[contribution] Visual Verify Code (VVC) security

[Guest]

I just wanted to let everyone know about a contribution I uploaded last night called Visual Verify Code (VVC) [it is located in the features section].

 

Have you ever been on a site that displays an image with text on it and you are required to input what you see? This is what my contribution does. It helps thwart automated programs from creating bogus accounts, using your Tell-A-Friend as a spam system, and the like. You can view this contribution running by visiting my site: OnlyVotives.com and clicking ?contact us?.

 

-Bill of LTCMLLC

[jwsfun]

William,

 

I am completely stuck on step 4, for a couple of reasons:

 

1. None of the code you instruct to look for is in my create_acount.php: Is this actually create_account_process.php that I should be looking at instead? If so...

 

2. In create_account_process.php, there is NO occurance of "if ($error == false) anywhere in this file. The closest thing to it is:

 

$error = false; // reset error flag (<---line 40, nowhere near line 170)

 

OR, several occurances of "entry_XXXXX_error==false" (and ==true as well)

 

I'm new to php and would really like to make this valuable contribution work, so I'd appreciate some input or a solution if you can help.

Thank you :).

[beardeddone]

William,

 

I am completely stuck on step 4, for a couple of reasons:

 

1. None of the code you instruct to look for is in my create_acount.php: Is this actually create_account_process.php that I should be looking at instead? If so...

 

2. In create_account_process.php, there is NO occurance of "if ($error == false) anywhere in this file. The closest thing to it is:

 

? $error = false; // reset error flag (<---line 40, nowhere near line 170)

 

?  OR, several occurances of "entry_XXXXX_error==false" (and ==true as well)

 

I'm new to php and would really like to make this valuable contribution work, so I'd appreciate some input or a solution if you can help.

Thank you :).

Hum, what version are you using, it's in mine, maybe it was replaced by another contribution.

 

 ?if ($error == false) {
? ? ?$sql_data_array = array('customers_firstname' => $firstname,
? ? ? ? ? ? ? ? ? ? ? ? ? ? ?'customers_lastname' => $lastname,
? ? ? ? ? ? ? ? ? ? ? ? ? ? ?'customers_email_address' => $email_address,
? ? ? ? ? ? ? ? ? ? ? ? ? ? ?'customers_telephone' => $telephone,
? ? ? ? ? ? ? ? ? ? ? ? ? ? ?'customers_fax' => $fax,
? ? ? ? ? ? ? ? ? ? ? ? ? ? ?'customers_newsletter' => $newsletter,
? ? ? ? ? ? ? ? ? ? ? ? ? ? ?'customers_password' => tep_encrypt_password($password));

? ? ?if (ACCOUNT_GENDER == 'true') $sql_data_array['customers_gender'] = $gender;
? ? ?if (ACCOUNT_DOB == 'true') $sql_data_array['customers_dob'] = tep_date_raw($dob);

 

4. Update the /catalog/create_account.php file in two places

a. Adding the code that checks the user input with the code stored in the database

i. Locate the first occurance of "if ($error == false)" (line 170 in the default installation of osCommerce2.2m2).

Edited November 18, 2003 by beardeddone

[jwsfun]

John,

 

Again, there is NOTHING like this in my create_account.php: However, in my create_account_process.php, around line 243, I have something similar to what you just posted:

 

<?php

} else {

$sql_data_array = array('customers_firstname' => $firstname,

'customers_lastname' => $lastname,

'customers_email_address' => $email_address,

'customers_telephone' => $telephone,

'customers_fax' => $fax,

'customers_newsletter' => $newsletter,

'customers_password' => crypt_password($password),

'customers_default_address_id' => 1);

 

I am using 2.2-CVS version of OSC...But I think this contribution should work, don't you?

Do you use it? Maybe I should try pasting the first part of step 4 here...?

[Vince76]

I can't get this contrib to work and I followed the readme to the letter 3 times..

 

I just keep getting the error can't find TABLE_VISUAL_VERIFY_CODE, but it's in the database I can see it..

 

Anyone know of another contrib that can do something similar?

 

Cheer...

[moepstar]

i hope somebody is still watching this thread and is able to help ;)

 

 

i've installed this great contribution (really, thumbs up william!) now on 2 shops.

 

however, i'm at the second one right now and tested the security-code there on the contact_us.php page.

and, guess what - it lets you enter whatever you want into it and sends the request anyways.

 

on the other hand it works just fine when signing up or telling a friend.

 

i really wonder why it does that and if anyone has a fix for it.

