From 72dd599070900fabb1e1501a7b39067703acec35 Mon Sep 17 00:00:00 2001
From: "ctrlaltca@gmail.com" <>
Date: Sun, 2 Oct 2011 21:13:53 +0000
Subject: Added TReCaptcha control (ticket #345) and added a notice about the lack of security of TCaptcha (ticket #344)
---
 framework/Web/UI/WebControls/TCaptchaValidator.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'framework/Web/UI/WebControls/TCaptchaValidator.php')
diff --git a/framework/Web/UI/WebControls/TCaptchaValidator.php b/framework/Web/UI/WebControls/TCaptchaValidator.php
index 7854b639..b01cd786 100644
--- a/framework/Web/UI/WebControls/TCaptchaValidator.php
+++ b/framework/Web/UI/WebControls/TCaptchaValidator.php
@@ -4,7 +4,7 @@
  *
  * @author Qiang Xue
  * @link http://www.pradosoft.com/
- * @copyright Copyright © 2005-2011 PradoSoft
+ * @copyright Copyright © 2005-2011 PradoSoft
  * @license http://www.pradosoft.com/license/
  * @version $Id$
  * @package System.Web.UI.WebControls
@@ -16,6 +16,10 @@ Prado::using('System.Web.UI.WebControls.TCaptcha');
 /**
  * TCaptchaValidator class
  *
+ * Notice: while this class is easy to use and implement, it does not provide full security.
+ * In fact, it's easy to bypass the checks reusing old, already-validated tokens (reply attack).
+ * A better alternative is provided by {@link TReCaptchaValidator}.
+ *
  * TCaptchaValidator validates user input against a CAPTCHA represented by
  * a {@link TCaptcha} control. The input control fails validation if its value
  * is not the same as the token displayed in CAPTCHA. Note, if the user does
-- 
cgit v1.2.3
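Review bot: The notice added to the TCaptchaValidator class docblock in the second hunk calls the weakness a "reply attack", which should read "replay attack"; the line would be clearer as `* In fact, it's easy to bypass the checks by reusing old, already-validated tokens (replay attack).` The notice also does not say why a token stays reusable. Presumably it is not invalidated after a successful validation, but the validation code is outside this hunk, so that needs confirming before it is written down. One sentence stating the cause would let integrators judge whether they need their own server-side single-use tracking. Because the class stays available, the notice could also say plainly that it should not be the only control on a sensitive form, e.g. `* Do not rely on this validator alone to protect sensitive forms.` The docblock continues past the end of the hunk.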