CodeIgniter Forums
CAPTCHA Helper Flawed? - Printable Version

CAPTCHA Helper Flawed? - El Forum - 07-15-2012

[eluser]Unknown[/eluser]
I'm using the CAPTCHA helper with a database backend to help verify CAPTCHAs. However, it seems that I've come across a bit of a flaw with the example code. The code for checking if a user-supplied CAPTCHA matches the CAPTCHA displayed is:

Code:
$expiration = time()-7200; // Two hour limit
$this->db->query("DELETE FROM captcha WHERE captcha_time < ".$expiration);

// Then see if a captcha exists:
$sql = "SELECT COUNT(*) AS count FROM captcha WHERE word = ? AND ip_address = ? AND captcha_time > ?";
$binds = array($_POST['captcha'], $this->input->ip_address(), $expiration);
$query = $this->db->query($sql, $binds);

Now this will certainly work, however it will also work if the user enters a previous CAPTCHA within the expiration limit. Now you're probably saying, well it's not like the user will remember any of the prior CAPTCHAs, and you're probably right. However, if the user pushes the back button on a form which was just successfully submitted and the form is pre-populated with the data they just entered, the CAPTCHA text-box will contain a previous value, making the above SQL valid and it will allow them to submit the form again.

So my question is, does it make sense to add logic to delete a CAPTCHA after you check if it's valid? Or should something be done to clear the form after it's been successfully submitted so when the user browses backwards, they get an empty form?
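
An added example (not part of the original post and not CodeIgniter's own code) of the first option raised above: making each CAPTCHA single-use by replacing the `SELECT COUNT(*)` check with a `DELETE` and testing the affected row count, so the check and the invalidation happen in one statement. The function name `verify_captcha_once`, the PDO/in-memory SQLite setup, the `captcha_id` column and the sample rows are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not CodeIgniter's code. Uses PDO + in-memory SQLite so it
// runs stand-alone; word, ip_address and captcha_time follow the post's query.

/**
 * Hypothetical helper: consume a CAPTCHA atomically.
 * Returns true only the first time a valid (word, ip) pair is presented.
 */
function verify_captcha_once(PDO $db, string $word, string $ip, int $now, int $ttl = 7200): bool
{
    $expiration = $now - $ttl; // same two hour limit as the post

    // Purge expired rows, as the original code does.
    $purge = $db->prepare('DELETE FROM captcha WHERE captcha_time < ?');
    $purge->execute([$expiration]);

    // DELETE instead of SELECT COUNT(*): the affected row count says whether
    // a match existed, and the match is gone before a second request can use it.
    $consume = $db->prepare(
        'DELETE FROM captcha WHERE word = ? AND ip_address = ? AND captcha_time > ?'
    );
    $consume->execute([$word, $ip, $expiration]);

    return $consume->rowCount() > 0;
}

// --- Constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE captcha (
    captcha_id INTEGER PRIMARY KEY,
    captcha_time INTEGER NOT NULL,
    ip_address TEXT NOT NULL,
    word TEXT NOT NULL
)');

$now = time();
$ip  = '203.0.113.7'; // documentation-range address, constructed
$ins = $db->prepare('INSERT INTO captcha (captcha_time, ip_address, word) VALUES (?, ?, ?)');
$ins->execute([$now - 60, $ip, 'Xk4pQ']);    // issued a minute ago
$ins->execute([$now - 9000, $ip, 'oldOne']); // older than the two hour limit

var_dump(verify_captcha_once($db, 'Xk4pQ', $ip, $now));  // first submission
var_dump(verify_captcha_once($db, 'Xk4pQ', $ip, $now));  // back-button resubmission
var_dump(verify_captcha_once($db, 'oldOne', $ip, $now)); // expired word
```

Because the row is removed by the same statement that validates it, two concurrent submissions of the same word cannot both succeed, which a separate check followed by a delete would not guarantee.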