JimmY_BL Posted November 13, 2010 Share Posted November 13, 2010 Hi guys, i found simple php script which allow all visitors of my web site to create free email address thru my webmail service (like yahoo,hotmail,gmail,etc) and it works great, but in last month stupid bots created lots of funny user accounts and sending SPAM emails Signup script is one file (signup.php) doing all the stuff i need (registration form,lost passwords form,etc). Now i want to put captcha code into signup.php to have captcha image cheking to prevent bots from creating more user accounts ... i`m not a php programer but i know how to change some things, but not all Signup scripts is free, so i will post it here that you can help me with this (it does not have my mysql and other information,because of security issue) - i will be happy if some of you guys put all the code i need for captcha to work with signup.php script Here is the signup.php script: <?php // HMailServer New user signup Script Configuration $dbhost = "localhost"; // host of the MySQL database $dbuser = "root"; // Database username $dbpassword = ""; // Your database password $dbname = "hmail"; // the name of the database that has the hmailserver tables $webmailurl = "http://www.yurdomainname.com/webmail/login.php"; // The url to login in the webbased mail system $quota = "50"; // The mailbox free space if (strlen($_POST["pas1"]) <= 4 && IsSet($_POST["pas1"])) { $error .= "<centeR>Error: Your password must be longer than 4 characters</center>"; } else if ($_POST["pas1"] == "12345" && IsSet($_POST["pas1"])) { $error .= "<centeR>Error: Too simple password</center>"; } // Get the action if (IsSet($_POST["action"])) { $action = $_POST["action"]; } else { $action = $_GET["action"]; } // A function to check addresses, probably i will have to use it later. function normalmail($visitormail) { if(!$visitormail == "" && (!strstr($visitormail,"@") || !strstr($visitormail,"."))) { return FALSE; } else { return TRUE; } } // If there is no action, open the page for a new registration if (!IsSet($action)) { // Load the domain names and their ids into a variable $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $result = mysql_query("SELECT * FROM hm_domains WHERE domainactive = '1' ", $db); $domains = "<select name=\"domain\">"; while ($row = mysql_fetch_array($result)) { $domainid = $row['domainid']; $domainname = $row['domainname']; $domains .= "\n<option value=\"$domainid\">$domainname</option>"; } $domains .= "\n</select>"; mysql_close(); echo " <center><b>Open a new E-Mail Account</b> <p> (*) fields are reguired.<br> <form action=\"\" name=\"registration\" method=\"post\"> <table border=\"0\"> <tr> <td>* Username: <td><input type=\"text\" name=\"username\">@<td>$domains<tr> <td>* First name: <td><input type=\"text\" name=\"firstname\"><td><tr> <td>* Last name: <td><input type=\"text\" name=\"lastname\"><td><tr> <td>* Password: <td><input type=\"password\" name=\"pas1\"><Td><tr> <td>* Password again: <td><input type=\"password\" name=\"pas2\"><Td><tr> <td>Old email Address: <td><input type=\"text\" name=\"oldmail\"><td>(in case you forgot your password)<tr> <td>* Secret question: <td><input type=\"text\" name=\"squestion\"><td><tr> <td>* Secret answere: <td><input type=\"text\" name=\"sanswere\"><td><tr> <td><td> <input type=\"hidden\" name=\"action\" value=\"register\"> <input type=\"Submit\" value=\"Signup\"><td><tr></td></tr></table></table> "; } else if ($action == "register") { // Load the variables from the posting $domainid = $_POST["domain"]; $username = $_POST["username"]; $pas1 = $_POST["pas1"]; $pas2 = $_POST["pas2"]; $firstname = $_POST["firstname"]; $lastname = $_POST["lastname"]; $squestion = $_POST["squestion"]; $sanswere = $_POST["sanswere"]; $oldmail = $_POST["oldmail"]; // Do all the checks if ($oldmail != NULL && normalmail($oldmail) == FALSE) { $error .= "Error: Please enter a valid email address\n<br>"; } if ($squestion == NULL) { $error .= "Error: You have to enter your secret question\n<br>"; } if ($sanswere == NULL) { $error .= "Error: You have to enter your secret aswere\n<br>"; } if ($username == NULL) { $error .= "Error: You have to enter your desired username\n<br>"; } if ($domainid == NULL) { $error .= "Error: You have to choose a domain\n<Br>"; } if ($pas1 == NULL) { $error .