Let's first analyze the process of issuing and checking a verification code (CAPTCHA):
1. Display the form.
2. Display the verification code image (a separate program generates the code), then hash or encrypt the code and store it in the session or a cookie.
3. The user submits the form.
4. Check that the verification code is correct and the submitted data is valid, then write it to the database. Done.
If the user posts again, under normal circumstances he visits the form page again, the verification code image is regenerated as a side effect, and the value in the session or cookie changes with it.
A flooding bot, however, does not need the form page at all. It can simulate the POST and send data straight to the server-side handler, so the program that generates the verification code is never called. The encrypted code stored in the session or cookie therefore keeps its last value and is never updated: once the bot has obtained one valid code (together with the matching session cookie), it can replay the same POST an unlimited number of times and never look at a verification code again. The verification code is useless!
So: after checking the verification code, first clear the value in the session or cookie, then validate the data, and only then store it in the database!
In this way, a loophole has been closed!
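The replay described above, as an added example that is not part of the original page: a small Python model of the session store, the image-generating script, a handler that checks the code but never clears it, the handler with the clearing line, and a bot that loads the form once and then replays the same POST. It goes slightly beyond the page's own snippet in one respect, marked in the code: the fixed handler clears the stored code on a failed check as well, so a bot cannot brute-force a single code across many attempts. The hashing is the page's MD5 of the plaintext code; the constant-time comparison, the function names and the constructed sample POST are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import string

# The session store is modelled as a plain dict standing in for PHP's $_SESSION.
# All names and data below are constructed for this example.


def issue_code(session: dict, length: int = 4) -> str:
    """Model of the image-generating script: create a code, store its MD5 in the
    session (as the page does) and return the plaintext that the image would show."""
    alphabet = string.ascii_uppercase + string.digits
    code = "".join(secrets.choice(alphabet) for _ in range(length))
    session["vcode"] = hashlib.md5(code.encode()).hexdigest()
    return code


def check_code(session: dict, submitted: str) -> bool:
    """Compare the hash of the submitted code with the stored hash.
    An empty or missing stored value never matches, so a cleared code is dead."""
    stored = session.get("vcode") or ""
    if not stored:
        return False
    digest = hashlib.md5(submitted.encode()).hexdigest()
    # Constant-time compare (assumption of this example; the page uses PHP's ==).
    return hmac.compare_digest(digest, stored)


def vulnerable_handler(session: dict, post: dict) -> bool:
    """The flawed form handler: checks the code but never clears it,
    so the last stored value stays valid for every later POST."""
    return check_code(session, post.get("vcode", ""))


def fixed_handler(session: dict, post: dict) -> bool:
    """The hardened handler: the stored code is cleared immediately after the
    check, so every code is single-use. Clearing on failure too goes beyond the
    page's snippet and stops a bot from guessing one code across many attempts."""
    ok = check_code(session, post.get("vcode", ""))
    session["vcode"] = ""  # the line the page calls 'very important'
    return ok


def flood(handler, attempts: int) -> int:
    """Model of the flooding bot: visit the form page once, read the code once,
    then replay the identical POST `attempts` times without reloading the form.
    Returns how many of those POSTs the handler accepted."""
    session = {}
    code = issue_code(session)  # the single visit to the form page
    post = {"vcode": code, "content": "constructed spam payload"}
    return sum(1 for _ in range(attempts) if handler(session, post))


if __name__ == "__main__":
    print("vulnerable handler accepted:", flood(vulnerable_handler, 10), "of 10")
    print("fixed handler accepted:     ", flood(fixed_handler, 10), "of 10")
```

Running the block shows the whole problem in two numbers: the vulnerable handler accepts all ten replays of one solved code, the fixed handler accepts exactly the first.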
The form-handling program
<?php
session_start();
// Compare the hash of the submitted code with the hash stored when the image was
// generated. Strict comparison avoids PHP's loose string-to-number coercion, and a
// missing or already-cleared value can never match.
if ( isset($_SESSION['vcode'], $_POST['vcode']) && $_SESSION['vcode'] !== ''
     && md5($_POST['vcode']) === $_SESSION['vcode'] ) {
    $_SESSION['vcode'] = ''; // This line is very important: the code is now single-use
} else {
    exit('The verification code is incorrect!');
}
// Next processing: validate the data, then write it to the database
......
?>
The program that generates the verification code image
<?php
session_start();
......
// authcode is the page's own image-generating class; its definition is not shown here.
$v = new authcode();
$vcode = $v->getauthcode();        // the plaintext code drawn into the image
$_SESSION['vcode'] = md5($vcode);  // store only the hash; a fresh value is written on every call
........
?>
Form page
How the verification code is bypassed