Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Captcha - ReCaptcha for ecards - easy spambot protection mod., visual confirm  (Read 11861 times)

0 Members and 1 Guest are viewing this topic.

Joe Carver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1503
  • aka 'i-imagine'
    • Home Page

SEE REPLY #3 BELOW FOR THE LATEST REVISIONS
For Plugin version click here


This one is easy, instructions are below and attached in the .zip file.

The mod will add a captcha (Recaptcha) visual confirmation to the ecard function.
It preserves the preview function and is now running on my two cpg galleries.

      http://i-imagine.net/artists/index.php  (a public user's gallery)
      http://gallery.josephcarver.com/natural/index.php (my photo gallery)

(ver. 1.4.2 with cpmfetch,  sef urls, remove_modify)

The mod. should prevent bots from using ecards Users have to match two obscured words.
_______________________

   FUNCTION: TO ADD CAPTCHA - RECAPTCHA PROTECTION TO ECARDS - STOP SPAMMERS -
   INSTRUCTION:
     1) Get keys and files from recaptcha.net
       - public and private keys for your site(s)/domains - it's free
       - recaptchalib.php
     2) Modify the included file  ecard.php  
       - around line 208 put your private recaptcha key between the quotes
       - around lines 351 and 355 put your public recaptcha key between the <   >'s
     3) Upload files    captcha_errmssg.php and recaptchalib.php  to your cpg root
     4) Upload the new modified ecard.php after backing up original
     5) Your ecards are now captcha protected from spambots
_____

All of the cpg files needed are in the .zip. You will need to get your own keys and make sure they work
with your domain. Practice is easy. I can say that because I really don't know code.

Read the readme.

This is a small way to say thanks to the developers and the board.
I have had no need to ask for support so far. Searching has been good
for me. (and yes, I despise spammers too)

i-imagine

For Comments captcha see this post: http://forum.coppermine-gallery.net/index.php/topic,58757.0.html


« Last Edit: September 06, 2009, 05:59:12 pm by i-imagine »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de

Thanks for your readiness to share. However, I have some remarks:
(ver. 1.4.2 with cpmfetch,  sef urls, remove_modify)
Running such an ancient version is not an option, as it would mean that you've missed 19 maintenance releases - most recent version currently is cpg1.4.21. All versions prior cpg1.4.21 contain serious security flaws and must be upgraded instantly. Side-note: in case that you meant "cpg1.4.20" (that's what you use on http://gallery.josephcarver.com/natural/index.php): cpg1.4.20 is the version that came after cpg1.4.19 and before cpg1.4.21. The last number after the dot is being counted upwards. The versions cpg1.4.2 and cpg1.4.20 are not the same, but entirely different animals.
However, mods should work with all minor releases, so your mod should work with all cpg1.4.x releases.
Anyway, we're not fond of mods that contain pre-modded files. We prefer instructions like
Quote
edit filename.php, find foo and replace with bar
Then find
Code: [Select]
blaand insert after it
Code: [Select]
whatever
Only genuine mod files that don't exist in coppermine's core should be added as separate files to a mod zip attachment.
Logged

Joe Carver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1503
  • aka 'i-imagine'
    • Home Page

Hello,
Apologies for my terrible typing and descriptions of my gallery's Coppermine version.
I did make more than one error - the gallery version is actually cpg1.4.20  Also
I have applied the changes (but not yet the complete upgrade) against the milw0rm exploits.
It was interesting to see the bb coded links already on the galleries disappear....

For the future posts I will now also make changes in what I upload to the board.
That zip previously attached will be pared down and resent too.

This Captcha/Recaptcha system seems to work with Registration too.
It is now on here: http://gallery.josephcarver.com/natural/ for temporary testing
and  here http://i-imagine.net/artists/index.php for permanent use
however I need to test it a little more before posting the changes (maybe later today).

