Question

这是我的脚本，用于检查填写的字段：

foreach($_POST as $key => $value){
    //required fields
    if(in_array($key, $required_fields) && empty($value) && $all_required_filled){
        $error_message .= "<li>Not all required fields were filled out</li>"; 
        $valid = false;
        $all_required_filled = false;
    }
    //valid email address
    if($key == 'email'){
        if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
            $error_message .= "<li>Invalid email format</li>";
            $valid = false; 
        }
    }
    //captcha is valid
    if($key == "captcha"){
        if((int)$value !== (int)$_SESSION['veriword']){
            $error_message .= "<li>The captcha was incorrect</li>";
            $valid = false;
        }
        else{
            $message .= "User entered {$value}. Correct answer was {$_SESSION['veriword']}";
        }
        continue;
    } 
}

基本上，如果验证码表单字段与验证码插件设置的会话变量匹配，则脚本会在电子邮件中打印一行，列出用户输入的内容以及正确的值。

当我错误地填写验证码时，我无法发送表单，并在页面上卡住并显示错误消息。但不知何故，垃圾邮件机器人正在成功发送表单，而没有列出表单字段和验证码值的行。所以它完全绕过“if”声明，不知何故？我不确定发生了什么......

Answer 1

而不是循环$_POST，而是明确检查所需的输入：

if (isset($_POST['captcha'])) {
    if (intval($_POST['captcha']) !== $_SESSION['veriword']) {
        $error_message .= "<li>The captcha was incorrect</li>";
        $valid = false;
    }
} else {
    $error_message .= "<li>The captcha was not submitted</li>";
    $valid = false;
}

我的验证码是如何被机器人绕过的？

1 个答案: