Home > Backend Development > PHP Tutorial > How to deal with the verification code being bypassed_PHP tutorial

How to deal with the verification code being bypassed_PHP tutorial

WBOY
Release: 2016-07-13 10:53:59
Original
1617 people have browsed it

Let’s first analyze the process of issuing verification codes
1. Display form
2. Display the verification code (use a program to generate the verification code), encrypt the verification code and put it into session or cookie
3. User submits the form
4. Check that the verification code is correct and the data is legal. The tutorial on writing to the database is completed

If the user posts another one, under normal circumstances, he will visit the form page again, the verification code image will be passively updated, and the session and cookie will also change accordingly
However, the operation of the water filling machine does not necessarily require the use of a form page. It can directly simulate a post to send data to the server program; in this way, the verification code program is not called. Of course, the encrypted verification code stored in the session and cookie is the last value, so there is no Update, so that data can be sent directly through post unlimited times in the future, regardless of the verification code, which is useless!

So, after checking the verification code, first clear the session and cookie values, then make a judgment on the validity of the data, and then store it in the database!
In this way, a loophole has been closed!

if ( md5($_post['vcode']) == $_session['vcode'] ) {
$_session['vcode']='';//This sentence is very important
} else {
exit 'The verification code is incorrect! ';
}
//Next processing
......
?>

A program to generate verification code images

session_start();
......
$v = new authcode();
$vcode = $v->getauthcode();
$_session['vcode'] = md5($vcode );
........
?>

Form page


......
Please refresh the page if you cannot see clearly


How the verification code is bypassed

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/632363.htmlTechArticleLet’s first analyze the verification code release process 1, display form 2, and display the verification code (bar Program to generate verification code), encrypt the verification code and put it into session or cookie 3,...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template