captcha stopped working.

ugurpc

Hi, i have a form with a captcha

it was working till next week for months.
But now it stopped working.

this same form still works well in one server.
But stopped working in another server and after submit the form it says Invalid Captcha String. even we enter the captcha code correctly.

I use captcha codes from that link

I looked phpinfo at both servers gd and free type libraries are enabled.

I dont know what else can i check.

any comments please ?

ugurpc

i give below the code of processor.php where it is related with this captcha error :

proccessor.php :

<?php
$where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
session_start();
if( ($_SESSION['security_code']==$_POST['security_code']) && (!empty($_POST['security_code'])) ) { 
// File upload handling
if($_FILES['field_4']['name']!=''){
$field_4_filename = "file_4_".date("sihdmY").substr($_FILES['field_4']['name'],strlen($_FILES['field_4']['name'])-4);
if(!move_uploaded_file($_FILES['field_4']['tmp_name'], "./../archive/".$field_4_filename)){
die("File " .  $_FILES['field_4']['name'] . " was not uploaded.");
}
}

include("config.inc.php");
$link = mysql_connect($db_host,$db_user,$db_pass);
if(!$link) die ('Could not connect to database: '.mysql_error());
mysql_select_db($db_name,$link);
$query = "INSERT into `".$db_table."` (field_1,field_2,field_3,field_4) VALUES ('" . $_POST['field_1'] . "','" . $_POST['field_2'] . "','" . $_POST['field_3'] . "','".$where_form_is."../archive/".$field_4_filename."')";
mysql_query($query);
mysql_close($link);

mail(" THERE ARE SOME CODES HERE")

include("confirm.html");
}
else {
echo "Invalid Captcha String.";
}

?>

i am thinking the problem is about something with how the host handles sessions.
BECAUSE these codes work in a server but it stopped to working in another server.

can anybody help ?

dagon

echo the session var, see it its set.

djjjozsi

another server may has different settings. The temporary folder is writable?

However captcha is useful your insert codes vulnerable from SQL attacks!

ugurpc

i think the other server that doesnt work now (worked for months till next week..) made some changes thats why now it doesnt work. i think that.

you say that captcha is vulnerable for sql attacts, then what do you offer instead of captcha ?

Weedpacket

ugurpc wrote:
you say that captcha is vulnerable for sql attacts, then what do you offer instead of captcha ?

What djjjozsi means is that even with captcha your code is still vulnerable. (You embed user-supplied data directly into SQL statements without sanitising it first. PHP's description of the [font=monospace]query[/font] parameter on its [man]mysql_query[/man] page warns about this.)