Help with comment form and captcha

Hi,
I have this customer comment form with captcha. It allows people to comment on specific pages in my website. The trouble is, right now if you post without a name or email address, it allows the post to continue. I need to create a subroutine that outputs an error with the post and shows the inputs as well, so they can correct them and then submit. Here’s the code (I will also include the png image so you can download and use it on your site if you want):

captcha.php

<?php
session_start();

// Generate a random string (uniqid + mt_rand instead of microtime() * mktime(),
// which multiplies a non-numeric string and raises a warning on current PHP)
$md5 = md5(uniqid(mt_rand(), true));

// We don't need a 32 character long string, let's trim it
$string = substr($md5, 0, 5);

// Use GD Library to load the PNG background from a file
$captcha = imagecreatefrompng("captcha.png");

// Set colors of lines with RGB colors
$black = imagecolorallocate($captcha, 0, 0, 0);

$line = imagecolorallocate($captcha, 233, 239, 239);

// The following creates lines to help throw off a spam robot's ability to guess the string
imageline($captcha, 0, 10, 50, 16, $black);
imageline($captcha, 40, 11, 64, 29, $black);
imageline($captcha, 0, 60, 90, 0, $black);

// Write the string to the image
imagestring($captcha, 5, 20, 10, $string, $black);

// Store the MD5 hash of the key in the session for the comparison test later
$_SESSION['key'] = md5($string);

// Print out the image
header("Content-type: image/png");
imagepng($captcha);
?>


comment.php

<?php
    session_start();
    // isset() avoids an undefined-index notice on the first (GET) visit
    if (!isset($_POST['form_submitted']) || $_POST['form_submitted'] != '1') {
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Customer Comments</title>
</head>

<body>
<div style="width:650px;border-left:1px solid black;border-right:1px solid gray;margin:0px auto;overflow:hidden;">

  <p style="background-color:#1c5665;color:white;padding:5px;text-align:center;margin-top:0px;">Customer Comments!<br />Your email address will not be listed. It is for my newsletter which will only be sent out once or twice per month.</p>
  <p style="background-color:#1c5665;color:white;padding:5px;text-align:center;margin-top:0px;">Please don't use html in the comment box. It will remove all html and look really ugly.</p>
  <div style="float:left;width:214px;border-right:1px solid gray;padding:5px;background-color:#f6f8f9;height:100%;">
    <form method="post">

    <p align="right" style="padding:5px;">Name:</p>
    <p align="right" style="padding:5px;">Email Address:</p>
    <p align="right" style="padding:5px;">Comment/Suggestion:</p>

  </div>

  <div style="float:left;width:415px;padding:5px;">
    <p><input type="text" name="name" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></p>
    <p><input type="text" name="email" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></p>

    <p><textarea cols="40" name="comment" rows="4" style="border:1px solid #1c5665;padding:3px;margin-top:5px;"></textarea></p>
  </div>

  <div style="clear:both;">&nbsp;</div>

  <hr style="color:gray" />

  <div style="width:325px; border:1px solid black;margin:0px auto;text-align:center;">
    <p><img src="captcha.php" /></p>

      <div style="margin-top:-15px;">
        Please enter the image text:
      </div>
      <div style="margin-top:-3px;margin-bottom: 4px;">
        <input type="text" name="code" style="border:1px solid #1c5665;padding:3px;margin-top:5px;">

      </div>
      <input type="submit" value="Submit Form" />
      <input type="hidden" name="form_submitted" value="1"/>
      </form>
  </div>

  <div style="width:650px;height:10px;background-color:#1c5665;">&nbsp;</div>

<?php } else if ($_POST['form_submitted'] == 1) { ?>

<?php
// Hash the posted code field and then compare with the stored key

if (!isset($_POST['code'], $_SESSION['key']) || md5($_POST['code']) !== $_SESSION['key'])
{
  echo "It seems you entered an invalid Captcha key. Please go back and try again.";

}else{
session_unset();
session_destroy();
// Send

// Connect first, so the values can be escaped with the connection's charset
$docroot = $_SERVER['DOCUMENT_ROOT'];
include("$docroot/includes/db2.inc.php");

// mysql_real_escape_string() instead of addslashes(): it escapes every
// character MySQL treats specially, and $thispage (from the query string)
// must be escaped too since it goes into the same INSERT
$name    = mysql_real_escape_string($_POST['name'], $dbh);
$comment = mysql_real_escape_string($_POST['comment'], $dbh);
$email   = mysql_real_escape_string($_POST['email'], $dbh);
$thispage = mysql_real_escape_string(isset($_GET['page']) ? $_GET['page'] : '', $dbh);

// Plain literal replacements, so str_replace() rather than the removed ereg_replace()
$comment = str_replace('&', '&amp;', $comment);
$comment = str_replace('"', '&quot;', $comment);
$comment = str_replace('<a href', 'NO', $comment);
$comment = str_replace('>', 'NO', $comment);
$comment = str_replace('</a>', 'NO', $comment);

$comment = str_replace('INSERT', 'NO', $comment);
$comment = str_replace('DELETE', 'NO', $comment);

$name = str_replace('INSERT', 'NO', $name);
$name = str_replace('DELETE', 'NO', $name);

$email = str_replace('INSERT', 'NO', $email);
$email = str_replace('DELETE', 'NO', $email);

$tablename = "BIKER_comments";

$date = date("F j, Y, G:i:s");

$sql = "INSERT INTO `$tablename` (name, comment, email, date, thispage) VALUES ('$name', '$comment', '$email', '$date', '$thispage')";

if (!mysql_query($sql, $dbh)) {
  die('Error: ' . mysql_error());
}
echo "<html><body style='background-color:#ececec;'><div style='width:300px;border:1px dashed black;text-align:center;margin:0px auto;margin-top:200px;padding:20px;font-size:20px;background-color:white;'>Your comment has been submitted! Thanks!</div>";

}

?>
<FORM>
<INPUT type="button" value="Close Window" onClick="window.close()">
</FORM>
<?php }

?>

</div>
</body>

</html>


the db2.inc.php file is simply:

<?php

    $username = "username";
    $password = "password";
    $hostname = "localhost";
    $dbh = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");
    $selected = mysql_select_db("databasename", $dbh) or die("Could not select database");

?>


This does work awesome right now; I would just like to make the name and email required to post.

Thanks,
Kevin

Hi!
I fixed the problem.

Here is the fix:


if ((md5($_POST['code']) != $_SESSION['key']) OR (empty($_POST['name'])) OR (empty($_POST['email']))) {

echo "It seems you entered an invalid Captcha key, email or name. Please go back and try again.";

}

Thanks!!
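The reply's check rejects the post, but Kevin also asked for the inputs to be shown again so they can be corrected. As an added example (not Kevin's code or the reply's fix), here is one way to do that: collect all validation errors in one routine, redisplay the form with the submitted values escaped, and insert with a prepared statement instead of string-built SQL. It assumes PHP 7+, the same field names and table as the post, and an updated includes/db2.inc.php that creates a PDO handle in `$pdo` (an assumption, not the page's mysql_connect version).

```php
<?php
// Added example: required-field + captcha validation with a sticky form.
// Assumes includes/db2.inc.php now creates a PDO connection in $pdo.
session_start();
require $_SERVER['DOCUMENT_ROOT'] . '/includes/db2.inc.php';

function validate_comment(array $post, array $session) {
    $errors = array();
    if (trim($post['name'] ?? '') === '') { $errors[] = 'Name is required.'; }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) { $errors[] = 'A valid email address is required.'; }
    if (trim($post['comment'] ?? '') === '') { $errors[] = 'Comment is required.'; }
    // Same scheme as captcha.php (session holds md5 of the image text); hash_equals avoids timing leaks
    if (!isset($session['key']) || !hash_equals($session['key'], md5($post['code'] ?? ''))) {
        $errors[] = 'The image text did not match.';
    }
    return $errors;
}

// Escape everything that is echoed back, so a comment containing HTML cannot run in the page
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

function show_form(array $old, array $errors) {
    foreach ($errors as $e) { echo '<p style="color:red">' . h($e) . '</p>'; }
    echo '<form method="post">'
       . 'Name: <input type="text" name="name" value="' . h($old['name'] ?? '') . '"><br>'
       . 'Email: <input type="text" name="email" value="' . h($old['email'] ?? '') . '"><br>'
       . 'Comment: <textarea name="comment">' . h($old['comment'] ?? '') . '</textarea><br>'
       . '<img src="captcha.php"> <input type="text" name="code"><br>'   // reload issues a fresh key
       . '<input type="hidden" name="form_submitted" value="1">'
       . '<input type="submit" value="Submit Form"></form>';
}

if (empty($_POST['form_submitted'])) {
    show_form(array(), array());
    exit;
}
$errors = validate_comment($_POST, $_SESSION);
unset($_SESSION['key']);   // one attempt per captcha image; the redisplayed form loads a new one
if ($errors) {
    show_form($_POST, $errors);   // previous inputs are kept, only the code must be retyped
    exit;
}
// Values are bound, never interpolated, so no INSERT/DELETE word filtering is needed;
// the text is stored as typed and escaped with h() wherever it is displayed.
$stmt = $pdo->prepare('INSERT INTO BIKER_comments (name, comment, email, date, thispage) VALUES (?, ?, ?, ?, ?)');
$stmt->execute(array($_POST['name'], $_POST['comment'], $_POST['email'],
                     date('F j, Y, G:i:s'), $_GET['page'] ?? ''));
echo 'Your comment has been submitted! Thanks!';
```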