= "Error: You have to enter your password\n<Br>"; } if ($pas1 != $pas2) { $error .= "Error: Your passwords does not match\n<Br>"; } if ($firstname == NULL) { $error .= "Error: You have to enter your first name\n<Br>"; } if ($lastname == NULL) { $error .= "Error: You have to enter your last name\n<Br>"; } //Check if the user exists for that domain $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $result = mysql_query("SELECT * FROM hm_domains WHERE domainid = '$domainid' ", $db); $result = @mysql_fetch_array($result); $address = $username . "@" . $result['domainname']; $result = mysql_query("SELECT * FROM hm_accounts WHERE accountaddress = '$address' ", $db); $result = @mysql_fetch_array($result); if ($result['accountid'] != "") { $error .= "Error: The E-Mail address $address is already registered, please coose another username or domain\n<Br>"; mysql_close(); } if (IsSet($error)) { echo "<Center>Oops, There was some errors, please submit the form again<br>"; echo $error; } else { // Insert the new user infos into the database $passwd = md5($pas1); $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $query = "INSERT INTO hm_accounts (accountaddress, accountdomainid, accountadminlevel, accountpassword, accountactive, accountisad, accountmaxsize, accountpwencryption, accountvacationmessageon, accountoldaddress, accountfirstname, accountlastname, accountsecretque, accountsecretans) VALUES ('$address','$domainid','0','$passwd','1','0','$quota','2','0','$oldmail','$firstname','$lastname','$squestion','$sanswere')"; mysql_query($query) or die("Error: Can not query to the database"); mysql_close(); echo "<center><B>Completed!</b> <br><br> You have created an email account with us! you can use the E-Mail services eather by pop3/imap or by using the webmail system. <p>Please <A href=\"$webmailurl\">Login</a> to read or to send emails <p>Thank you $firstname $lastname for joining us"; } } else if ($action == "install") { $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); mysql_query("ALTER TABLE `hm_accounts` ADD `accountoldaddress` VARCHAR(50) NOT NULL"); mysql_query("ALTER TABLE `hm_accounts` ADD `accountfirstname` VARCHAR(50) NOT NULL"); mysql_query("ALTER TABLE `hm_accounts` ADD `accountlastname` VARCHAR(50) NOT NULL"); mysql_query("ALTER TABLE `hm_accounts` ADD `accountsecretque` VARCHAR(120) NOT NULL"); mysql_query("ALTER TABLE `hm_accounts` ADD `accountsecretans` VARCHAR(120) NOT NULL"); mysql_query("ALTER TABLE `hm_accounts` ADD `accounttmpverify` VARCHAR(120) NOT NULL"); mysql_close(); Echo "The script is istalled successfuly"; } // If the user forgot his password, this is the page to recover it. else if ($action == "forgotpass") { echo "<Center><b>Welcome to the password recovery page</b> <br><br> This page will help you to recover your lost password, if you had filled the oldmail at the registration time You will be able to recover it by using the oldmail method, else you will have to use the secret question method"; echo "<br><br><center> <table border=1 cellspacing=0 cellpadding=0> <tr><td><center>Old Email Method<tr><td> <form name=\"forgot\" action=\"\" method=\"post\"> <table border=0><tr><td> Old email<td><input type=\"text\" name=\"oldemail\"><tr> <td>Your email with us in form of (username@domain.tld) <td><input type=\"text\" name=\"current\"><tr> <input type=\"hidden\" name=\"action\" value=\"fpassoldemail\"> <td><td><input type=\"submit\" value=\"Send me Recovery code\"></tr></td> </form></td></tr></table></table> <center><p> <table border=1 cellspacing=0 cellpadding=0> <tr><td><center>Secret Question Method<tr><td> <form name=\"forgot\" action=\"\" method=\"post\"> <table border=0> <tr><td>Frist name<td><input type=\"text\" name=\"firstname\"><tr> <tr><td>Last name<td><input type=\"text\" name=\"lastname\"><tr> <td>Your email with us in form of (username@domain.tld) <td><input type=\"text\" name=\"current\"><tr> <input type=\"hidden\" name=\"action\" value=\"fpassgetquestion\"> <td><td><input type=\"submit\" value=\"Submit\"></tr></td> </form></td></tr></table></table></center>"; } // if the user submited data for the secret question method, // load the variables, and do the checks else if ($action == "fpassgetquestion") { $username = $_POST["current"]; $firstname = $_POST["firstname"]; $lastname = $_POST["lastname"]; if (normalmail($username) == FALSE) { $error .