CAPTCHA security validation

Does the validation functionality for CAPTCHA security actually analyze a user's input and crosscheck with the CAPTCHA graphic for accuracy (and also checks the Security Question's answer) or is it simply looking for any type of human input?

Long story short (sort of), I had a simple contact form built with Form Builder 1 for a client's site. It worked perfectly on my testing server and on my client's remote server. Upon hitting the Submit button you were taken to a Thank You page and my client received the HTML email with the user's contact info that was submitted. All working flawlessly. I'm pretty positive that the CAPTCHA's validation gave me a warning when the user's input did not match what was required. Just recently, coincidentally after upgrading to Form Builder 2, my form is suddenly not working in various ways. For instance, I'm seeing the ‘failure error’ in the URL bar after form submission, and no matter what I type into the CAPTCHA fields, it always validates - even intentional, incorrect answers. However, the validation does work properly for name, company, and email fields - you get the expected warnings - in my case, a red message.

So then I built an experimental form from scratch using Form Builder 2 with CAPTCHA and am getting the same bad results as stated above. But, after stripping out all security validation, I finally get the form to submit properly and result in the Thank You page and HTML email. Every form with security validation I now build has absolutely no arguments with the security answers I submit, no matter how incorrect they are, AND I can't get the form to result in a Thank You confirmation page and HTML email. Same failure error in URL bar.

I've checked the server behaviors, and at one point I had a dupe Universal Email behavior, but nothing else seems out of sorts. I've even pulled archived form files from Time Machine (Mac OSX user here) from a time when my client's form was definitely functioning properly, but still the same bad results occur. I've also reinstalled FB2 and tossed the file that's mentioned in other threads when extensions aren't working properly. I'm at a loss. I can post some files when I'm back in my home office, but in the meantime, I'm really curious about an answer to my question in the first paragraph.

Really sorry for the long-winded post. My setup includes Mac, Snow Leopard (latest build), Dreamweaver CS5.

Thanks to all who can help.

It does an actual text comparison to find a match with the CAPTCHA and security question.

However, that validation takes place on the server and not in client side code, for security reasons the answer never appears on the page even in script.

You should see a "Server Validation" server behavior on the form action page before the Universal email. It sounds like server validation isn't working properly, so I'd like to see a sample page that doesn't work to analyze what is going wrong.

Thanks, Ray. I appreciate the quick response.

Both, the contact forms I built for my client and the quick experimental one (zipped files attached) are showing perfectly working server validation on my test server, but NOT on each respective remote server. Keep getting the ‘?invalid=true’ message in URL bar. Two different hosting companies apply here for each form I'm playing with, and both are subscribed to php hosting plans.

Ray,

Attached is the source code for my Client's contact page as well as the Experiment form I'm referencing in the previous post. The client form was created with FB 1 so the Universal Email functionality was added separately afterwards. The Experiment form was created with FB 2. I noticed up top in my Client form source code that there are two references made to the same php file ‘WAVT_Scripts_PHP.php.’ - not sure if that has any bearing on the issue I'm having. And when comparing the two source code blocks, I see the invalid redirect is handled differently - I assume that's a difference between the two versions of FB?

Thanks again.

The code in both of these files appears correct.


the first thing I would like to test is the servers session management.

Download the sessionTest.php file from the following thread and upload it to your server to test session management:
showpost.php?p=23826&postcount=2



If the session test checks OK, find the following code in your page:

if ($WAFV_Errors != "")  {

    PostResult($WAFV_Redirect,$WAFV_Errors,"contact");

  }

and change it to:

if ($WAFV_Errors != "")  {

    die($WAFV_Errors);

    PostResult($WAFV_Redirect,$WAFV_Errors,"contact");

  }

this will help us pinpoint exactly which validation is failing to troubleshoot further.

Jason,

I believe the session test checked out OK. I saw the code you first reference and replaced it with the second block you've included. It's now uploaded.

the session test is failing.

when you click the first link on the session test page, it sets the session variable:
Session Test = test


when you click the second link, this should not change, but it does, it changes to:
Session Test = NULL


This means that the servers session management is not functioning. you will need to contact them to have the problem corrected.


Most likely, it is an issue with the session.save_path setting in the php.ini file, but the host will need to look into the issue to determine the cause.

I see what you're referring to on the live sessionTest.php page. I also uploaded it to the server hosting my experiment form and am getting the same NULL result from the sessionTest. What are the odds that the same problem is occurring at the same exact time with two different hosting companies?

sessionTest.php

sessionTest.php

it's not at all unheard of. but it may not be exactly the same cause in both cases, you will need to contact the host to have them correct the problem.

alright… thanks for all your help.