13
Mamba and barryc,
Have you checked what happens when a user fails to complete the captcha phrase on a form? As far as I can tell xForms will send the form regardless of the captcha element. See this thread for more discussion.
Rob
Have you checked what happens when a user fails to complete the captcha phrase on a form? As far as I can tell xForms will send the form regardless of the captcha element. See this thread for more discussion.
Rob
14
Thanks. That's a different version of xForms than the one I found searching this forum. Perhaps I'm going blind but I still can't find any code to authenticate the captcha element. All I see is the element included on the form.
15
Depends on your platform but I use the Firebug add-on to Firefox to trace stylesheet issues. HTH.
16
Thanks for the tip regards xForms. I've been away from XOOPS for a long time so simply went with what I've used before. I just downloaded xForms from here and installed it on my test site. Captcha is displayed on the form alright but there is no code in form_execute.php to check whether the key entered is correct. The form succeeds regardless of the captcha element. The code in form_render.php is close to what I came up with.
I don't speak German so perhaps the link was a development version. I couldn't find xForms in the module repository.
licence.txt points tohttp://www.dylian.melgert.net/ but I can't find a copy of xForms there either. Again that could be my lack of language skills.
I prefer main trunk modules in active development to (potentially) version specific clones. Only exception is where the necessary hacks are significant.
I don't speak German so perhaps the link was a development version. I couldn't find xForms in the module repository.
licence.txt points tohttp://www.dylian.melgert.net/ but I can't find a copy of xForms there either. Again that could be my lack of language skills.
I prefer main trunk modules in active development to (potentially) version specific clones. Only exception is where the necessary hacks are significant.
18
Xoops Version: 2.4.1
Liaise Version: 1.5
Only tested with the above versions.
Captcha is built into XOOPS 2.4.1 so only two small changes required in Liaise form handlers. I've set it up so that only anonymous users will be prompted for the captcha security code. Logged in users will not see it.
Future development: Enable per-form disabling of the captcha security code. For now it appears on all forms for anonymous users.
One known bug: Errors on the form including captcha errors are handled properly and redirected back to the form for correction. The captcha security code must be re-entered even though the captcha code may have been correct and still appears to match.
All comments welcome.
Rob
modules/liaise/include/form_render.php following line 57
modules/liaise/include/form_execute.php following line 58
Liaise Version: 1.5
Only tested with the above versions.
Captcha is built into XOOPS 2.4.1 so only two small changes required in Liaise form handlers. I've set it up so that only anonymous users will be prompted for the captcha security code. Logged in users will not see it.
Future development: Enable per-form disabling of the captcha security code. For now it appears on all forms for anonymous users.
One known bug: Errors on the form including captcha errors are handled properly and redirected back to the form for correction. The captcha security code must be re-entered even though the captcha code may have been correct and still appears to match.
All comments welcome.
Rob
modules/liaise/include/form_render.php following line 57
$form_output->addElement(new XoopsFormHidden('form_id', $form->getVar('form_id')));
# Captcha Security Hack by Rob Stockley ------------------------------------
xoops_load("XoopsFormCaptcha");
if( !is_object($GLOBALS['xoopsUser'])) {
$form_output->addElement(new XoopsFormCaptcha(), true);
}
# Captcha Security Hack by Rob Stockley ------------------------------------
$form_output->addElement(new XoopsFormButton('', 'submit', $form->getVar('form_submit_text'), 'submit'));
modules/liaise/include/form_execute.php following line 58
if( isset($_POST['xoops_upload_file']) && is_array($_POST['xoops_upload_file']) ){
foreach( $_POST['xoops_upload_file'] as $k => $v ){
$n = explode("_", $v);
$ele[$n[1]] = $v;
}
}
# Captcha Security Hack by Rob Stockley ------------------------------------
xoops_load("captcha");
$xoopsCaptcha = XoopsCaptcha::getInstance();
if (!$xoopsCaptcha->verify()) {
$err[] = $xoopsCaptcha->getMessage();
}
# Captcha Security Hack by Rob Stockley ------------------------------------
foreach( $elements as $i ){
$ele_id = $i->getVar('ele_id');
$ele_type = $i->getVar('ele_type');
19
Finally got around to doing something about this on my site. I decided that it was not worth coding this but rather simply describing the process.
I untarred the latest site backup on my laptop, openned a console and changed to the root folder of the website. I then issued the following command.
All the files containing a reference to register.php are listed along the left margin (highlighted in green) together with the context.
Next I renamed the backup copy of register.php to something unintelligible such as wqropihshbgas.php. I then used a plain editor to update the change in the backups of the files identified above.
I also pasted the output of grep into a plain text file and stored that in the folder below the webroot. That way I have a backup copy of the changes I've made.
Lastly I uploaded the updated files overwriting the originals and deleted the old register.php.
It worked a treat and now protector is reporting zero spam attempts on register.php.
Pretty basic but I hope this helps someone.
Rob
I untarred the latest site backup on my laptop, openned a console and changed to the root folder of the website. I then issued the following command.
rob@mowglilaptop:~/public_html$ [color=ff0000]grep -r register.php *[/color]
[color=00ff00]include/registerform.php:[/color]$reg_form = new XoopsThemeForm(_US_USERREG, "userinfo", "register.php", "post", true);
[color=00ff00]language/english/user.php:[/color]define('_US_NOTREGISTERED','Not registered? Click <a href="register.php">here</a>.');
[color=00ff00]language/english/user.php:[/color]//%%%%%% File Name register.php %%%%%
[color=00ff00]modules/system/templates/blocks/system_block_login.html:[/color]<a href="<{$xoops_url}>/register.php"><{$block.lang_registernow}></a>
[color=00ff00]pmlite.php:[/color] echo _PM_SORRY."<br /><br /><a href='".XOOPS_URL."/register.php'>"._PM_REGISTERNOW."</a>.";
[color=00ff00]register.php:[/color]// $Id: register.php 2 2005-11-02 18:23:29Z skalpa $
[color=00ff00]register.php:[/color] echo "<form action='register.php' method='post'>
[color=00ff00]themes/wfly_theme/theme.html:[/color] <a href="<{$xoops_url}>/user.php">LOGIN</a> <a href="<{$xoops_url}>/register.php">REGISTER</a>
rob@mowglilaptop:~/public_html$
All the files containing a reference to register.php are listed along the left margin (highlighted in green) together with the context.
Next I renamed the backup copy of register.php to something unintelligible such as wqropihshbgas.php. I then used a plain editor to update the change in the backups of the files identified above.
I also pasted the output of grep into a plain text file and stored that in the folder below the webroot. That way I have a backup copy of the changes I've made.
Lastly I uploaded the updated files overwriting the originals and deleted the old register.php.
It worked a treat and now protector is reporting zero spam attempts on register.php.
Pretty basic but I hope this helps someone.
Rob
20
I was reading this thread and was wondering if anyone, like me, was thinking that renaming register.php could be automated?
Thinking aloud here....
On my site there are six places where I'd need to change the reference, 5 php and one template. If I were to save the name of register.php as a configuration option, load it into a global variable and replace these six instances with a reference to that variable, then I could have an admin function that generated a random filename, copied the current register.php into that file, updated the config option then deleted the old copy of register.php.
Perhaps this could be made into a small module so you could repeat the process after any core update took place.
Sounds simple enough but with two under two years I may not get the chance to do it before someone else has a crack.
Huh? What's that? Sounds like someone needs winding again ....
Thinking aloud here....
On my site there are six places where I'd need to change the reference, 5 php and one template. If I were to save the name of register.php as a configuration option, load it into a global variable and replace these six instances with a reference to that variable, then I could have an admin function that generated a random filename, copied the current register.php into that file, updated the config option then deleted the old copy of register.php.
Perhaps this could be made into a small module so you could repeat the process after any core update took place.
Sounds simple enough but with two under two years I may not get the chance to do it before someone else has a crack.
Huh? What's that? Sounds like someone needs winding again ....
Login
Search
Recent Posts
Who's Online
Donat-O-Meter
| Stats | |
| Goal: | $100.00 |
| Due Date: | May 31 |
| Gross Amount: | $0.00 |
| Net Balance: | $0.00 |
| Left to go: | $100.00 |
 |
|