= "Error: Please enter a valid ID in form of email address\n<br>"; } if ($username == NULL) { $error .= "Error: You have to enter your current ID (in form of username@domain.ltd)\n<br>"; } if ($firstname == NULL) { $error .= "Error: You have to enter your first name\n<Br>"; } if ($lastname == NULL) { $error .= "Error: You have to enter your last name\n<Br>"; } if (IsSet($error)) { echo "<Center>Oops, There was some errors, please submit the form again<br>"; echo $error; //else do the rest of the checks } else { $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $result = mysql_query("SELECT * FROM hm_accounts WHERE accountaddress = '$username' ", $db); $result = @mysql_fetch_array($result); $questi = $result['accountsecretque']; echo "<center><b>Please answere your secret question: $questi </b>"; echo "<p><form name=\"forgot\" action=\"\" method=\"post\"> <table border=0> <input type=\"hidden\" value=\"$firstname\" name=\"firstname\"> <input type=\"hidden\" value=\"$lastname\" name=\"lastname\"> <input type=\"hidden\" value=\"$questi\" name=\"squestion\"> <input type=\"hidden\" value=\"$username\" name=\"current\"> <td>Answere: <td><input type=\"text\" name=\"sanswere\"><tr> <input type=\"hidden\" name=\"action\" value=\"fpassquestion\"> <td><td><input type=\"submit\" value=\"Submit\"></tr></td> </form></td></tr></table></table></center>"; } } else if ($action == "fpassquestion") { $username = $_POST["current"]; $firstname = $_POST["firstname"]; $lastname = $_POST["lastname"]; $squestion = $_POST["squestion"]; $sanswere = $_POST["sanswere"]; // Do all the checks if (normalmail($username) == FALSE) { $error .= "Error: Please enter a valid ID in form of email address\n<br>"; } if ($squestion == NULL) { $error .= "Error: You have to enter your secret question\n<br>"; } if ($sanswere == NULL) { $error .= "Error: You have to enter your secret aswere\n<br>"; } if ($username == NULL) { $error .= "Error: You have to enter your current ID (in form of username@domain.ltd)\n<br>"; } if ($firstname == NULL) { $error .= "Error: You have to enter your first name\n<Br>"; } if ($lastname == NULL) { $error .= "Error: You have to enter your last name\n<Br>"; } // If there was error, stop if (IsSet($error)) { echo "<Center>Oops, There was some errors, please submit the form again<br>"; echo $error; //else do the rest of the checks } else { $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $result = mysql_query("SELECT * FROM hm_accounts WHERE accountaddress = '$username' ", $db); $result = @mysql_fetch_array($result); // check if the information does match with the stored data if ( $result['accountlastname'] == NULL || $result['accountfirstname'] == NULL || $result['accountsecretque'] == NULL || $result['accountsecretans'] == NULL) { die("Error: Cant find infos in database for $username"); mysql_close(); } if (strtolower($result['accountlastname']) == strtolower($lastname) && strtolower($result['accountfirstname']) == strtolower($firstname) && strtolower($result['accountsecretque']) == strtolower($squestion) && strtolower($result['accountsecretans']) == strtolower($sanswere)) { echo "<b><center>Your info does match, please enter a new password for $username bellow</b>"; echo "<p><br><center> <table><tr><td> <center>Change password for $username<tr><Td> <center><table> <form name=\"forgot\" action=\"\" method=\"post\"> <tr><Td>Enter new password<td><input type=\"password\" name=\"pas1\"><Tr> <Td>Verify password<td><input type=\"password\" name=\"pas2\"><Tr> <input type=\"hidden\" value=\"$firstname\" name=\"firstname\"> <input type=\"hidden\" value=\"$lastname\" name=\"lastname\"> <input type=\"hidden\" value=\"$squestion\" name=\"squestion\"> <input type=\"hidden\" value=\"$sanswere\" name=\"sanswere\"> <input type=\"hidden\" value=\"$username\" name=\"current\"> <input type=\"hidden\" value=\"forgpassquepro\" name=\"action\"> <Td><td><input type=\"submit\" value=\"Change it\"></Tr></table></table></form></center>"; } else { echo "<b><center>Your info does NOT match</b><p> Your data does not match with the stored informations of $username, please enter the exact info"; } } } else if ($action == "forgpassquepro") { $username = $_POST["current"]; $firstname = $_POST["firstname"]; $lastname = $_POST["lastname"]; $squestion = $_POST["squestion"]; $sanswere = $_POST["sanswere"]; $newpassword = $_POST["pas1"]; $newpassword = md5($newpassword); if (normalmail($username) == FALSE) { die("Error"); } $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $result = mysql_query("SELECT * FROM hm_accounts WHERE accountaddress = '$username' ", $db); $result = @mysql_fetch_array($result); // check if the information does match with the stored data if ( $result['accountlastname'] == NULL || $result['accountfirstname'] == NULL || $result['accountsecretque'] == NULL || $result['accountsecretans'] == NULL) { die("Error: Cant find infos in database for $username"); mysql_close(); } if ($_POST["pas1"] != $_POST["pas2"]) { $error = "<center><B>Your passwords does not match, please submit the form again</b></centeR>"; } if ($error != NULL) { echo $error; } else { if (strtolower($result['accountlastname']) == strtolower($lastname) && strtolower($result['accountfirstname']) == strtolower($firstname) && strtolower($result['accountsecretque']) == strtolower($squestion) && strtolower($result['accountsecretans']) == strtolower($sanswere)) { $accountid = $result['accountid']; //ok change the password $query = "UPDATE hm_accounts SET accountpassword = '$newpassword' WHERE accountid = '$accountid'"; mysql_query($query); echo "<center><b>Ok Your password has changed, sign in now with your new password, and your ID $username</b></center>"; mysql_close(); } } } // forgot password, old email method. else if ($action == "fpassoldemail") { $username = $_POST["current"]; $oldmail = $_POST["oldemail"]; // Do all the checks if (normalmail($username) == FALSE) { $error .= "Error: Please enter a valid ID in form of email address\n<br>"; } if (normalmail($oldmail) == FALSE) { $error .= "Error: Please enter a valid email address\n<br>"; } $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $result = mysql_query("SELECT * FROM hm_accounts WHERE accountaddress = '$username'", $db); $result = @mysql_fetch_array($result); $accountid = $result['accountid']; if ($result['accountoldaddress'] == NULL) { $error .= "Error: Missing infos in the database for $username <Br>"; } if ($result['accountoldaddress'] != $oldmail) { $error .= "Error: The address $oldmail does not match with the old address of $username <Br>"; } if ($error != NULL) { echo "<Center>Oops, There was some errors, please submit the form again<br>"; echo $error; mysql_close(); } else { // in that case somehow we have to generate a random code for($x=0;$x<10;$x++) { $y = rand(0,61); $z .= $y + (($y<10) ? 48 : (($y<20) ? 21 : 10)); } $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $query = "UPDATE hm_accounts SET accounttmpverify = '$z' WHERE accountid = '$accountid'"; mysql_query($query); mysql_close(); $body = " The user account $username has this email associated with it. A Web user from " . $_SERVER['REMOTE_ADDR'] . " has just requested a Confirmation Code to change the password. Your Confirmation Code is: $z With this code you can now assign a new password at http://" . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'] . "?action=fpassconfirm&addr=$username&code=$z If you cant click in the link, copy paste the URL into your browser. If you didn't asked for this, don't worry. Just delete this Email."; $body = wordwrap($body, 70); $subject = "Lost password: confirmation code"; $headers=""; $headers = 'From: ' . $username; if (mail($oldmail, $subject, $body, $headers)) { echo "<b>Message successfully sent!</b> <p>Please read the email in your old address $oldmail to get the verification code and reset your password <p>Your IP address is loged for security reasons."; } else { echo "<b>Message delivery failed!</b>"; } } } else if ($action == "fpassconfirm") { $code = $_POST["code"]; $username = $_POST["addr"]; if (!IsSet($code)) { $code = $_GET["code"]; } if (!IsSet($username)) { $username = $_GET["addr"]; } $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $result = mysql_query("SELECT * FROM hm_accounts WHERE accountaddress = '$username' ", $db); $result = @mysql_fetch_array($result); if ($username == NULL || normalmail($username) == FALSE) { $error .= "Error: Please enter your E-mail address in the correct form<Br>"; } if ($code == NULL) { $error .