
Sometimes, the results of getPhrase and inline are partly inconsistent #81

Open
ZhangChengLin opened this issue Apr 26, 2020 · 7 comments

Comments

@ZhangChengLin

Why are the characters from getPhrase() and the characters in inline() sometimes inconsistent? Not all of them are wrong, but the case of one of the letters is inconsistent.

E.g:
The image base64 from inline () is processed in the browser, and the result displayed is YF7B
But the result of getPhrase () is Yf7B

Why? Is it a browser issue or a code design issue?

@Gregwar
Owner

Gregwar commented Apr 26, 2020

Maybe it is because of one of the fonts used here.
Actually, I recommend you don't check the user phrase using a case-sensitive method.
The same tolerance can apply for 0/O and 1/l.

See:
https://github.com/Gregwar/Captcha/blob/master/src/Gregwar/Captcha/PhraseBuilder.php#L71

@ZhangChengLin
Author

> Maybe it is because of one of the fonts used here.
> Actually, I recommend you don't check the user phrase using a case-sensitive method.
> The same tolerance can apply for 0/O and 1/l.

I want to use the session for cookies on the client, and then compare the hash value of the verification code.
Rest assured, the server will still compare again; it is just that when the normal client does the check, there is one less connection request.
So I have to know in advance exactly what it is, and there is a case where the letter case is not absolutely consistent.

@Gregwar
Owner

Gregwar commented Apr 26, 2020

In that case just call doNiceize() before you hash, in both the generating and the checking process, and it will result in the same hash.

However, check the possible combinations: if you have 5 characters, 36^5 is around 60M, so it is not really hard to brute force this hash.

@ZhangChengLin
Author

> In that case just call doNiceize() before you hash, in both the generating and the checking process, and it will result in the same hash.
>
> However, check the possible combinations: if you have 5 characters, 36^5 is around 60M, so it is not really hard to brute force this hash.

In this way, can the correct capitalization of the letters be displayed in the picture?

The client enters five letters, the same md5 processing is performed on the client, and then the string value is compared. As for the number of characters you mention, if you say it is too few, then execute it 1000 times? Is that okay?

@Gregwar
Owner

Gregwar commented Apr 27, 2020

Actually, injecting a secret salt before hashing is also a solution:

<?php
$salt = 'SomethingSecret';
$hash = sha1($salt.$phrase);
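As an added example, not code from this issue or from the Gregwar/Captcha library, the comparison and hashing choices discussed in the two maintainer replies above, reimplemented in Python: a `niceize()` stand-in for the `doNiceize()` mentioned earlier (its exact rules are assumed here: lowercase, then treat 0/O and 1/l as one glyph), the size of the phrase space before and after that normalisation, why a digest of the phrase alone can be rebuilt offline, and the secret-salt variant done as an HMAC. The alphabet, the secret value and the toy alphabet used for the search are all constructed for this example.

```python
import hashlib
import hmac
from itertools import product
from typing import Optional

# Alphabet the demo phrases are drawn from: an assumption for this example
# (digits plus lowercase letters, 36 symbols), not the library's own list.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def niceize(phrase: str) -> str:
    """Canonical form used for comparison: case-insensitive, with 0/O and 1/l
    treated as the same glyph, as the maintainer recommends. This is a
    stand-in for the library's doNiceize(); its exact rules are assumed."""
    return phrase.lower().replace("0", "o").replace("1", "l")


def phrases_match(expected: str, user_input: str) -> bool:
    """Tolerant comparison: 'Yf7B' and 'YF7B' count as the same answer."""
    return niceize(expected) == niceize(user_input)


def canonical_alphabet(alphabet: str = ALPHABET) -> str:
    """Distinct symbols that survive niceize(); 0 and 1 collapse into o and l."""
    return "".join(sorted({niceize(c) for c in alphabet}))


def keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Number of raw phrases (36^5 is about 60M, as the thread says)."""
    return len(alphabet) ** length


def canonical_keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Distinct canonical phrases: smaller, because niceize() merges symbols."""
    return len(canonical_alphabet(alphabet)) ** length


def unsalted_hash(phrase: str) -> str:
    """The reporter's idea: hash only the normalised phrase and give it to the client."""
    return hashlib.sha1(niceize(phrase).encode()).hexdigest()


def recover_from_unsalted(digest: str, length: int, alphabet: str) -> Optional[str]:
    """Why that digest is weak: with no secret in it, anyone holding the digest
    can rebuild it from every canonical phrase of that length. Run here on a
    constructed toy alphabet so the search finishes instantly."""
    for candidate in product(canonical_alphabet(alphabet), repeat=length):
        phrase = "".join(candidate)
        if hmac.compare_digest(unsalted_hash(phrase), digest):
            return phrase
    return None


def salted_hash(phrase: str, secret: bytes) -> str:
    """The maintainer's fix, with the secret used as an HMAC key rather than a
    plain string prefix (sha1($salt.$phrase)): same idea, standard construction."""
    return hmac.new(secret, niceize(phrase).encode(), hashlib.sha256).hexdigest()


def verify(stored: str, user_input: str, secret: bytes) -> bool:
    """Server-side check: normalise the input the same way, recompute, compare in constant time."""
    return hmac.compare_digest(stored, salted_hash(user_input, secret))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # stays on the server; a made-up value
    print(phrases_match("Yf7B", "YF7B"))  # the case difference from the issue no longer matters
    print(keyspace(5), canonical_keyspace(5))
    print(recover_from_unsalted(unsalted_hash("bad"), 3, "abcd"))
    stored = salted_hash("Yf7B", secret)
    print(verify(stored, "YF7B", secret), verify(stored, "Yf7C", secret))
```

Note the trade-off the thread leaves implicit: once the secret is part of the hash, the browser cannot recompute it, so the client-side pre-check the reporter wants is no longer possible; the salted digest only helps if the comparison stays on the server. Note also that normalisation shrinks the space an offline search has to cover (34^5 rather than 36^5 here), which is another reason not to rely on the unsalted digest.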

@ZhangChengLin
Author

> Actually, injecting a secret salt before hashing is also a solution:
>
> <?php
> $salt = 'SomethingSecret';
> $hash = sha1($salt.$phrase);

Off topic, but how do I ensure that the case of the characters in the picture is consistent with the phrase?

@ZhangChengLin
Author

[Four screenshots attached, taken 2020-04-26 and 2020-04-28; the images are not included in this page.]
