Captcha PHP

failure to display
So I've been trying to add this captcha to some code I'm

using and I'm unable to get it to display the image in my

form. I get the alt text and I can click to go to the image

directly and it displays ok but I never get anything in the

form page. I've read the README for clues but so far

nothing. I've added error_log() debugging code to the code

and when the request comes in for the image the only code

that is exercised is the the test for the invoking of the script

directly.

So out of ideas I put in the following hack as an else after

the test in the aforementioned if.

} else {

if (isset($_SERVER['QUERY_STRING']) && strpos

($_SERVER['QUERY_STRING'], "__ec_i=ec.") === 0 ){

$c = new easy_captcha();

$expired = !$c->is_valid();

if ($expired) {

$type = "image/png";

$bin = easy_captcha_utility::expired_png();

} else {

$type = "image/jpeg";

$bin = $c->image->jpeg();

}

header("Pragma: no-cache");

header("Cache-Control: no-cache, no-store, must-

revalidate, private");

header("Expires: " . gmdate("r", time()));

header("Content-Length: " . strlen($bin));

header("Content-Type: $type");

print $bin;

}

}

and not surprisingly the image shows up in my form. So I

don't understand how on the requests for the image from my

form anything is supposed to happen since prior to this

change as far as I can tell nothing but the API() code put out

a header and the image. Second I don't see how any code

would ever be activated by the REQUEST that asks for the

image since the only "main line" code is that code that tests

for the direct invoke. I'm clearly missing something here

that must be obvious to the author. Any help would be

appreciated. TIA.

BTW I see the following error when I use "whirly" mode.

PHP Notice: Undefined variable: y in .../captcha.php on line

800

which is this line:

if (($x > $this->height) && ($y > $this->height)) {

and $y is undefined at this point.

Re: Eliminates waves border
Thank you very much for sharing this fix! The next release will include it ;)

[Totally forgot about this, because I've tested with the black/inverse version only.]

Eliminates waves border
I have modified the function distort() changing this inside the "for":

#-- get source pixel, paint dest

if ($single_pixel) {

// single source dot: one-to-one duplicate (unsmooth, hard edges)

if ( ((int)$dx+$x > 0) && ((int)$dy+$y > 0) && ((int)$dx+$x < $width) && ((int)$dy+$y < $height) ) {

imagesetpixel($dest, $x, $y, @imagecolorat($i, (int)$dx+$x, (int)$dy+$y));

} else {

imagesetpixel($dest, $x, $y, $this->inverse ? $this->bg ^ 0xFFFFFF : $this->bg);

};

}

//-------------------------------------

This eliminates borders when I use the Wave function.

Thanks for that excelent and free script.

Re: yes, this class is not secure.
I very much doubt that linkspamming under fake names and abusive conjectures get you any customers.

Re: Security hole

There has never been such a "security hole", because the _tcf= parameter (in version 0.9 only) has been filtered by:

if (preg_match('/^\w+$/', $id) && file_exists(...

Which also works more reliable than basename(), since it doesn't let special characters or even dots through.

------------

Even though this was a false alarm here, it's a very good practice to do at least such a surface security check in new scripts. So, no offence, and many thanks for voicing concerns and providing feedback here!