Captchas and <img>

Jon Slaughter

I have a captcha system going and for some reason when I use

<?php

$s = "";
for($i = 0; $i < 10; $i++) { $s = $s.rand(0,9); }
$_SESSION['CaptchaValue'] = $s;
$fn = '/Login/Register/Captcha.php';
echo '<img src="'.$fn.'" alt="Captcha" />';
?>

and Captcha.php uses require_once or include to include some classes that I
use to generate the captcha then it fails(usually get alt showed). But when
I include the classes directly inside the file it works ;/

This is very strange behavior? It really shouldn't matter if I do that,
right? And it is also a security issue because then if they can read the php
I they can get how I generate them.

What I can I do?

captcha.php

<?php

// Captcha classes inserted here but removed for brevity

header("Content-type: image/png");
session_start();
$f = $_SERVER['DOCUMENT_ROOT'].'/Login/Register/';
//require_once($f.'Captcha.php');

$c = new Captcha();

$c->Fonts->Add($f."1.TTF", 0.23, 15, 2, 5, 0, 10, 20);
$c->Fonts->Add($f."2.TTF", 0.5, 15, 2, 5, 0, 10, 20);
$c->Fonts->Add($f."3.TTF", 0.27, 18, 2, 5, 0, 10, 20);
$c->Fonts->Add($f."4.TTF", 0.27, 18, 2, 5, 0, 10, 20);

$s = $_SESSION['CaptchaValue'];
$img = $c->Create($s);

imagepng($img);
imagedestroy($img);

?>

Now I know the require is working or atleast when I debug I can step through
the classes so I'm sure its including it but it acts almost as if I'm not
including it(except I don't get any errors about it).

What ends up happening is either I get the alt showed or I get something
where its like the image is missing(but you get the border for with the X
icon).

Any ideas?

Thanks,
Jon

Jun 8 '07 #1

purcaholic

On 8 Jun., 23:57, "Jon Slaughter" <Jon_Slaugh...@Hotmail.comwrote:

I have a captcha system going and for some reason when I use

<?php

$s = "";
for($i = 0; $i < 10; $i++) { $s = $s.rand(0,9); }
$_SESSION['CaptchaValue'] = $s;
$fn = '/Login/Register/Captcha.php';
echo '<img src="'.$fn.'" alt="Captcha" />';
?>

and Captcha.php uses require_once or include to include some classes that I
use to generate the captcha then it fails(usually get alt showed). But when
I include the classes directly inside the file it works ;/

Needed classes or other files must be included inside Catpcha.php.
First, the client will get an output including 10 html image tags.
After then, the client sends new requests, to get and display the
images. Therefore you must include them inside Captcha.php

This is very strange behavior? It really shouldn't matter if I do that,
right? And it is also a security issue because then if they can read the php
I they can get how I generate them.

Normally it's not possible to "read" PHP files. PHP code will
outputted by the Webserver if you use show_code() or if the Webserver
doesn't know what to to with files having .php format.
An approved way is to source out included files like classes, helper,
etc. outside the web directory. Then, nobody can require these files
directy by using a request.

What I can I do?

captcha.php

<?php

// Captcha classes inserted here but removed for brevity

header("Content-type: image/png");
session_start();

$f = $_SERVER['DOCUMENT_ROOT'].'/Login/Register/';
//require_once($f.'Captcha.php');

$c = new Captcha();

$c->Fonts->Add($f."1.TTF", 0.23, 15, 2, 5, 0, 10, 20);
$c->Fonts->Add($f."2.TTF", 0.5, 15, 2, 5, 0, 10, 20);
$c->Fonts->Add($f."3.TTF", 0.27, 18, 2, 5, 0, 10, 20);
$c->Fonts->Add($f."4.TTF", 0.27, 18, 2, 5, 0, 10, 20);

$s = $_SESSION['CaptchaValue'];
$img = $c->Create($s);

imagepng($img);
imagedestroy($img);

?>

Now I know the require is working or atleast when I debug I can step through
the classes so I'm sure its including it but it acts almost as if I'm not
including it(except I don't get any errors about it).

What ends up happening is either I get the alt showed or I get something
where its like the image is missing(but you get the border for with the X
icon).

Any ideas?

Thanks,
Jon

purcaholic

Jun 9 '07 #2

Jon Slaughter

"purcaholic" <pu********@googlemail.comwrote in message
news:11**********************@p77g2000hsh.googlegr oups.com...