 

surely enough i checked if i've applied all changes correctly to contact_us.php and noticed (also already when editing it at first) that the installation-instructions dont exactly represent the code (yes, also in a clean osc ms2 install).

 

contact_us.php, first edit, according to the mods install instructions should be:

 

5. Update the /catalog/contact_us.php in two places:
a. Locate the text near line 30 that ends with a bracket and is:

if (tep_validate_email($email_address) == false) {
  $error = true;
  $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
}

 

original code stock osc ms2:

 

  $error = false;
 if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
$name = tep_db_prepare_input($HTTP_POST_VARS['name']);
$email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
$enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

if (tep_validate_email($email_address)) {
  tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

  tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
} else {
  $error = true;

  $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
}
 }

 

so, this is how i applied the mod to my shop:

 

  $error = false;
 if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
$name = tep_db_prepare_input($HTTP_POST_VARS['name']);
$email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
$enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

if (tep_validate_email($email_address)) {
  tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

  tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
} else {
  $error = true;

  $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
}

//VISUAL VERIFY CODE start
 require(DIR_WS_FUNCTIONS . 'visual_verify_code.php');

$code_query = tep_db_query("select code from visual_verify_code where oscsid = '" . $HTTP_GET_VARS['osCsid'] . "'");
$code_array = tep_db_fetch_array($code_query);
$code = $code_array['code'];

tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'"); //remove the visual verify code associated with this session to clean database and ensure new results

$user_entered_code = $HTTP_POST_VARS['visual_verify_code'];
if (!(strcasecmp($user_entered_code, $code) == 0)) {	//make the check case insensitive
	$error = true;
	$messageStack->add('contact', VISUAL_VERIFY_CODE_ENTRY_ERROR);
}
//VISUAL VERIFY CODE stop

 }

 

(sorry for pasting that much code)

 

so, being this way doesnt display any errors - gooood... but doesnt really validate the input either :(

 

hopefully someone of you guys has an idea =)

[Scotty1]

I have installed this contribution but the expected image just appears as a red X. I am using 2.2 with Image Magic and the Ultimate SEO contributions on my site. Pretty sure it hasn't anything to do with Image Magic as it makes no difference if the contribution is on or off, the result is the same. Has anyone got any ideas?

[Guest]

I have installed this contribution but the expected image just appears as a red X. I am using 2.2 with Image Magic and the Ultimate SEO contributions on my site. Pretty sure it hasn't anything to do with Image Magic as it makes no difference if the contribution is on or off, the result is the same. Has anyone got any ideas?

did you install it properly? Goto your contact_us.php page on your site for instance and examine the HTML generated code. What shows for the image tag?

here is the php to check the equivalent HTML generated:

					 echo('<img src="' . FILENAME_VISUAL_VERIFY_CODE_DISPLAY . '?vvc=' . $vvcode_oscsid . '"');

[matrix2223]

Hello all,

 

I have installed this contrib on all 3 pages and the input text box shows, but not the VVC image. I checked the html gen. tag like enigma suggested and also used the contact_us that came with the contrib. Still nothing.

 

Any ideas to what I can do?

 

Thanks,

 

Eric

[matrix2223]

LOL boy I feel like an idiot now.

 

I forgot to define the file name in filenames.php

 

Sorry,

 

I also send a email through the contact us and didnt enter a VVC and it still went through any ideas

 

Thanks,

Eric

Edited August 12, 2006 by matrix2223

[Guest]

LOL boy I feel like an idiot now.

 

I forgot to define the file name in filenames.php

 

Sorry,

 

I also send a email through the contact us and didnt enter a VVC and it still went through any ideas

 

Thanks,

Eric

 

Did you ever find a solution to this? I have installed it and the contact us page is the only page it let's anything slip through. Any ideas?

 

Thanks,

Steve Lewis

[matrix2223]

Nope I ended up using to different kinds of VVC to get what I wanted

[Guest]

Hi I hope someone can help me.

 

I have installed the VVC code on my OSC 2.2 site, the code request box and image comes up but it still sends every email, even when I enter a false code...

 

Any ideas?

