Image\">\n
<input type=\"hidden\" name=\"".$inputname."\" value=\"".$refid."\">";
    echo($insertstr);
}
//Define function to check security image confirmation
function checkSecurityImage($referenceid, $enteredvalue) {
    //Connect to database
    $link = mysql_connect("localhost","username","password");
    if(! $link)
        die ("Couldn't connect to database");
    $db = "database";
    mysql_select_db($db) or die ("Couldn't select database");
    $referenceid = mysql_escape_string($referenceid);
    $enteredvalue = mysql_escape_string($enteredvalue);
    $tempQuery = mysql_query("SELECT ID FROM security_images WHERE referenceid='".
        $referenceid."' AND hiddentext='".$enteredvalue."'") or die(mysql_error());
    if (mysql_num_rows($tempQuery)) {
        return true;
    } else {
        return false;
    }
}
?>
And finally the SQL code...
CREATE TABLE `security_images` (
    `ID` int(11) NOT NULL auto_increment,
    `insertdate` datetime NOT NULL default '0000-00-00 00:00:00',
    `referenceid` varchar(100) NOT NULL default '',
    `hiddentext` varchar(100) NOT NULL default '',
    PRIMARY KEY (`ID`)
) TYPE=MyISAM;
You can view the working, well almost working demo at http://www.q2link.com/test/Signupdemo.php. I would appreciate any help. Thanks for reading! 🙂
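A hardened form of the check in the post above, as an added example that is not the poster's code: it reads `$_POST`, binds input through PDO prepared statements, makes each challenge single-use and time-limited, and escapes the echoed value. It assumes the `security_images` table shown above is filled in by `securityimage.php`; the DSN and credentials are placeholders, and the 10-minute lifetime and case folding are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes the security_images table above;
// DSN, user name and password are placeholders; the 10-minute lifetime is assumed.
function checkSecurityImage(PDO $pdo, $referenceid, $enteredvalue, $maxAge = 600) {
    // Accept only the 32-hex-character shape that md5() produces for the refid.
    if (!is_string($referenceid) || !preg_match('/^[a-f0-9]{32}$/', $referenceid)) {
        return false;
    }
    if (!is_string($enteredvalue) || trim($enteredvalue) === '') {
        return false;
    }
    // Prepared statement: the input is bound as data, never spliced into the SQL.
    $select = $pdo->prepare(
        'SELECT ID, hiddentext, insertdate FROM security_images WHERE referenceid = ?'
    );
    $select->execute([$referenceid]);
    $row = $select->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Single use: consume the challenge before judging the answer, so one image
    // cannot be guessed repeatedly. Only the request that deleted the row continues.
    $delete = $pdo->prepare('DELETE FROM security_images WHERE ID = ?');
    $delete->execute([$row['ID']]);
    if ($delete->rowCount() !== 1) {
        return false;
    }
    // Expire old challenges (assumes PHP and MySQL share a time zone).
    $age = time() - strtotime($row['insertdate']);
    if ($age < 0 || $age > $maxAge) {
        return false;
    }
    // Constant-time comparison; folding case is an assumption about the images.
    return hash_equals(strtolower($row['hiddentext']), strtolower(trim($enteredvalue)));
}

$pdo = new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4',
    'username', 'password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (isset($_POST['name'], $_POST['security_refid'], $_POST['security_try'])) {
    $ok = checkSecurityImage($pdo, $_POST['security_refid'], $_POST['security_try']);
    $validnot = $ok ? 'correct' : 'not correct. Please try again';
    // Escape the submitted text before echoing it back into the page.
    echo "<b>You entered this as the security text:</b><br>\n"
        . htmlspecialchars($_POST['security_try'], ENT_QUOTES, 'UTF-8') . "<br>\n"
        . 'This is ' . $validnot . ".<br>\n";
}
```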