Thanks for the input.
i-imagine
(and yes, my typo errors extend to this post too http://forum.coppermine-gallery.net/index.php/topic,58757.0.html where I have left a noscript tag open......it will also be corrected)



« Last Edit: March 29, 2009, 03:58:32 pm by i-imagine »
Logged

Joe Carver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1503
  • aka 'i-imagine'
    • Home Page

AJAX is used to deliver a visual confirmation - reCAPTCHA - for a user to enter before submitting an ecard. This will stop automated bots from sending ecards from your gallery.

The mod. will reverse the code for ecard preview and send. This way the user will not have to solve the captcha to see the ecard preview. Because of this the main code mod. is quite large, but is done with one change.

To use ReCAPTCHA you need you need a public/private API key pair from recaptcha.net [it is a free service]. To see how this works - check this link  http://recaptcha.net/apidocs/captcha/client.html .

    Step 1

      Step 2
      • Modify file template.html
      • Modify file ecard.php

      Quote
      Insert this into the <head> of your template.html file  [/list][/list]
      Code: [Select]
      <script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>

      Quote
      In file ecard.php find the section that starts and ends as shown here
      Code: [Select]
      if (isset($_POST['submit'])) {

      ....CODE
      ....CODE
      ....CODE

      }//preview

      Quote
      Replace everything with this - insert your PRIVATE KEY where shown
      Code: [Select]
      // mod here to reverse preview and post
      if (isset($_POST['preview'])) {

          if ($CONFIG['make_intermediate'] && max($row['pwidth'], $row['pheight']) > $CONFIG['picture_width']) {
              $n_picname = get_pic_url($row, 'normal');
          } else {
              $n_picname = get_pic_url($row, 'fullsize');
          }
          if (!stristr($n_picname, 'http:')) $n_picname = $gallery_url_prefix . $n_picname;
          $msg_content = process_smilies($message, $gallery_url_prefix);
          $data = array(
              'sn' => $_POST['sender_name'],
              'se' => $sender_email,
              'p' => $n_picname,
              'g' => $greetings,
              'm' => $message,
              'pid' => $pid,
              'pt' => $pic_title,
              'pc' => $pic_caption,
              );

          $encoded_data = urlencode(base64_encode(serialize($data)));
          
          $params = array('{LANG_DIR}' => $lang_text_dir,
              '{TITLE}' => sprintf($lang_ecard_php['ecard_title'], $sender_name),
              '{CHARSET}' => $CONFIG['charset'] == 'language file' ? $lang_charset : $CONFIG['charset'],
              '{VIEW_ECARD_TGT}' => "{$gallery_url_prefix}displayecard.php?data=$encoded_data",
              '{VIEW_ECARD_LNK}' => $lang_ecard_php['preview_view_ecard'],
              '{PIC_URL}' => $n_picname,
              '{URL_PREFIX}' => $gallery_url_prefix,
              '{GREETINGS}' => $greetings,
              '{MESSAGE}' => bb_decode($msg_content),
              '{SENDER_EMAIL}' => $sender_email,
              '{SENDER_NAME}' => $sender_name,
              '{VIEW_MORE_TGT}' => $CONFIG['ecards_more_pic_target'],
              '{VIEW_MORE_LNK}' => $lang_ecard_php['view_more_pics'],
              '{PID}' => $pid,
              '{PIC_TITLE}' => $pic_title,
              '{PIC_CAPTION}' => $pic_caption,
              );

         $eccontent = template_eval($template_ecard, $params);
         if (preg_match('#<body[^>]*>(.*)</body>#s', $eccontent, $matches)) {
             $eccontent = $matches[1];
         }
         starttable('100%', $lang_ecard_php['preview']);
         echo '<tr><td>';
         echo $eccontent;
         echo '</td></tr>';
         endtable();
         echo '<br />';
      }//preview

      elseif (isset($_POST['submit'])) {

      require_once('recaptchalib.php');    
      $privatekey = "YOUR_PRIVATE_RECAPTCHA_KEY_BETWEEN_THESE_QUOTES";
      $resp = recaptcha_check_answer ($privatekey,
      $_SERVER["REMOTE_ADDR"],
      $_POST["recaptcha_challenge_field"],
      $_POST["recaptcha_response_field"]);
      if (!$resp->is_valid) {
      cpg_die(CRITICAL_ERROR, 'Sorry, Captcha Error - Go Back and Try Again');
      }

