I have a form, something like:
<form action="" method="post">
<label class="reg_label" for="name">Name:</label>
<input name="name" type="text" class="text_area" id="name"/>
.... etc...
</form>
To submit the form, the user must also first complete a CAPTCHA. This works great, and only allows form submission for perfect matches. Reloading the page will result in a new CAPTCHA. Pressing the "back" button will also display a new CAPTCHA.
When the user submits the form, it is verified via javascript, and that all works dandy, and then it is submitted (and emailed) via a separate php script:
<?php
include('connect_to_mysql.php');
$webMaster = 'my@email.com';
$name = mysqli_real_escape_string($db_conx, $_POST["name"]);
$phone = mysqli_real_escape_string($db_conx, $_POST["phone"]);
$email = mysqli_real_escape_string($db_conx, $_POST["email"]);
$message = mysqli_real_escape_string($db_conx, $_POST["message"]);
$emailSubject = 'Contact Form Submission';
$body = <<<EOD
Name: $name
Email: $email
Phone: $phone
Message:
$message
EOD;
$headers = "From: $email
";
$success = mail($webMaster, $emailSubject, $body, $headers);
header('Location: ../thankyou.html');
?>
This all works as expected, and I am satisfied with the escape strings for now. The form catches non-emails, and the CAPTCHA works every time. But some clown just sent me 128 SIMULTANEOUS form submissions, and I am wondering how this individual did it.
Every field was filled out "9999.9". When I try it, I get errors for the name, phone number and email. I can't even submit the form with that data. Even if I could, I would only be able to send it once because of the CAPTCHA (PHP).
The only hole I can see, and it IS a hole (just tried it), is to type in the URL of the external script directly. So, a bad guy could write his own script, assign the variables (to POST) and then call my contact function 128 times.
While I'm working on righting that wrong, are there any other obvious gaping holes that someone could use for multiple form submissions like that, while bypassing the CAPTCHA (which is PHP)? Obviously just turn off JS to get around the validation.
I can post more code if needed, but just assume the JS is turned off, leaving only the PHP CAPTCHA check - which has nothing to do with the actual submission of the form, and changes on BOTH "back" and "reload" operations.
Thanks in advance.
CAPTCHA CODE
Captcha.php
<?php
session_start();
$rand = md5(rand(0,999));
$value = substr($rand, 10, 5);
$_SESSION['cap_key'] = $value;
... do some drawing stuff to make the CAPCHA, which is an IMAGE and cannot be read without some fancy character-recogntion code...
?>
Within the contact form file (called when form submitted)
<?php
session_start();
if ($_POST['submit'])
{
if ($_POST['captcha'] == $_SESSION['cap_key']) // Success
{
include('scripts/contact.php');
}else if($cap != 'Eq') // If wrong captcha entered
{
... reload page after sanitizing the inputs...
}
}
?>
But like I said, the CAPTCHA changes every reload of the page.
Thanks again.