On 8 Jun., 23:57, "Jon Slaughter" <Jon_Slaugh...@Hotmail.comwrote:

>I have a captcha system going and for some reason when I use

<?php

$s = "";
for($i = 0; $i < 10; $i++) { $s = $s.rand(0,9); }
$_SESSION['CaptchaValue'] = $s;
$fn = '/Login/Register/Captcha.php';
echo '<img src="'.$fn.'" alt="Captcha" />';
?>

and Captcha.php uses require_once or include to include some classes that
I
use to generate the captcha then it fails(usually get alt showed). But
when
I include the classes directly inside the file it works ;/

Needed classes or other files must be included inside Catpcha.php.
First, the client will get an output including 10 html image tags.
After then, the client sends new requests, to get and display the
images. Therefore you must include them inside Captcha.php

huh? But require/include should do this? I shouldn't have to manually copy
the classes into the php directly but should be able to use require/include
in any php to include data? The client has nothing to do with this as it
doesn't see php.

>This is very strange behavior? It really shouldn't matter if I do that,
right? And it is also a security issue because then if they can read the
php
I they can get how I generate them.

Normally it's not possible to "read" PHP files. PHP code will
outputted by the Webserver if you use show_code() or if the Webserver
doesn't know what to to with files having .php format.
An approved way is to source out included files like classes, helper,
etc. outside the web directory. Then, nobody can require these files
directy by using a request.

Yes, but what I'm worrieda bout is security. Same reason not to include
password in php files. But as you said... an "approved way" is to source out
include files... yet I cannot do this because when I use require_once it
then doesn't work..

I don't think you fully understand the issue.

Say I have the captcha.php used for the image
//------------------- CASE 1

// class.php
<?php
class CaptchaMods()
{
function modifyimage($img)
{
//.........
}
}
?>

// some php file
<?php

header("content-type: image/png");

//*****************
require_once('class.php);

$c = new CaptchaMods();
$img = imagecreate(100,100);
$img = $c->modifyimage($img);
imagepng($img);
imagedestroy($img);
?>php

The above doesn't work, but this does
//------------------- CASE 2

// some php file
<?php

header("content-type: image/png");

//*****************
class CaptchaMods()
{
function modifyimage($img)
{
//.........
}
}

$c = new CaptchaMods();
$img = imagecreate(100,100);
$img = $c->modifyimage($img);
imagepng($img);
imagedestroy($img);
?>php
--------------

In CASE 2 all I did was copy and paste the class where the require was...
and now it works(well, this is just test code that might not work but is the
idea). This is essentially what require is suppose to do anyways? Only thing
I can think of is that require isn't working but when debugging I was able
to step through the class. Maybe for some reason its not so I'll have to
play around with it to see.
Thanks,
Jon

Jun 9 '07 #3

purcaholic

On 9 Jun., 14:12, "Jon Slaughter" <Jon_Slaugh...@Hotmail.comwrote:

"purcaholic" <purcaho...@googlemail.comwrote in message

news:11**********************@p77g2000hsh.googlegr oups.com...

On 8 Jun., 23:57, "Jon Slaughter" <Jon_Slaugh...@Hotmail.comwrote:

I have a captcha system going and for some reason when I use

<?php

$s = "";
for($i = 0; $i < 10; $i++) { $s = $s.rand(0,9); }
$_SESSION['CaptchaValue'] = $s;
$fn = '/Login/Register/Captcha.php';
echo '<img src="'.$fn.'" alt="Captcha" />';
?>

and Captcha.php uses require_once or include to include some classes that
I
use to generate the captcha then it fails(usually get alt showed). But
when
I include the classes directly inside the file it works ;/

Needed classes or other files must be included inside Catpcha.php.
First, the client will get an output including 10 html image tags.
After then, the client sends new requests, to get and display the
images. Therefore you must include them inside Captcha.php

huh? But require/include should do this? I shouldn't have to manually copy
the classes into the php directly but should be able to use require/include
in any php to include data? The client has nothing to do with this as it
doesn't see php.

This is very strange behavior? It really shouldn't matter if I do that,
right? And it is also a security issue because then if they can read the
php
I they can get how I generate them.

Normally it's not possible to "read" PHP files. PHP code will
outputted by the Webserver if you use show_code() or if the Webserver
doesn't know what to to with files having .php format.
An approved way is to source out included files like classes, helper,
etc. outside the web directory. Then, nobody can require these files
directy by using a request.

Yes, but what I'm worrieda bout is security. Same reason not to include
password in php files. But as you said... an "approved way" is to source out
include files... yet I cannot do this because when I use require_once it
then doesn't work..

I don't think you fully understand the issue.

Say I have the captcha.php used for the image

//------------------- CASE 1

// class.php
<?php
class CaptchaMods()
{
function modifyimage($img)
{
//.........
}}

?>

// some php file
<?php

header("content-type: image/png");

//*****************
require_once('class.php);

$c = new CaptchaMods();
$img = imagecreate(100,100);
$img = $c->modifyimage($img);
imagepng($img);
imagedestroy($img);
?>php

The above doesn't work, but this does

//------------------- CASE 2

// some php file
<?php

header("content-type: image/png");

//*****************
class CaptchaMods()
{
function modifyimage($img)
{
//.........
}

}

$c = new CaptchaMods();
$img = imagecreate(100,100);
$img = $c->modifyimage($img);
imagepng($img);
imagedestroy($img);
?>php

--------------

In CASE 2 all I did was copy and paste the class where the require was...
and now it works(well, this is just test code that might not work but is the
idea). This is essentially what require is suppose to do anyways? Only thing
I can think of is that require isn't working but when debugging I was able
to step through the class. Maybe for some reason its not so I'll have to
play around with it to see.

