I’m trying to implement a new type of captcha for a login. I got the login code from this link: http://www.evolt.org/node/60384
The captcha code is coming from this one: http://research.microsoft.com/asirra/installation.aspx
I installed it here. www.soundmethodmarketing.com/register.php
It seems to work except that it doesn’t do the validation. I know I missed something because it’s letting me register even if I don’t choose the cats. I think it’s because I don’t understand how to do this part. Can you look at this and see if you can identify what I missed? My code is below.
…Step 4. Have your back-end form processor validate that the challenge has been passed.
This is a critical step; without it, clients can simply bypass Asirra by disabling or circumventing the Asirra JavaScript.
If a client successfully passes an Asirra challenge, our JavaScript will set a hidden input field in your form called Asirra_Ticket. The value of this field will be a special string that your form processor can use to verify that the client has actually passed the challenge.
When your processor receives form data, pass the contents of the Asirra_Ticket field to the following URL (replace FORMDATA with the value of Asirra_Ticket):
http://challenge.asirra.com/cgi/Asirra?action=ValidateTicket&ticket=FORMDATA
The result will be a bit of XML that either indicates the ticket is valid:
<AsirraValidation>
<Result>Pass</Result>
<Debug></Debug>
</AsirraValidation>
...or that it isn't:
<AsirraValidation>
<Result>Fail</Result>
<Debug>exceptions.Exception: invalid ticket format</Debug>
</AsirraValidation>
Note that a ticket can only be redeemed once. Any subsequent attempt to validate the same ticket will result in failure.
Here is the code I am using for the register.php page (the exampleservice.php code is below this register.php code)
<html>
<title>Sound Method Signup Page</title>
<head>
<script type="text/javascript">
function HumanCheckComplete(isHuman)
{
if (isHuman)
{
formElt = document.getElementById("mainForm");
formElt.submit();
}
else
{
alert("Please correctly identify the cats.");
return false;
}
}
</script>
</head>
<body>
<h3>
Hey humans, sign up today for an account with Sound Method Marketing LLC!
</h3>
</body>
</html>
<?
/**
Register.php
Displays the registration form if the user needs to sign-up,
or lets the user know, if he's already logged in, that he
can't register another name.
Written by: Jpmaster77 a.k.a. The Grandmaster of C++ (GMC)
Last Updated: August 19, 2004
*/
include("include/session.php");
?>
<html>
<title>Registration Page</title>
<body>
<?
/**
The user is already logged in, not allowed to register.
*/
if($session->logged_in){
echo "<h1>Registered</h1>";
echo "<p>We're sorry <b>$session->username</b>, but you've already registered. "
."<a href=\"main.php\">Main</a>.</p>";
}
/**
The user has submitted the registration form and the
results have been processed.
*/
else if(isset($_SESSION['regsuccess'])){
/* Registration was successful */
if($_SESSION['regsuccess']){
echo "<h1>Registered!</h1>";
echo "<p>Thank you <b>".$_SESSION['reguname']."</b>, your information has been added to the database, "
."you may now <a href=\"main.php\">log in</a>.</p>";
}
/* Registration failed */
else{
echo "<h1>Registration Failed</h1>";
echo "<p>We're sorry, but an error has occurred and your registration for the username <b>".$_SESSION['reguname']."</b>, "
."could not be completed.<br>Please try again at a later time.</p>";
}
unset($_SESSION['regsuccess']);
unset($_SESSION['reguname']);
}
/**
The user has not filled out the registration form yet.
Below is the page with the sign-up form, the names
of the input fields are important and should not
be changed.
*/
else{
?>
<h1>Register</h1>
<?
if($form->num_errors > 0){
echo "<td><font size=\"2\" color=\"#ff0000\">".$form->num_errors." error(s) found</font></td>";
}
?>
<form action="process.php" method="POST">
<table align="left" border="0" cellspacing="0" cellpadding="3">
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30" value="<? echo $form->value("user"); ?>"></td><td><? echo $form->error("user"); ?></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30" value="<? echo $form->value("pass"); ?>"></td><td><? echo $form->error("pass"); ?></td></tr>
<tr><td>Email:</td><td><input type="text" name="email" maxlength="50" value="<? echo $form->value("email"); ?>"></td><td><? echo $form->error("email"); ?></td></tr>
<tr><td colspan="2" align="right">
<input type="hidden" name="subjoin" value="1">
<br><input type="Submit" value="Join!" onClick="javascript:Asirra_CheckIfHuman(HumanCheckComplete)"></td></tr>
<tr><td colspan="2" align="left"><a href="main.php">Back to Main</a></td></tr>
</table>
</form>
<form action="ExampleService-PHP.php" method="get" id="mainForm">
<br><script type="text/javascript" src="//challenge.asirra.com/js/AsirraClientSide.js"></script>
<script type="text/javascript">
// You can control where the big version of the photos appear by
// changing this to top, bottom, left, or right
asirraState.SetEnlargedPosition("bottom");
// You can control the aspect ratio of the box by changing this constant
asirraState.SetCellsPerRow(4);
</script>
<br>
</form>
<?
}
?>
</body>
</html>
Here is the exampleservice-php.php code
<html>
<head>
<title>
You have been registered
</title>
</head>
<body>
<?php
$inResult = 0;
$passed = 0;
function startElement($parser, $name, $attrs)
{
global $inResult;
$inResult = ($name=="RESULT");
}
function endElement($parser, $name)
{
global $inResult;
$inResult = 0;
}
function characterData($parser, $data)
{
global $inResult;
global $passed;
if ($inResult && $data == "Pass")
{
$passed = 1;
}
}
function ValidateAsirraChallenge()
{
global $passed;
$AsirraServiceUrl = "http://challenge.asirra.com/cgi/Asirra";
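// The ticket comes from the client: treat a missing one as empty and URL-encode it.
$ticket = isset($_GET['Asirra_Ticket']) ? $_GET['Asirra_Ticket'] : "";
$url = $AsirraServiceUrl."?action=ValidateTicket&ticket=".urlencode($ticket);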
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
$resultXml = curl_exec($ch);
curl_close($ch);
$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "startElement", "endElement");
xml_set_character_data_handler($xml_parser, "characterData");
xml_parse($xml_parser, $resultXml, 1);
xml_parser_free($xml_parser);
if (!$passed)
{
die("Asirra validation failed!");
}
}
function main()
{
ValidateAsirraChallenge();
echo "<p>Welcome, new user ".htmlspecialchars($_GET['UserName'])."! You are a human!";
echo "And your favorite color is ".htmlspecialchars($_GET['FavoriteColor']).".";
echo "<p>Thank you <b>".htmlspecialchars($_SESSION['reguname'])."</b>, your information has been added to the database, "
."you may now <a href=\"main.php\">log in</a>.</p>";
}
main();
?>
</body>
</html>
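The server-side check that Step 4 of the quoted instructions describes, as an added example that is not part of the original post or Asirra's sample code. The function names are hypothetical; the endpoint and the two sample responses are the ones quoted above, and the other inputs are constructed.

```php
<?php
// Added example: helper names are hypothetical, not part of Asirra or the login script.

// Returns true only when the validation XML is <AsirraValidation> with
// <Result>Pass</Result>. Fail, an empty body or malformed XML all count as failure.
function asirra_result_passed($xml)
{
    if (!is_string($xml) || $xml === '') {
        return false;
    }
    $prev = libxml_use_internal_errors(true);   // keep parser warnings out of the page
    $doc = simplexml_load_string($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false || $doc->getName() !== 'AsirraValidation') {
        return false;
    }
    return trim((string) $doc->Result) === 'Pass';
}

// Redeems the ticket at the URL given in the Asirra instructions.
function asirra_ticket_is_valid($ticket)
{
    if (!is_string($ticket) || $ticket === '') {
        return false;                            // no ticket posted: JavaScript was skipped
    }
    $url = 'http://challenge.asirra.com/cgi/Asirra?action=ValidateTicket&ticket='
         . urlencode($ticket);
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $body = curl_exec($ch);                      // false on network error
    curl_close($ch);
    return asirra_result_passed($body);          // a failed request is a failed check
}

// Offline run over the two responses quoted in the instructions,
// followed by constructed bad inputs (empty body, wrong root element).
$pass = '<AsirraValidation><Result>Pass</Result><Debug></Debug></AsirraValidation>';
$fail = '<AsirraValidation><Result>Fail</Result>'
      . '<Debug>exceptions.Exception: invalid ticket format</Debug></AsirraValidation>';
var_dump(asirra_result_passed($pass));
var_dump(asirra_result_passed($fail));
var_dump(asirra_result_passed(''));
var_dump(asirra_result_passed('<Result>Pass</Result>'));
```

Call `asirra_ticket_is_valid()` on the posted `Asirra_Ticket` value in the form processor before the account is created. For that value to arrive, the Asirra script has to sit inside the same form as the username fields.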