
Sometimes, the results of getPhrase and inline are partly inconsistent

Open ZhangChengLin opened this issue 4 years ago • 7 comments

Why are the characters from getPhrase() and the characters in inline() sometimes inconsistent? Not all of them are wrong, but the case of one of the letters is inconsistent.

E.g.: the base64 image from inline() is processed in the browser, and the result displayed is YF7B, but the result of getPhrase() is Yf7B.

Why? Is it a browser issue or a code design issue?

ZhangChengLin avatar Apr 26 '20 13:04 ZhangChengLin

Maybe it is because of one of the fonts used here. Actually, I recommend you don't check the user phrase using a case-sensitive method. The same tolerance can apply for 0/O and 1/l.

See: https://github.com/Gregwar/Captcha/blob/master/src/Gregwar/Captcha/PhraseBuilder.php#L71

Gregwar avatar Apr 26 '20 15:04 Gregwar

> Maybe it is because of one of the fonts used here. Actually, I recommend you don't check the user phrase using a case-sensitive method. The same tolerance can apply for 0/O and 1/l.

I want to use a session cookie on the client, and then compare the hash value of the verification code. Rest assured, the server will still compare again; it is just that when the normal client checks, there is one less connection request. So I have to know in advance what exactly it is, and there is a case where the letter case is not absolutely consistent.

ZhangChengLin avatar Apr 26 '20 15:04 ZhangChengLin

In that case just call doNiceize() before you hash, in both the generating and the checking process, and it will result in the same hash.

However, check the possible combinations: if you have 5 characters, 36^5 is around 60M, so it is not really hard to brute force this hash.

Gregwar avatar Apr 26 '20 22:04 Gregwar

> In that case just call doNiceize() before you hash, in both the generating and the checking process, and it will result in the same hash.
>
> However, check the possible combinations: if you have 5 characters, 36^5 is around 60M, so it is not really hard to brute force this hash.

In this way, can the correct capitalization of the letters be displayed in the picture?

The client enters five letters, the same md5 processing is performed on the client, and then the string values are compared. As for the number of characters you mention, if you say it is too few, then execute it 1000 times? Is that okay?

ZhangChengLin avatar Apr 27 '20 00:04 ZhangChengLin

Actually, injecting a secret salt before hashing is also a solution

```php
<?php
$salt = 'SomethingSecret';      // kept server-side, never sent to the client
$hash = sha1($salt.$phrase);    // $phrase is the captcha phrase (run doNiceize() on it first)
```

Gregwar avatar Apr 27 '20 07:04 Gregwar
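To make the trade-off in these two replies concrete, here is an added example (not code from Gregwar/Captcha): it folds a phrase the way the thread suggests (case-insensitive, 0/O and 1/l tolerant), shows that a plain hash of a short folded phrase is recovered by exhaustive search, and shows the keyed hash a server would use instead. foldPhrase(), weakHash(), keyedHash(), bruteForce() and the reduced alphabet are my own assumptions standing in for doNiceize(), not the library's API.

```php
<?php
// Added example, not part of Gregwar/Captcha. The folding rule below is an
// assumption that mirrors the thread's advice; doNiceize() has its own mapping.

// Fold the phrase so "Yf7B" and "YF7B" (and 0/O, 1/l) hash the same.
function foldPhrase(string $phrase): string {
    return strtr(strtolower($phrase), ['o' => '0', 'l' => '1']);
}

// Unkeyed hash: what the client-side comparison in the thread would expose.
function weakHash(string $phrase): string {
    return sha1(foldPhrase($phrase));
}

// Keyed hash: $secret stays on the server, so the phrase space size no longer
// matters to whoever holds the hash (same idea as the salt in the reply above).
function keyedHash(string $phrase, string $secret): string {
    return hash_hmac('sha256', foldPhrase($phrase), $secret);
}

// Exhaustive search over the folded alphabet. Returns the folded phrase whose
// sha1 matches $targetHash, or null. Run only on a short length for the demo.
function bruteForce(string $targetHash, int $length, string $alphabet): ?string {
    $n = strlen($alphabet);
    $total = $n ** $length;
    for ($i = 0; $i < $total; $i++) {
        $candidate = '';
        $x = $i;
        for ($p = 0; $p < $length; $p++) {   // write $i in base $n
            $candidate .= $alphabet[$x % $n];
            $x = intdiv($x, $n);
        }
        if (hash_equals($targetHash, sha1($candidate))) {
            return $candidate;
        }
    }
    return null;
}

// After folding, 'l' and 'o' collapse into '1' and '0': 34 symbols remain,
// so a 5-character phrase has 34^5 = 45,435,424 candidates (even fewer than 36^5).
$alphabet = '0123456789abcdefghijkmnpqrstuvwxyz';
printf("folded 5-char space: %d candidates\n", strlen($alphabet) ** 5);

$phrase = 'Yf7';                          // constructed sample, shortened for speed
$target = weakHash($phrase);
printf("recovered from weak hash: %s\n", bruteForce($target, 3, $alphabet)); // yf7
printf("keyed hash: %s\n", keyedHash($phrase, 'server-only-secret'));
```

With the keyed version the client can still be handed a hash for a quick local check, but cannot enumerate the folded phrase space offline without the server's secret.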

> Actually, injecting a secret salt before hashing is also a solution
>
> ```php
> <?php
> $salt = 'SomethingSecret';
> $hash = sha1($salt.$phrase);
> ```

Off topic: how can I ensure that the case of the characters in the picture is consistent with the phrase?

ZhangChengLin avatar Apr 28 '20 00:04 ZhangChengLin

(four image attachments, not rendered)

ZhangChengLin avatar Apr 28 '20 00:04 ZhangChengLin