If conditional being ignored?!?!?

[jc0351]

Hello everybody,

I have been working on a commenting script w/ a simple CAPTCHA from this website: http://www.zubrag.com/scripts/antispam- ... erator.php

My website, I'm just a hobbyist that enjoys the technical challenge, is http://www.bigwhitefish.com/

(Both the blog and individual photos will allow you to comment if you want to test it. I've left the alert code in there for now so you can see what I'm talking about in the rest of this inquiry. Please keep reading.)

It's great as it's a small script and it works wonderfully for me.... The problem is that on the two other computers I've tested it on, it has not worked. The script creates a random 6 digit number then uses some imagecreate functions to create the CAPTCHA image. After that it assigns the same 6 digit code to the

Code: Select all

$_SESSION['AntiSpamImage']

variable. When the user submits the form it is supposed to send via

Code: Select all

$_POST

all the information to add_comment.php where is checks the

Code: Select all

$_SESSION['AntiSpamImage']

code against the user supplied code

Code: Select all

$_POST['anti_spam_code']

(a standard text input name=anti_spam_code).

What seems to be happening is that the very first conditional session['AntiSpamImage'] != post['anti_spam_code'] is ignored and the session variable is randomized before the users input and the original value of session['AntiSpamImage'] can be compared. This results in the alert window that pops up and tells you both the user input and the session variable. On their computers it shows the user input as what they entered, but the session variable has already been randomized (you can tell because AFTER the fail or success of the conditional it assigns the session variable a 7 digit random number instead of the 6 that the script works off of.)

I have none of these issues. It works flawlessly for me so I have no idea where to start trying to fix it... Any insight into this would be greatly appreciated. I'm gonna keep trying on my own as well, but I gotta say that I am stumped! Bah the love and hate of web design. I will also post all of the three files that interact to make this happen if you are willing to help. Pretty please

Code: Select all

if ($_SESSION['AntiSpamImage'] != $_POST['anti_spam_code']) {
   
    // set antispam string to something random, in order to avoid reusing it once again

    echo "<script>alert('Incorrect answer. User input: " . $_POST['anti_spam_code'] .
         " Answer: " . $_SESSION['AntiSpamImage'] . "')</script>";
   
    $_SESSION['AntiSpamImage'] = rand(1,9999999);

    // here you add code to let user know incorrect code entered

    echo "<script>history.go(-1)</script>";
   
} else {
   
    // set antispam string to something random, in order to avoid reusing it once again

    $_SESSION['AntiSpamImage'] = rand(1,9999999);

    // everything is fine, proceed with processing feedback/comment/etc.   


[jc0351]

Ok, so I've tried a few different things and had some odd results. For these tests the computers and software are as follows:

My computer: Intel based MacBook Pro running OS X 10.6.8 - Safari 5.1.7 - FireFox 15.0.1

My sister's computer: Intel based MacBook Pro running OS X 10.8.1 - Safari 6.0 - FireFox 14.0.1

For my computer I can post comments like I should be able to in both Safari and Firefox (I don't have IE to test my sites on so I'm sure they will explode if viewed with IE). When I do NOT enter the CAPTCHA code the pop up tells me the correct answer which is the same as the image that is display in the form - everything works.

On my sister's computer in Safari if you type in the comment and the code the pop up tells you the code you typed in which is the same as the image in the form, but the correct answer that it displays is a completely different 7 digit number (this should occur AFTER the pop up window so I have no idea how its getting the new value to display). If you submit the form WITHOUT the CAPTCHA the pop up displays another random 7 digit number as the correct answer - not the 6 digit number that is displayed in the image on the form.

On my sister's computer in FireFox when you enter the comment and the CAPTCHA code the pop up gives you the user input as exactly what you typed in and exactly whats in the image in the form and the supposed correct answer as another random 7 digit number. For example I just tried to submit a comment with this user input: 382959 which was what was displayed in the image. The pop up reflected my input but said the correct answer was: 1460555. When I run FireFox on her comp and submit a comment WITHOUT entering the CAPTCHA code the popup again tells me that my input does not match a new random 7 digit number.

So, I guess I have a few things that are confusing me.