      // Create and send the e-card
      if (count($_POST) > 0 && $valid_sender_email && $valid_recipient_email) {
          $gallery_url_prefix = $CONFIG['ecards_more_pic_target']. (substr($CONFIG['ecards_more_pic_target'], -1) == '/'

      ? '' : '/');
          if ($CONFIG['make_intermediate'] && max($row['pwidth'], $row['pheight']) > $CONFIG['picture_width']) {
              $n_picname = get_pic_url($row, 'normal');
          } else {
              $n_picname = get_pic_url($row, 'fullsize');
          }

          if (!stristr($n_picname, 'http:')) $n_picname = $gallery_url_prefix . $n_picname;

          $msg_content = process_smilies($message, $gallery_url_prefix);

          $data = array('rn' => $_POST['recipient_name'],
              'sn' => $_POST['sender_name'],
              'se' => $sender_email,
              'p' => $n_picname,
              'g' => $greetings,
              'm' => $message,
              'pid' => $pid,
              'pt' => $pic_title,
              'pc' => $pic_caption,
              );

          $encoded_data = urlencode(base64_encode(serialize($data)));

          $params = array('{LANG_DIR}' => $lang_text_dir,
              '{TITLE}' => sprintf($lang_ecard_php['ecard_title'], $sender_name),
              '{CHARSET}' => $CONFIG['charset'] == 'language file' ? $lang_charset : $CONFIG['charset'],
              '{VIEW_ECARD_TGT}' => "{$gallery_url_prefix}displayecard.php?data=$encoded_data",
              '{VIEW_ECARD_LNK}' => $lang_ecard_php['view_ecard'],
              '{VIEW_ECARD_LNK_PLAINTEXT}' => $lang_ecard_php['view_ecard_plaintext'],
              '{PIC_URL}' => $n_picname,
              '{URL_PREFIX}' => $gallery_url_prefix,
              '{GREETINGS}' => $greetings,
              '{MESSAGE}' => bb_decode($msg_content),
              '{PLAINTEXT_MESSAGE}' => $message,
              '{SENDER_EMAIL}' => $sender_email,
              '{SENDER_NAME}' => $sender_name,
              '{VIEW_MORE_TGT}' => $CONFIG['ecards_more_pic_target'],
              '{VIEW_MORE_LNK}' => $lang_ecard_php['view_more_pics'],
              '{PID}' => $pid,
              '{PIC_TITLE}' => $pic_title,
              '{PIC_CAPTION}' => $pic_caption,
              );



                                      $message = template_eval($template_ecard, $params);
                                      $plaintext_message = template_eval($template_ecard_plaintext, $params);

              $tempTime = time();
              $message .= sprintf($lang_ecard_php['ecards_footer'], $sender_name, $_SERVER['REMOTE_ADDR'],

      localised_date(-1,$comment_date_fmt));
                                      $subject = sprintf($lang_ecard_php['ecard_title'], $sender_name);

                                      $result = cpg_mail($recipient_email, $subject, $message, 'text/html',

      $sender_name, $sender_email, $plaintext_message);

              //write ecard log
              if ($CONFIG['log_ecards'] == 1) {
                $result_log = cpg_db_query("INSERT INTO {$CONFIG['TABLE_ECARDS']} (sender_name, sender_email,

      recipient_name, recipient_email, link, date, sender_ip) VALUES ('$sender_name', '$sender_email',

      '$recipient_name', '$recipient_email',   '$encoded_data', '$tempTime', '{$_SERVER["REMOTE_ADDR"]}')");
                }

          if (!USER_ID) {
              $USER['name'] = $sender_name;
              $USER['email'] = $sender_email;
          }

          if ($result) {
              //pageheader($lang_ecard_php['title']);
              msg_box($lang_cpg_die[INFORMATION], $lang_ecard_php['send_success'], $lang_continue,

