zf2 captcha验证安全问题

时间:2014-11-11 05:36:58

标签: php zend-framework zend-framework2 captcha

我在表格中使用zf2验证码: 在控制器中:

public function loginAction() {
        $loginForm = new LoginForm ( );
        if ($this->getRequest ()->isPost ()) {
            $postedValues = $this->getRequest ()->getPost ();
            $loginForm->setData ( $postedValues );
            if ($loginForm->isValid ()) {
                echo 'valid';

            } else {
                echo 'invalid';
            }
        } 
    }
    $view ['loginForm'] = $loginForm;
    return new ViewModel ( $view );
}

在我的loginForm中我有:

public function __construct($adapter) {
    parent::__construct ();
    $this->setAttribute ( 'method', 'post' );
    $this->setAttribute ( 'name', 'loginForm' );
    $inputFilter = new InputFilter ();
    $factory = new Factory ();
    $captchaImage = new CaptchaImage(  array(
            'font' => dirname(__DIR__).'/../../../../public/fonts/arial.ttf',
            'width' => 150,
            'height' => 75,
            'dotNoiseLevel' => 40,
            'lineNoiseLevel' => 3 ,
            'wordLen' => 5
        )
    );
    $this->add(array(
        'type' => 'Zend\Form\Element\Captcha',
        'name' => 'captcha',
        'options' => array(
            'label' => 'Security Question',
            'captcha' => $captchaImage,
        ),
    ));
    $submit = new Element\Submit ( 'submit' );
    $submit->setValue ( _ ( 'Login' ) )->setAttributes ( array (
            'id' => 'submitbutton',
            'class' => 'btn btn-default' 
    ) );
    $this->add ( $submit );
    }

并在我的phtml文件中:

if(isset($this->loginForm)){    
    $form = $this->loginForm;
    $form->prepare();
    var_dump($form->getMessages());
echo $this->form()->openTag($form);
    ?>
<div class="col-md-6">
        <?php 
        foreach ($form as $element) {

            echo '<div class="form-group">
                <label class="control-label">
                    '.
                    _($element->getLabel()).
                '</label>'
                    .$this->formElement($element).
                    '
                </div>';
        }
        ?> 
</div>
<?php 
    echo $this->form()->closeTag(); 
}

我的问题是,当我提交表单时,一切都很完美。 isValid函数执行它所拥有的功能并正确验证验证码。但是,当我通过浏览器刷新按钮重新发送相同的信息时,isValid函数再次返回true,这是不可接受的,因为图像已更改。似乎旧的验证码对zf2仍然有效,这是不正确的,并且存在安全问题,让黑客很容易绕过它。我在这里错过了什么吗?

0 个答案:

没有答案