Javascript Captcha_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-04-07 19:51 出处：网络

I found this great little code online but it doesn\'t seem to be comparing the two strings after removing the spaces correctly? I know some js but whatever wrong here is beyond my understanding. Hopef

I found this great little code online but it doesn't seem to be comparing the two strings after removing the spaces correctly? I know some js but whatever wrong here is beyond my understanding. Hopefully someone will know the answer to this.

Note: it seems to also validate based on the number of chs and not what those chs are, the numbers dont seem to need to match up, just so long as there's enough of them.

Org code was done by "mama21mama" from "http://osticket.com/forums/showthread.php?t=6489&highlight=captcha"

I have made some small personal modifications to try to fix it, below is my vr.

<script type="text/javascript">
    function DrawCaptcha() {
        var a = Math.ceil(Math.random() * 9)+ '';
        var b = Math.ceil(Math.random(开发者_开发技巧) * 9)+ '';       
        var c = Math.ceil(Math.random() * 9)+ '';  
        var d = Math.ceil(Math.random() * 9)+ '';  
        var e = Math.ceil(Math.random() * 9)+ '';  
        var f = Math.ceil(Math.random() * 9)+ '';  
        var g = '10';  
        var code = a + ' ' + b + ' ' + ' ' + c + ' ' + d + ' ' + e + ' '+ f + ' ' + g;
        document.getElementById("txtCaptcha").value = code
    }
    function ValidCaptcha() { // valida los numeros ingresados
        var str1 = removeSpaces(document.getElementById('txtCaptcha').value);
        var str2 = removeSpaces(document.getElementById('txtInput').value);
        if (str1 == str2){
            return true; } 
        else {
            return false; } 
    }
    function removeSpaces(string) { 
        return string.split(' ').join('');
    } 
    </script>

Do not use this code. It does nothing to increase security.

In order for a captcha to be effective, the answer to the captcha must be a secret known only by the server. A client-side script cannot implement a captcha because the client code would necessarily know the answer.

This script does nothing to secure your sever against a malicious attack. All the JavaScript in the world doesn't prevent an attacker from writing a script that POSTs a fake form to your server. Since the captcha validation happens on the client, your sever is clueless as to whether the request is legitimately generated by a human.

This captcha also misses the point by rendering the challenge as plain text. Any script could read the challenge from the DOM and provide the correct answer.

This script is useless if a browser has JavaScript disabled. This script is useless if I type ValidCaptcha = function() { return true; } in the console.

Instead of trying to roll your own, use reCAPTCHA. It is free, has an easy API, and has built-in accomodations for blind users.