PHP: why is my reCAPTCHA register form being spammed?
Here is the URL of the form: I seem to be getting about 20-30 machine-generated accounts from this form. I don't know how the bots are getting through, because I have tested it countless times to see whether it can get through without entering the correct reCAPTCHA, but when I try it seems to correctly reject attempts to create an account with a blank or wrong reCAPTCHA. So I don't know how to stop the spam accounts from being created. Maybe my public key has been leaked? From the patterns I see in the spam-created accounts, it seems there are multiple sources creating them. If it's needed, here is the code in the doregister.php page that the form posts to:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head>
<body>Please wait...
<?
session_start();
include 'functions.php';
function check_email_address($email) {
// First, we check that there's one @ symbol,
// and that the lengths are right.
if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
// Email invalid because wrong number of characters
// in one section or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$",
$local_array[$i])) {
return false;
}
}
// Check if domain is IP. If not,
// it should be valid domain name
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) {
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$",
$domain_array[$i])) {
return false;
}
}
}
return true;
}
//------------------------------------------------------------------------checkrecaptcha
require_once('recaptchalib.php');
$privatekey = "CENSORED";
$resp = recaptcha_check_answer ($privatekey,
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
$_SESSION['msg2'] = "The reCAPTCHA wasn't entered correctly. Please try it again";
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/register"> <?
die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
"(reCAPTCHA said: " . $resp->error . ")");
}
else{
// Your code here to handle a successful verification
//----------------------------------------------------------------------------------------------
//----------------------------------------authenticating submitted fields---------------------------
//--------------------------------------------check passwords match--------------------------------------------------
if ($_POST['password'] != $_POST['repeat'])
{
$_SESSION['msg2'] = "passwords dont match";
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/login"> <?exit();
}
else
{
$password = $_POST['password'];
}//--------------------------------------------check passwords match----END----------------------------------------------
if ($_POST['email'])//-------------------------check email was submited--------------------------------------------------
{
if(!check_email_address($_POST['email']))
{
$_SESSION['msg2'] = "(".$_POST['email'].") is not a valid email";
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/login"> <?exit();
}
$email = $_POST['email'];
}
else
{
$_SESSION['msg2'] = "email is a required field";
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/login"> <?exit();
}//-------------------------check email was submited------END--------------------------------------------
if ($_POST['name'])//-------------------------check name was submited--------------------------------------------------
{
$name = $_POST['name'];
}
else
{
$_SESSION['msg2'] = "name is a required field";
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/login"> <?exit();
}//-------------------------check name was submited----------END----------------------------------------
//----------------------------------------authenticating submitted fields-------END--------------------
//connecting to mysql server
$DBConnect = mysqli_connect("localhost", "mrhowtos_user", "9Xhe9e949Xhe9e94!");
mysqli_set_charset($DBConnect, "utf8");
mb_internal_encoding("UTF-8");
//error handling
if (!$DBConnect)
echo "<p>the database server is not available</P>";
else
{//------------------------------------------checking for existing user conflicts---------------------------
if (mysqli_select_db($DBConnect, "mrhowtos_main"))
{
$checkqwry1 = "select name from users where name = '$name';";
$checkqwry2 = "select email from users where email = '$email';";
$array = mysqli_query($DBConnect, $checkqwry1);
$Row = mysqli_fetch_row($array);
if ($Row)
{
$_SESSION['msg2'] = $Row[0]." is already in use by another user";
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/login"> <?exit();
}
$array = mysqli_query($DBConnect, $checkqwry2);
$Row = mysqli_fetch_row($array);
if ($Row)
{
$_SESSION['msg2'] = "the email ".$Row[0]." is already in use by another user";
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/login"> <?exit();
}
else//------------------------------------------checking for existing user conflicts----END-----------------------
{
//-------------------------------approved account credentials, insert in db and login-----------------------------------
$_SESSION['username'] = $name;
$_SESSION['rights'] = 1;
$_SESSION['msg2'] = "hi ".$name." you have successfully registered! and logged in!<br />Note that the \"Make Translations\" Option has now appeared in the Navigation so you can start adding translations!";
$ip = getRealIpAddr();
//--------------------------------------------insert user into db--------------------------------------------------------
// $name, $email and $password are interpolated into the SQL unescaped, and the password is stored in plaintext
$QueryResult = mysqli_query($DBConnect, "INSERT INTO `mrhowtos_main`.`users` (`ID` ,`name` ,`password` ,`email` ,`rights`, `IP address`)VALUES (NULL , '$name', '$password', '$email', '1', '$ip');")
Or die("<p>Unable to execute the query.</p>"
. "<p>Error code " . mysqli_errno($DBConnect)
. ": " . mysqli_error($DBConnect) . "</p>");
//--------------------------------------------insert user into db---END-----------------------------------------------------
if ($_SESSION['lastpage'])
{
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/page<?echo $_SESSION['lastpage'];?>"> <?exit(); //auto return to last page
}
else
{
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/login"> <?exit(); //auto return to login page
}
} //-------------------------------approved account credentials, insert in db and login---END-------------------------------
}
else
{
echo "database selected was not found";
}
}
}
?><meta http-equiv="Refresh" content="0; url=http://www.mrhowtosay.com/insert">
<a href="insert">insert</a>
</body>
</html>
So log the data the bots are sending and try it yourself.

Could you explain that a bit more? I don't understand your suggestion.

Log all of $_POST, $_SESSION and $_SERVER. Then look at the parameters the bots are sending you.

CAPTCHA solving can be bought! It costs about $1 per 1,000 CAPTCHAs, so if you have detected one machine generating 30 accounts, somebody invested 3 cents to annoy you. Pretty cheap. Who solves them? Low-paid workers in the third world. So there really are humans involved. That is why CAPTCHAs no longer work. Find out where the IP addresses are based and decide whether you are willing to block users from that country. For example, if you are quite sure no user from India would be interested in your service but you are getting masses of requests from India, block IP addresses from India. It is a bit of a sledgehammer, but it will work.