------ IMPORTANT NOTE: ------
As bzrudi wrote: Checkout CVS tree first!
------ IMPORTANT NOTE: ------
This patch will add a (currently with fixed length)
security image to your guestbook. This shall make it
harder for spam-bots to flood your guestbook with
their messages.
The following files are CHANGED:
- linpha/lang/lang.German.php - $gb_code added
- linpha/lang/lang.English.php - $gb_code added
- linpha/include/session.php - Inclusion added for new script
- linpha/plugins/guestbook/guestbook_view.php - Support for image code generation added
The following files are NEW:
- linpha/include/defines.php - Contains three define() statements: The site key which you have to customize, the date key (change it also if you like to your matching date format! :-) ) and a switch. (later more)
- linpha/plugins/guestbook/functions.php - Contains some functions (3 exactly) for image code generation
- linpha/plugins/guestbook/images/backgrounds/code_bg.jpg - A nice background image taken from the PHP-Nuke software (see http://www.php-nuke.com for details)
- linpha/plugins/guestbook/images/backgrounds/code_bg.png - Generated from the previous JPEG file by me with The GIMP
- linpha/plugins/guestbook/img.php - Outputs the image which contains the code
Notes to the constant 'IMG_TYPE':
If your server's GD library has JPEG support you might
also want to change over. Just in case you don't like
PNG images... ;)
Have lots of fun with your new improved guest book! :-)
Roland aka. Quix0r
Logged In: YES
user_id=16215
Damn mind of me... ;) Wrong link. Here's the right one:
http://www.phpnuke.org/
But: Better stay away from this. As a work-mate said:
PHP-Nuke *is* a security-hole... *smile*
Logged In: YES
user_id=16215
I have improved the patch a little. I found a *possible*
security flaw in your script. You use PHP_SELF in many
places but unsecured. I found a way to secure it by not
replacing it with SCRIPT_NAME (this will affect too many
files). So please have a look at the script
include/security.php (oh, really? ;) ).
Additionally I rewrote my pseudonym Quix0r to my real name. :-)
Cheers,
Roland
Logged In: YES
user_id=16215
The code in image and URL was the same. My fault, no GNU GPL
covered... :) *oops*
Logged In: YES
user_id=16215
Oops. Now guess this:
My encoding routine uses $_SERVER['PHP_SELF'] (secured). And
/path/img.php is different from /path/guestbook_view.php
right? So I also got another code in processing the post
request. :-( :-( :-(
Roland
Finally fixed patch... LOL
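The mismatch described in the comment above, reproduced as an added example (not code from the patch or from LinPHA): when the script path is mixed into the code derivation, img.php and guestbook_view.php compute different codes for the same request. It assumes the URL carries a random token and the image shows a value derived from it; HMAC-SHA256, derive_code(), safe_self() and the key values are stand-ins chosen here, not the patch's routine.

```php
<?php
// Added illustration; not code from the LinPHA patch. SITE_KEY and DATE_KEY
// mirror the two keys the patch description mentions; values are constructed.
const SITE_KEY = 'change-me-constructed-site-key';
const DATE_KEY = 'Y-m-d';

// Derive the fixed-length code shown in the image from the token in the URL.
// $context is whatever else gets mixed in (hypothetical parameter).
function derive_code(string $token, string $context): string
{
    $msg = date(DATE_KEY) . '|' . $context . '|' . $token;
    $mac = hash_hmac('sha256', $msg, SITE_KEY);
    // Map the first 8 hex digits to a 4-digit decimal code.
    $num = hexdec(substr($mac, 0, 8)) % 10000;
    return str_pad((string) $num, 4, '0', STR_PAD_LEFT);
}

// Reduce PHP_SELF to the script path: drop any trailing PATH_INFO a client
// can append (/img.php/anything) and escape the rest before it is output.
function safe_self(string $phpSelf): string
{
    $pos  = stripos($phpSelf, '.php');
    $path = $pos === false ? $phpSelf : substr($phpSelf, 0, $pos + 4);
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

$token = bin2hex(random_bytes(8)); // value carried in img.php?code=...

// Variant with the bug: each script mixes in its own path, so the code
// drawn by img.php is not the one guestbook_view.php expects on POST.
$shown    = derive_code($token, safe_self('/linpha/plugins/guestbook/img.php'));
$expected = derive_code($token, safe_self('/linpha/plugins/guestbook/guestbook_view.php'));
echo "path in context:     ";
var_dump(hash_equals($expected, $shown));

// Corrected variant: both scripts use the same constant context string.
$shown    = derive_code($token, 'guestbook');
$expected = derive_code($token, 'guestbook');
echo "constant context:    ";
var_dump(hash_equals($expected, $shown));
```

Because the date is part of the input, a code issued just before midnight no longer verifies after the date changes.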
Logged In: YES
user_id=184593
Hi Roland,
thanks for your patch! We are going to release the next
version (1.1.0) next week (hopefully). So I will have a
closer look as soon as the release is out!
Thank You!
cheers bzrudi
Logged In: YES
user_id=975693
hi roland
i know, it's a bit late to answer... but i hope you will
receive this message
i just had a closer look at your patch, it's really nice and
i want to apply it!
but i think there should be done some changes before:
- no defines.php, add config entries in linpha_config table
- add possibility to activate/deactivate this feature in the
guestbook plugin settings, it should be deactivated by default
after these changes are made, i will apply it also in linpha2
thanks
flo
Logged In: YES
user_id=329414
Originator: NO
Hi,
what's the status of this patch? against what does it apply (CVS of 1.x?). I'm asking this 'cause against 1.2.0, it doesn't work as expected (a broken link is shown in place of the image, for instance).
Logged In: YES
user_id=16215
Originator: YES
I'm using 1.2.0 as well. Could you please open plugins/guestbook/functions.php and comment out line 131. This shall finally look like:
// header("Content-Type: image/".IMG_TYPE);
After this please open...
http://your-domain/plugins/guestbook/img.php?code=1234.
in your browser and post the output here. :) So I can debug it.
Logged In: YES
user_id=329414
Originator: NO
It shows a blank page.
here's the guestbook:
https://www.$FOO.org/linpha/plugins/guestbook/guestbook_view.php?mode=insert
and the link you asked me to go to:
https://www.$FOO.org/linpha/plugins/guestbook/img.php?code=1234
(where $FOO is "mollux", sorry for being paranoid against robots)
Logged In: YES
user_id=329414
Originator: NO
Oh, BTW, the original post of this patch talks about linpha/lang/lang.English, but I couldn't find those lang files in the attached patch. Okay that just explains why I see no text where $gb_code, but I wonder if the patch link is right, now (from bottom of page: https://sourceforge.net/tracker/download.php?group_id=64772&atid=508616&file_id=167719&aid=1432469).
Logged In: YES
user_id=16215
Originator: YES
Hmmm, I can only speculate here because I got an empty webpage:
gdlib (or libgd sometimes called) installed?
Yes, the language file is not included. You need to add the mentioned string $gb_code to your language files like this:
// English:
$gb_code="Enter code again";
// German:
$gb_code="Code wiederholen";
Roland
Logged In: YES
user_id=329414
Originator: NO
Yes GD is installed (I use it for many things on this HTTP server):
$ gdlib-config --version
2.0.33
It's installed in /usr/local/lib.