Thanks,
Jon- Zitierten Text ausblenden -

- Zitierten Text anzeigen -

Either the include path, where youre class besides, isn't in php
include_path setting, or included file has an white space, which will
be also send to the client. Check your'e captcha class for white space
characters before "<?php" or after ">?".

You wrote, that you could step to the class while debugging, therefore
i suppose an additional send character after header("content-type:
image/png"); causes the issue.
purcaholic

Jun 9 '07 #4

Jon Slaughter

"purcaholic" <pu********@googlemail.comwrote in message
news:11*********************@p47g2000hsd.googlegro ups.com...

On 9 Jun., 14:12, "Jon Slaughter" <Jon_Slaugh...@Hotmail.comwrote:

>"purcaholic" <purcaho...@googlemail.comwrote in message

news:11**********************@p77g2000hsh.googleg roups.com...

On 8 Jun., 23:57, "Jon Slaughter" <Jon_Slaugh...@Hotmail.comwrote:
I have a captcha system going and for some reason when I use

><?php

>$s = "";
for($i = 0; $i < 10; $i++) { $s = $s.rand(0,9); }
$_SESSION['CaptchaValue'] = $s;
$fn = '/Login/Register/Captcha.php';
echo '<img src="'.$fn.'" alt="Captcha" />';
?>

>and Captcha.php uses require_once or include to include some classes
that
I
use to generate the captcha then it fails(usually get alt showed).
But
when
I include the classes directly inside the file it works ;/
Needed classes or other files must be included inside Catpcha.php.
First, the client will get an output including 10 html image tags.
After then, the client sends new requests, to get and display the
images. Therefore you must include them inside Captcha.php

huh? But require/include should do this? I shouldn't have to manually
copy
the classes into the php directly but should be able to use
require/include
in any php to include data? The client has nothing to do with this as it
doesn't see php.

>This is very strange behavior? It really shouldn't matter if I do
that,
right? And it is also a security issue because then if they can read
the
php
I they can get how I generate them.
Normally it's not possible to "read" PHP files. PHP code will
outputted by the Webserver if you use show_code() or if the Webserver
doesn't know what to to with files having .php format.
An approved way is to source out included files like classes, helper,
etc. outside the web directory. Then, nobody can require these files
directy by using a request.

Yes, but what I'm worrieda bout is security. Same reason not to include
password in php files. But as you said... an "approved way" is to source
out
include files... yet I cannot do this because when I use require_once it
then doesn't work..

I don't think you fully understand the issue.

Say I have the captcha.php used for the image

//------------------- CASE 1

// class.php
<?php
class CaptchaMods()
{
function modifyimage($img)
{
//.........
}}

?>

// some php file
<?php

header("content-type: image/png");

//*****************
require_once('class.php);

$c = new CaptchaMods();
$img = imagecreate(100,100);
$img = $c->modifyimage($img);
imagepng($img);
imagedestroy($img);
?>php

The above doesn't work, but this does

//------------------- CASE 2

// some php file
<?php

header("content-type: image/png");

//*****************
class CaptchaMods()
{
function modifyimage($img)
{
//.........
}

}

$c = new CaptchaMods();
$img = imagecreate(100,100);
$img = $c->modifyimage($img);
imagepng($img);
imagedestroy($img);
?>php

--------------

In CASE 2 all I did was copy and paste the class where the require was...
and now it works(well, this is just test code that might not work but is
the
idea). This is essentially what require is suppose to do anyways? Only
thing
I can think of is that require isn't working but when debugging I was
able
to step through the class. Maybe for some reason its not so I'll have to
play around with it to see.

Thanks,
Jon- Zitierten Text ausblenden -

- Zitierten Text anzeigen -

Either the include path, where youre class besides, isn't in php
include_path setting, or included file has an white space, which will
be also send to the client. Check your'e captcha class for white space
characters before "<?php" or after ">?".

You wrote, that you could step to the class while debugging, therefore
i suppose an additional send character after header("content-type:
image/png"); causes the issue.

Seems to be working now. I just copyed the file and removes the non class
code in one and the class code in the other and then added the require. You
might have been right about the extra spaces... maybe before or after the
php code. I didn't think about that but thats probably the case cause it was
saying the image was invalid(atleast in firefox) so chances are some spaces
were getting inserted.

Thanks,
Jon

Jun 9 '07 #5