      "displayimage.php?album=$album&amp;pos=$pos");
                                      echo '<br />';
                                      starttable('100%', $lang_ecard_php['preview']);
                                      echo '<tr><td>';
                                      echo template_eval($template_ecard, $params);
                                      echo '</td></tr>';
                                      endtable();
              pagefooter();
              ob_end_flush();
              exit;
          } else {
              cpg_die(ERROR, $lang_ecard_php['send_failed'], __FILE__, __LINE__);
          }
              }
      }//submit

      Quote
      In file ecard.php find this
      Code: [Select]
      &nbsp;&nbsp;
                              <input type="submit" class="button" name="submit" title="{$lang_ecard_php['submit_button']}"  value="{$lang_ecard_php['submit_button']}" />
                      </td>
              </tr>

      Quote
      Replace it with this - Insert your PUBLIC reCAPTCHA key where shown
      Code: [Select]
      </td></tr><tr>

                      <td colspan="3" align="center" class="tablef"><div><br></div>

      <script>
      function showRecaptcha(element, submitButton, themeName) {
        Recaptcha.create("INSERT YOUR PUBLIC RECAPTCHA KEY BETWEEN THESE QUOTES", element, {
              theme: 'white',
              tabindex: 0,
              callback: Recaptcha.focus_response_field
        });
        hideSubmitButtons();
        document.getElementById(submitButton).style.visibility = "visible";
      }

      function hideSubmitButtons() {
        document.getElementById('submit_button_1').style.visibility = "hidden";
        
      }

      function destroyRecaptchaWidget() {
        hideSubmitButtons();
        Recaptcha.destroy();
      }

      </script>

      <form method="post" action="">

      <p>

      <input type="button" class="button"  value="Click here - type the words - click submit"  

      onclick="showRecaptcha('dynamic_recaptcha_1', 'submit_button_1', 'red');"></input>
      <div id="dynamic_recaptcha_1"></div>

      <input type="submit"  style="visibility: hidden" id="submit_button_1" class="button" name="submit"

      title="{$lang_ecard_php['submit_button']}" value="{$lang_ecard_php['submit_button']}" /></input>

      <div><br></div>
                                  
      <input type="button" class="comment_button" value="Hide the reCAPTCHA widget"  

      onclick="destroyRecaptchaWidget();"></input>

      <br><br>
                      </td>
              </tr>
       

      Upload and you are done. To uninstall - replace ecard.php with a clean copy.

      This style hides the captcha until the user clicks a button. Other styles and language options can be used.

      Testing for your key and validation response can be done by the "hello world" example found on this link here

      I am now running this mod. on my personal photo gallery   with absolutely no spam.
      « Last Edit: June 12, 2009, 04:38:39 pm by i-imagine »
      Logged

      zeppo

      • Coppermine newbie
      • Offline Offline
      • Posts: 17
        • Environmental Cartoons

      Hi Joe,

      Thank you for this great mod. The ecard.php -file has changed a bit with the update to 1.5.12 so it is a bit tricky to find the right places for the modified code.

      Does your mod work also with the current versio?
      Logged

      Joe Carver

      • Dev Team member
      • Coppermine addict
      • ****
      • Country: us
      • Offline Offline
      • Gender: Male
      • Posts: 1503
      • aka 'i-imagine'
        • Home Page

      No it would not work without modification to $GET to Supercage GET and would need some other modifications too.

      I don't have the time to look into it, but it should not be very difficult to do.
      Please post in the cpg 1.5.x boards next time as 1.4.x is no longer supported.

      zeppo

      • Coppermine newbie
      • Offline Offline
      • Posts: 17
        • Environmental Cartoons

      Thanks for a swift reply. Will do that. Looking forward to see 1.5 update for this nice mod some day. =:)
      Logged

      jerrykemic99

      • Coppermine newbie
      • Offline Offline
      • Posts: 4

      Thanks for your information about  ReCaptcha for ecards - easy spambot protection mod and i will be happy if you write in details about it.
      Logged
       *Link Removed*
       *Link Removed*
       *Link Removed*
      Pages: [1]   Go Up
       

      Page created in 0.167 seconds with 22 queries.