The check for an incorrect captcha is as follows:

if($_POST['captcha_code'] != $_SESSION['csession_code']) { echo 'Неверный код безопасности'; } 

All is well. But the problem is that if, for example, you send a direct request to my site's PHP script from another site, the captcha is easily passed, because with a direct request from another site the session is not seen. When a request is sent from another site, the comparison turns out something like this:

'' != ''

How to solve this problem?

  • Well, check if the session exists. What is the problem? - lampa
  • @lampa I made the check. But suppose someone wants to send a direct request, and there is a security code. Can they pass the parameter and get through? After all, the session is not picked up ... - Moda

2 answers

 if($_POST['captcha_code'] != $_SESSION['csession_code'] && !empty($_POST['captcha_code']))
  • swap the conditions and add isset($_SESSION['csession_code']) at the beginning, otherwise there will be a notice - zb '
 if(isset($_SESSION['csession_code'])) if(!($_POST['captcha_code'] == $_SESSION['csession_code'])) echo 'Неверный код безопасности'; 
  • @Node_pro, and if there is no session, then it will not request a captcha. Already. - ModaL
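
One way to make the check fail closed, as an added example that is not part of any post above. The function name `captcha_is_valid` and the sample values are assumptions; `captcha_code` and `csession_code` are the keys from the question, and the session code is assumed to be stored as a string.

```php
<?php
// Added example: fail-closed captcha check. The function name is hypothetical.
function captcha_is_valid(array $post, array &$session): bool
{
    // Take the expected code out of the session so it is single-use:
    // one generated captcha allows exactly one attempt, pass or fail.
    $expected = $session['csession_code'] ?? null;
    unset($session['csession_code']);

    $given = $post['captcha_code'] ?? null;

    // No code in the session (direct request without the session cookie)
    // or no submitted code: reject. This closes the '' != '' case.
    if (!is_string($expected) || $expected === ''
        || !is_string($given) || $given === '') {
        return false;
    }

    // Strict string comparison, no loose != type juggling.
    return hash_equals($expected, $given);
}

// Constructed cases: [POST data, session data, expected result].
$cases = [
    'no session, no code'       => [[], [], false],
    'no session, code sent'     => [['captcha_code' => 'abc12'], [], false],
    'empty code, empty session' => [['captcha_code' => ''], ['csession_code' => ''], false],
    'array instead of string'   => [['captcha_code' => ['x']], ['csession_code' => 'abc12'], false],
    'wrong code'                => [['captcha_code' => 'zzz99'], ['csession_code' => 'abc12'], false],
    'correct code'              => [['captcha_code' => 'abc12'], ['csession_code' => 'abc12'], true],
];

foreach ($cases as $name => [$post, $session, $want]) {
    $got = captcha_is_valid($post, $session);
    printf("%-28s %s\n", $name, $got === $want ? 'ok' : 'MISMATCH');
}

// Replay: the same code submitted twice against one session.
$session = ['csession_code' => 'abc12'];
$post = ['captcha_code' => 'abc12'];
$first = captcha_is_valid($post, $session);
$second = captcha_is_valid($post, $session);
printf("%-28s %s\n", 'replay rejected', ($first && !$second) ? 'ok' : 'MISMATCH');
```

In the form handler this would be called as `captcha_is_valid($_POST, $_SESSION)` after `session_start()`, with the form processed only when it returns `true`.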