 

Here is the code on my contact_us page (the only one I have installed it on)

 

<?php
/*
 $Id: contact_us.php,v 1.42 2003/06/12 12:17:07 hpdl Exp $

 osCommerce, Open Source E-Commerce Solutions
 [url="http://www.oscommerce.com"]http://www.oscommerce.com[/url]

 Copyright © 2003 osCommerce

 Released under the GNU General Public License
*/

 require('includes/application_top.php');

 require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

 $error = false;
 if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
   $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
   $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
   $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

   if (tep_validate_email($email_address)) {
     tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

     tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
   } else {
     $error = true;

     $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
   }
//VISUAL VERIFY CODE start
 require(DIR_WS_FUNCTIONS . 'visual_verify_code.php');

   $code_query = tep_db_query("select code from visual_verify_code where oscsid = '" . $HTTP_GET_VARS['osCsid'] . "'");
   $code_array = tep_db_fetch_array($code_query);
   $code = $code_array['code'];

   tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'"); //remove the visual verify code associated with this session to clean database and ensure new results

   $user_entered_code = $HTTP_POST_VARS['visual_verify_code'];
   if (!(strcasecmp($user_entered_code, $code) == 0)) {    //make the check case insensitive
       $error = true;
       $messageStack->add('contact', VISUAL_VERIFY_CODE_ENTRY_ERROR);
   }
//VISUAL VERIFY CODE stop	

 }

 $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_CONTACT_US));
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

<!-- body was cellspacing="3" cellpadding="3"//-->
<table border="0" width="100%" cellspacing="0" cellpadding="0">
 <tr>
   <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="0">
<!-- left_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
   </table></td>
<!-- body_text //-->
   <td width="100%" valign="top"><?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send')); ?><table border="0" width="99.75%" align="right" cellspacing="0" cellpadding="0">
     <tr>
       <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
         <tr>
           <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
           <td class="pageHeading" align="right"><?php //echo tep_image(DIR_WS_IMAGES . 'table_background_contact_us.gif', HEADING_TITLE, HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
         </tr>
       </table></td>
     </tr>
     <tr>
       <td class="main"><?php echo PRE_AMBLE; ?></td>
     </tr>
  <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
<?php
 if ($messageStack->size('contact') > 0) {
?>
     <tr>
       <td><?php echo $messageStack->output('contact'); ?></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
<?php
 }

 if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'success')) {
?>
     <tr>
       <td class="main" align="left"><?php echo TEXT_SUCCESS; ?></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td align="right"><?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?></td>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
<?php
 } else {
?>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td class="main"><?php echo ENTRY_NAME; ?></td>
             </tr>
             <tr>
               <td class="main"><?php echo tep_draw_input_field('name'); ?></td>
             </tr>
             <tr>
               <td class="main"><?php echo ENTRY_EMAIL; ?></td>
             </tr>
             <tr>
               <td class="main"><?php echo tep_draw_input_field('email'); ?></td>
             </tr>
<!-- VISUAL VERIFY CODE-- START-->
     <tr>
       <td class="main"><?php echo VISUAL_VERIFY_CODE_CATEGORY; ?></td>
     </tr>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" cellspacing="2" cellpadding="2">

             <tr>
               <td class="main"><?php echo VISUAL_VERIFY_CODE_TEXT_INSTRUCTIONS; ?></td>
               <td class="main"><?php echo tep_draw_input_field('visual_verify_code'); ?></td>

               <td class="main">
                 <?php
                     //can replace the following loop with $visual_verify_code = substr(str_shuffle (VISUAL_VERIFY_CODE_CHARACTER_POOL), 0, rand(3,6)); if you have PHP 4.3
                   $visual_verify_code = "";
                   for ($i = 1; $i <= rand(3,6); $i++){
                         $visual_verify_code = $visual_verify_code . substr(VISUAL_VERIFY_CODE_CHARACTER_POOL, rand(0, strlen(VISUAL_VERIFY_CODE_CHARACTER_POOL)-1), 1);
                    }
                    $vvcode_oscsid = $HTTP_GET_VARS['osCsid'];
                    tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'");
                    $sql_data_array = array('oscsid' => $vvcode_oscsid, 'code' => $visual_verify_code);
                    tep_db_perform(TABLE_VISUAL_VERIFY_CODE, $sql_data_array);
                    $visual_verify_code = "";
                    echo('<img src="' . FILENAME_VISUAL_VERIFY_CODE_DISPLAY . '?vvc=' . $vvcode_oscsid . '"');
                 ?>
               </td>
               <td class="main"><?php echo VISUAL_VERIFY_CODE_BOX_IDENTIFIER; ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
<!-- VISUAL VERIFY CODE-- STOP -->
             <tr>
               <td class="main"><?php echo ENTRY_ENQUIRY; ?></td>
             </tr>
             <tr>
               <td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15); ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td align="right"><?php echo tep_image_submit('button_continue.gif', IMAGE_BUTTON_CONTINUE); ?></td>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
<?php
 }
?>
   </table></form></td>
<!-- body_text_eof //-->
   <!-- <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2"> //-->
<!-- right_navigation //-->
<?php //require(DIR_WS_INCLUDES . 'column_right.php'); ?>
<!-- right_navigation_eof //-->
   </table></td>
 </tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

 

Thanks in advamce for any help...