1) Why isn't the conditional working?
The $_SESSION variable is being set at least at the point after the conditional fails. The session variable is how the pop up gets the "correct answer" content. This means that the session variable is holding information. I can also do this on either computer with the exact same results logged in or logged out and almost all of my pages have the session_start in them and yes the affected scripts have been checked and re-checked. I don't understand how the conditional fails because the code that is sent to the session variable initially stored and not touched until the conditional runs - there isn't another step...

2) Is the $_SESSION variable having issues?
The only other thing I can think of is that the session variable isn't holding the initial input given to it by the antispam.php script that I will post at the end of these questions. If this is the case I still do not understand why it works flawlessly on my computer and the above problems happen on my sisters computer. Is there anyway to investigate this further or ? I am stumped.

Here is the antispam.php code from the website I link in the first post:

Code: Select all

<?php
###############################################################
# Anti-spam Image Generator (CAPTCHA) 1.0
###############################################################
# For updates visit http://www.zubrag.com/scripts/
###############################################################

// Font name to use. Make sure it is available on the server.
// You could upload it to the same folder with script if it cannot find font.
// By default it uses arial.ttf font.
$font = 'Espar_Arial_Classic.ttf';

// list possible characters to include on the CAPTCHA
$charset = '0123456789';

// how many characters include in the CAPTCHA
$code_length = 6;

// antispam image height
$height = 20;

// antispam image width
$width = 80;

############################################################
#  END OF SETTINGS
############################################################

// this will start session if not started yet
@session_start();

$code = '';
for($i=0; $i < $code_length; $i++) {
  $code = $code . substr($charset, mt_rand(0, strlen($charset) - 1), 1);
}

$font_size = $height * 0.7;
$image = @imagecreate($width, $height);
$background_color = @imagecolorallocate($image, 255, 255, 255);
$noise_color = @imagecolorallocate($image, 161, 137, 99);

/* add image noise */
for($i=0; $i < ($width * $height) / 4; $i++) {
  @imageellipse($image, mt_rand(0,$width), mt_rand(0,$height), 1, 1, $noise_color);
}
/* render text */
$text_color = @imagecolorallocate($image, 161, 137, 99);
@imagettftext($image, $font_size, 0, 7,17,
              $text_color, $font , $code)
  or die('Cannot render TTF text.');

/* output image to the browser */
header('Content-Type: image/png');
@imagepng($image) or die('imagepng error!');
@imagedestroy($image);
$_SESSION['AntiSpamImage'] = $code;
exit();
?>


-EDIT-

And here is my form code:

Code: Select all

$comment_form = '<div class="comment" style="margin-top:20px;">
                  <form id="comment_form" action="add_comment.php" method="post">
                  <fieldset>
                  <legend>Add Comment</legend>
                  <table style="width:100%;">
                  <tr>
                  <td valign="top">
                  <textarea name="cbody" rows="10" cols="38"></textarea>
                  </td>
                  <td valign="top" style="width:90px;">
                  <strong>
                  <input type="text" name="poster_name" size="13" maxlength="50" value="name(optional)" />
                  <br />
                  <input type="text" size="13" maxlength="80" name="email" value="email(optional)" />
                  <br />
                  <img src="http://www.bigwhitefish.com/antispam.php">
                  <br />
                  <input name="anti_spam_code" type="text" size="13" value="Enter Code!" />
                  </strong>
                  <br />
                  <br />
                  <center>
                  <input type="image" name="submit" src="images/comment-add.png" width="30" alt="Add" />
                  </center>
                  </td>
                  </tr>
                  </table>
                  <input type="hidden" name="imgid" value="' . $image_id . '" />
                  <input type="hidden" name="mode" value="img_comm" />
                  <input type="hidden" name="submitted" value="true" />
                  </fieldset>
                  </form>
                  </div>
                  <div style="text-align:left; width:66%; clear:both; color:#CCC;">
                  <b>All Comments:</b>
                  <hr style="border:1px solid #CCC;" />
                  </div>
                  </center>';


This is for the image comment form, but the blog comment form is identical except with appropriate variable name changes - which have all been checked...

Any thoughts?