这种评论形式验证是否安全?

时间:2016-01-25 07:06:53

标签: javascript php jquery wordpress forms

我想在wordpress文章评论的评论表单中添加验证,但我找不到更改提交表单的方法(以便我可以在评论帖子提交时验证它)。我找到了plugin,为用户登录添加了验证码,所以我接受了,并将其添加到我的评论表单中。

我基本上只将短代码添加到我的评论表单

function mytheme_image_captcha( $args ){

    // Adds an argument to the shortcode to record the type of form (Contact us, Request a Visit, Refer a Friend...) - [fuel-spam-guard form="Contact Us"]
    extract( shortcode_atts( array( 'form' => '' ), $args ) );

    // Create an array to hold the image library
    $captchas = array(
        esc_html__( 'Heart', 'mytheme') => "fa-heart",
        esc_html__( 'House', 'mytheme') => "fa-home",
        esc_html__( 'Star', 'mytheme')  => "fa-star",
        esc_html__( 'Car', 'mytheme')   => "fa-car",
        esc_html__( 'Cup', 'mytheme')   => "fa-coffee",
        esc_html__( 'Flag', 'mytheme')  => "fa-flag",
        esc_html__( 'Key', 'mytheme')   => "fa-key",
        esc_html__( 'Truck', 'mytheme') => "fa-truck",
        esc_html__( 'Tree', 'mytheme')  => "fa-tree",
        esc_html__( 'Plane', 'mytheme') => "fa-plane"
    );

    $choice = array_rand( $captchas, 3);
    foreach($choice as $key) {
        $choices[$key] = $captchas[$key];
    }

    // Pick a number between 0-2 and use it to determine which array item will be used as the answer
    $human = rand(0,2);

    ob_start(); ?>

        <div class="captcha-image">

            <p><?php _e('Please prove you are human by selecting the', 'mytheme'); ?> <span><?php echo $choice[$human]; ?></span> <?php esc_html_e('.', 'mytheme'); ?></p>

            <?php
            $i = -1;
            foreach($choices as $title => $image) {
                $i++;
                if($i == $human) { $value = "tn_human"; } else { $value = "bot"; };
                echo  '<label><input type="radio" name="tn_captcha" value="'. $value .'"/><i class="fa '. $image .'"></i></label>';
            }
            ?>

        </div>
        <div style="display:none">
            <input type="text" name="tn_honeypot">
            <input type="hidden" name="FormType" value="<?php echo $form ?>"/>
            <input type="hidden" name="wplicic_exists" value="true"/>
        </div>

    <?php    // more code
    $result = ob_get_contents(); // get everything in to $result variable
    ob_end_clean();
    return $result;
}

add_shortcode('contact_captcha', 'mytheme_image_captcha');

循环您需要选择的输入字段中的图像和单词。评论表是这样的:

<?php

    $commenter = wp_get_current_commenter();
    $req = get_option( 'require_name' );
    $aria_req = ( $req ? " aria-required='true'" : '' );

    $fields =  array(
      'author' =>
        '<div class="comment_fields"><p class="comment-form-author"><input id="author" name="author" type="text" placeholder="' . esc_html__( 'Name', 'mytheme' ) . '" value="' . esc_attr( $commenter['comment_author'] ) .
        '" size="30"' . $aria_req . ' /></p></div>',
        'captcha' => (!is_user_logged_in()) ? do_shortcode('[contact_captcha]') : '',

    );

    $comment_field = '<p class="comment-form-comment"><textarea id="comment" name="comment" placeholder="' . esc_html__( 'Your Comment', 'mytheme' ) . '" cols="45" rows="6" aria-required="true"></textarea></p>';

    comment_form(array(
        'fields'                => $fields,
        'comment_field'         => $comment_field,
        'comment_notes_after'   => '',
        'id_submit'             => 'comment-submit',
        'title_reply'           => esc_html__( 'Leave a comment', 'mytheme' ),
        'title_reply_to'        => esc_html__( 'Leave a reply to %s.', 'mytheme' ),
        'cancel_reply_link'     => esc_html__( 'Cancel reply', 'mytheme' ),
        'label_submit'          => esc_html__( 'Submit', 'mytheme' ),
        'comment_notes_before'  => ''
    )); ?>

仅当用户未登录时才会显示验证码(我假设登录的用户不是机器人)。

因为我找不到覆盖表单提交的$_POST的方法,所以我添加了一个小而简单的js代码,它将禁用post按钮,除非你点击正确的。它的工作原理

/*Comment Validation*/

if ($('#comments').length) {
    $('#comments').find('input[type="submit"]').attr('disabled', 'disabled');
    $('.captcha-image input[type="radio"]').on('click', function(){
        if ( $(this).is(':checked') && $(this).val() == 'tn_human' ){
            $('#comments').find('input[type="submit"]').removeAttr('disabled');
        } else{
            $('#comments').find('input[type="submit"]').attr('disabled', 'disabled');
        }
    });
}

现在我的问题是:这有多安全?

这可以防止机器人发表评论吗?

我有一种感觉,这不是验证wordpress评论的简单方法。

我找到了一个有效的验证码插件,但它有一个基于类型的验证码(3 + __ = 7类型的capthca),客户端要求基于图像点击的验证码,我找不到一个免费的致力于评论。

任何有关安全的建议都是有帮助的。

1 个答案:

答案 0 :(得分:0)

此类场景的最佳做法是使用PHP库将captcha插入到表单中。这是最好的做法,因为您不必抓住整个插件只是为了使用其短代码进行验证码。

我最近使用了Secureimage,它的运行方式与我想要的完全相同。

您必须插入HTML元素才能输入:

<input class="membership-form" type="text" name="captcha_code" size="10" maxlength="6" required>

<img style="margin-left: 34%;margin-top: 1%;" id="captcha" src="http://darpe.me/wp/wp-content/plugins/custom-register/securimage/securimage_show.php" alt="CAPTCHA Image" />

<a href="#" onclick="document.getElementById('captcha').src = 'http://darpe.me/wp/wp-content/plugins/custom-register/securimage/securimage_show.php?' + Math.random(); return false">[ Different Image ]</a>

接下来,在提交检查页面中,您将添加以下内容:

include_once $_SERVER['DOCUMENT_ROOT'] . '/wp/wp-content/plugins/YOUR-PLUGIN-PATH/securimage/securimage.php';

if (!is_wp_error($errors))  $errors = new WP_Error;
$securimage = new Securimage();

if ($securimage->check($_POST['captcha_code']) == false) {
    // the code was incorrect
    // you should handle the error so that the form processor doesn't continue

    // or you can use the following code if there is no validation or you do not know how
    $errors->add('chaptcha_error', 'The security code entered was incorrect. Please try again!');
}