= "Error: Please enter the confirmation code<br>"; } if ($result['accounttmpverify'] != $code) { $error .= "Error: You entered an invalid confirmation code. <Br>"; } if ($error != NULL) { echo "<Center>Oops, There was some errors, please submit the form again<br>"; echo $error; echo "<br><br> <form name=\"forgot\" action=\"\" method=\"post\"> <center> <table><tr> <Td>E-Mail address<td><input name=\"addr\" type=\"text\"> <tr><td>Code<td><input name=\"code\" type=\"text\"><tr> <input type=\"hidden\" value=\"fpassconfirm\" name=\"action\"> <td><td><input type=\"submit\" value=\"Submit\"></tr> </td></table></table></form></centeR> "; mysql_close(); } else { echo "<b><center>Confirmation code is valid, Please enter your new password bellow</b>"; echo "<p><br> <center><table><tr><Td> Change password for $username<tr><Td> <table><tr> <form name=\"forgot\" action=\"\" method=\"post\"> <Td>Enter new password<td><input type=\"password\" name=\"pas1\"> <Tr><Td>Verify password<td><input type=\"password\" name=\"pas2\"><Tr> <input type=\"hidden\" value=\"$code\" name=\"code\"> <input type=\"hidden\" value=\"$username\" name=\"addr\"> <input type=\"hidden\" value=\"forgpasscodepro\" name=\"action\"> <Td><td><input type=\"submit\" value=\"Change it\"></Tr></table></table></form>"; mysql_close(); } } // ok lets check the code again, and change the password. else if ($action = "forgpasscodepro") { $code = $_POST["code"]; $username = $_POST["addr"]; $newpassword = $_POST["pas1"]; $newpassword = md5($newpassword); $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbname); $result = mysql_query("SELECT * FROM hm_accounts WHERE accountaddress = '$username' ", $db); $result = @mysql_fetch_array($result); $accountid = $result['accountid']; if ($username == NULL || normalmail($username) == FALSE) { $error .= "Error: Please enter your E-mail address in the correct form<Br>"; } if ($code == NULL) { $error .= "Error: Please enter the confirmation code<br>"; } if ($result['accounttmpverify'] != $code) { $error .= "Error: You entered an invalid confirmation code. <Br>"; } if ($_POST["pas1"] != $_POST["pas2"]) { $error .= "Error: Passwords does not match. <Br>"; } if ($error != NULL) { echo $error; } else { $query = "UPDATE hm_accounts SET accountpassword = '$newpassword' WHERE accountid = '$accountid'"; mysql_query($query); echo "<b>Your password has changed!</B><br><br> now you can sign in with your new password and your ID $username"; mysql_close(); } } echo "<center><p><em><font size=\"2\">Powered by <a target=\"hmail\" href=\"http://www.hmailserver.com\">HMailServer</a> @ All rights reserved</em></font></centeR>"; ?> Tnx Quote Link to comment Share on other sites More sharing options...
JimmY_BL Posted November 17, 2010 Author Share Posted November 17, 2010 nobody knows how to help me or just dont want to help me ??? i already have 200 new users accounts on my mail server ... and i`m tired deleting them every day ... :'( Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted November 17, 2010 Share Posted November 17, 2010 there are many sources for this information http://www.google.com/search?client=safari&rls=en&q=php+captcha&ie=UTF-8&oe=UTF-8 Quote Link to comment Share on other sites More sharing options...
JimmY_BL Posted November 17, 2010 Author Share Posted November 17, 2010 yes, i know that there is many sources for captcha (i use google every day for 1000 times) ... but when i follow the guides and try to put captcha into my script, it`s not working ... they have instructions on putting captcha code into the contact or feedback scripts ... but not with already made-working scripts Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted November 17, 2010 Share Posted November 17, 2010 what do you mean "it's not working"? can you post your code with captcha so we can help troubleshoot? Quote Link to comment Share on other sites More sharing options...
JonnoTheDev Posted November 17, 2010 Share Posted November 17, 2010 Just use recaptcha. Its easy to implement. Requires you to add about 1 line of code which is well documented, so you do not need any experience with php. Just look at the examples on the site. http://www.google.com/recaptcha Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.