[rubygirl]

anyone have any idea how to incorporate this code into the newsletter contribution?

 

Got everything to display - but can't figure out where to enter this coe:

 

require(DIR_WS_FUNCTIONS . 'visual_verify_code.php');

 

$code_query = tep_db_query("select code from visual_verify_code where oscsid = '" . $HTTP_GET_VARS['osCsid'] . "'");

$code_array = tep_db_fetch_array($code_query);

$code = $code_array['code'];

 

tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'"); //remove the visual verify code associated with this session to clean database and ensure new results

 

$user_entered_code = $HTTP_POST_VARS['visual_verify_code'];

if (!(strcasecmp($user_entered_code, $code) == 0)) { //make the check case insensitive

$error = true;

$messageStack->add('newsletters', VISUAL_VERIFY_CODE_ENTRY_ERROR);

}

 

i have looked at newsletter.php and newsletter_subscribe.php

 

 

any thoughts?

[garnalamal]

Hi:

 

first sorry, I´m spanish and no speek englis very well.

 

The VVC it´s work very well, I ask if would change the imagen for de code, why the image no is very clear.

 

what code, or file woul change¿

 

Thanks for your support.

Edited September 16, 2007 by garnalamal

[Roaddoctor]

I run on PHP 4.3.2, MySQL 3.23.58 OSC 2.2RC1

 

What is wrong with this SQL?

 

I get this error when I try to execute:

 

ERROR 1064 at line 15: You have an error in your SQL syntax near 'NOW(),

PRIMARY KEY (oscsid)

)' at line 4

 

 

 

DROP TABLE IF EXISTS visual_verify_code;
CREATE TABLE visual_verify_code (
 oscsid varchar(32) NOT NULL,
 code varchar(6) NOT NULL,
 dt TIMESTAMP(12) NOT NULL DEFAULT NOW(),
 PRIMARY KEY (oscsid)
);

 

Thanks for the help

[newtech]

I can get this to work with contact and create account with no problem.

 

However with tell_a_friend it will not accept the letters I enter. I have tried several times. Keeps coming up with wrong security code entered. Any ideas?

[Craft_Shop_Girl]

Hello,

 

I do not get the image just the red x. Any suggestions?

[Guest]

I run on PHP 4.3.2, MySQL 3.23.58 OSC 2.2RC1

 

What is wrong with this SQL?

 

I get this error when I try to execute:

 

ERROR 1064 at line 15: You have an error in your SQL syntax near 'NOW(),

PRIMARY KEY (oscsid)

)' at line 4

DROP TABLE IF EXISTS visual_verify_code;
CREATE TABLE visual_verify_code (
 oscsid varchar(32) NOT NULL,
 code varchar(6) NOT NULL,
 dt TIMESTAMP(12) NOT NULL DEFAULT NOW(),
 PRIMARY KEY (oscsid)
);

 

Thanks for the help

It worked for me. The install instructions omit the edit for the includes/database_tables.php

 

Add before the final ?>

//VVC CODE

define('TABLE_VISUAL_VERIFY_CODE', 'visual_verify_code');

[Guest]

I get the same problem. The images do not load and the GD Library is enabled. I used this contribution some time ago and did not have this problem.

 

Any help would be great.

Jamie

[Guest]

I get the same problem. The images do not load and the GD Library is enabled. I used this contribution some time ago and did not have this problem.

 

Any help would be great.

Jamie

Well, I got the images to show, but it does not work. Put anything in for the code on the contact us page and it still sends.

Edited November 20, 2007 by Coopco

[Guest]

It worked for me. The install instructions omit the edit for the includes/database_tables.php

 

Add before the final ?>

//VVC CODE

define('TABLE_VISUAL_VERIFY_CODE', 'visual_verify_code');

Correction, it is there, just hard to see.

[Guest]

Hello,

 

I do not get the image just the red x. Any suggestions?

Do you have the GD Library installed in php.

[Guest]

Well, I got the images to show, but it does not work. Put anything in for the code on the contact us page and it still sends.

Little update. The create account page also accepts anything and the email is sent.

 

This entirely defeats the purpose of this contribution.

[Guest]

I am having the same issue that moepstar and others are experiencing. The contrib works fine on the Create Account and Tell A Friend pages, but not in the Contact Us page. You can leave the field blank or enter anything and it will still go through. Has anyone found a solution for this, or is there another VVC contrib that might work better?

 

Thanks in advance.

 

J.B.