PHP Captchas

[limitphp]

I have seen some pre-built modules on the net.

Are they easy to build on your own?

Is there a way to do a simple one thats secure and not an image?

Can you do one with just text?

[flyhoney]

You should start by typing all 3 of those questions in to google.

 

</obligatory>

 

This is perhaps the most popular captcha system: http://recaptcha.net/

[MadnessRed]

if you want to build your own it is very simple.

 

1) Create a random string.

$string = mt_rand(0,9).mt_rand(0,9).mt_rand(0,9).mt_rand(0,9);

 

2) Declare that string in a session.

$_SESSION['captcha'] = $string;

 

3) Use GD to create a catchpa img.

// Create an image bg of captcha.png
$im = ImageCreateFromPNG('captcha.png');

//Define black
$black = imagecolorallocate($im, 0, 0, 0);

// Path to our font file
$font = './arial.ttf';

// Write it
imagettftext($im, 10, 0, 0, 10, $black, $font, $_SESSION['captcha']);

// Output to browser
header('Content-type: image/png');

imagepng($im);
imagedestroy($im);

 

requires you to have arial.ttf and catchpa.png in the same folder.

[Mchl]

Very simple and quite secure without using images could be one that asks for a solution of mathematical equation, e.g.:

2*(2+7)= ?

 

Or even:

What day was yesterday?

(although this would need some datapicker widget, because people might want to type in '5.10.08', 'Wednesday', 'horrbile' etc )

 

[MadnessRed]

you could do that, set an array up

 

$cats = array(

'1+1=' = > '2',

'The day after Tuesday us' = > 'Wednesday',

'Another question' => 'Another Answer');

 

Then just do

 

if($_POST['cat_ans'] == $cats[$_POST['cat_qu']]){

  some code

}

[Mchl]

Or:

[PFMaBiSmAd]

Math question captchas can be answered by simply passing the string through an eval() statement and should not be used -

 

$string = "2*(2+7)";
eval("\$answer = $string;");
echo $answer;

Gives 18

 

Computers solve math problems and do things like find/replace, copy/replace all day long. Text based questions should require human reasoning to solve them.

[Mchl]

How about: 'two times fourteen is:' ?

[harristweed]

I use a different method that seems to work. To stop botts sending forms, I have (for example) an email form field called antibott. So the variable $antibott hold the users email. I also have a form text field called 'email'. This is in a separate div Using CSS I make this div invisible so humans can't see it!. Therefore if the variable $email is NOT empty the form was filled in by a bott and the form redirects to a page that only botts see!

[dezkit]

Or:

 

haha,

[PFMaBiSmAd]

How about: 'two times fourteen is:' ?

A simple string replace using an array to replace the word form of numbers with the number and things like "time"/"times" with "*" will allow any "understandable" math question to be parsed -

 

<?php
$search_arr = array('two','fourteen','times'); // ... array of common word forms
$replace_arr = array('2','14','*'); // ... array of equivalent values

$string = 'two times fourteen';
$string = str_ireplace($search_arr, $replace_arr, $string);
eval("\$answer = $string;");
echo $answer;
?>

Any words or symbols that are not in either array would simply be removed from the string. This would remove the "is:" part of the question.

[limitphp]

I guess any question that is readable on screen is readable by a bot and can be program to be solved, whether its text, numbers, anything.

 

*You will have to have a limited amount of questions if its non-math, and so all answers could be programed.

 

*All math questions, regardless of text or in umber form can be programmed to be solved.

 

I like the invisible form idea.  Check to see if a bot filled it out.  Although, eventually, I'm sure that can be programmed for as well.

 

So, images work, because there is no way for a bot to figure out what is on that image?

 

 

[limitphp]

if you want to build your own it is very simple.

 

1) Create a random string.

$string = mt_rand(0,9).mt_rand(0,9).mt_rand(0,9).mt_rand(0,9);

 

2) Declare that string in a session.

$_SESSION['captcha'] = $string;

 

3) Use GD to create a catchpa img.

// Create an image bg of captcha.png
$im = ImageCreateFromPNG('captcha.png');

//Define black
$black = imagecolorallocate($im, 0, 0, 0);

// Path to our font file
$font = './arial.ttf';

// Write it
imagettftext($im, 10, 0, 0, 10, $black, $font, $_SESSION['captcha']);

// Output to browser
header('Content-type: image/png');

imagepng($im);
imagedestroy($im);

 

requires you to have arial.ttf and catchpa.png in the same folder.

 

I'm using wamp server php 5.2.6

Which folder do I put arial.ttf and captcha.png?

Where do I get a captcha.png file?

[Mchl]

According to the example above, arial.ttf should be one folder above script (So  C:\wamp\www\ if your script is in C:\wamp\www\captcha\), and captcha.png in same folder as the script. captcha.png you must create yourself. It will be a background for your captcha,

[limitphp]

Ok, I created a captcha.png and put it in the C:\wamp\www\website folder. 

And I put the arial.ttf file in the C:\wamp\www folder.

 

How do i display the captcha image?

I tried echoing the $im variable, but I got an error saying "image cannot be displayed because it contains errors".

 

Ok, I'm not echoing the $im , and i'm still getting the image contains errors message.

[limitphp]

it says:

The image "http://localhost/website/register.php" cannot be displayed because it contains errors."

[Adam]

Well you need to store the captcha code in a seperate PHP file, perhaps named "captcha.php"? then display it as normal image:

 

<img src="captcha.php" alt="Enter what you see!" />

 

So, images work, because there is no way for a bot to figure out what is on that image?

 

Not true. Some talented people out there can create font recognition scripts to read the text - which is why they're always adding squiggly lines and very hard to read fonts. Didn't google mail's captcha image get broken a little while ago?

 

[limitphp]

Ok, so I stored this code as a seperate file, captcha.php.

<?php
$string = mt_rand(0,9).mt_rand(0,9).mt_rand(0,9).mt_rand(0,9);
$_SESSION['captcha'] = $string;
// Create an image bg of captcha.png
$im = ImageCreateFromPNG('captcha.png');

//Define black
$black = imagecolorallocate($im, 0, 0, 0);

// Path to our font file
$font = './arial.ttf';

// Write it
imagettftext($im, 10, 0, 0, 10, $black, $font, $_SESSION['captcha']);

// Output to browser
header('Content-type: image/png');

imagepng($im);
imagedestroy($im);
?>

 

Thats the entire captcha page.

In my register.php I put an img tag with captcha.php as the src

<IMG SRC="captcha.php"/>

and the image is not showing up. Not even an outline of an image.

 

The captcha.png is in the same folder as the captcha.php file.

The arial.ttf is in the folder above it....

 

[limitphp]

Not true. Some talented people out there can create font recognition scripts to read the text - which is why they're always adding squiggly lines and very hard to read fonts. Didn't google mail's captcha image get broken a little while ago?

 

 

What if they add a primary color with text to the image?

Like yellow, blue, red, green, black.

[Adam]

Hah some clever clog will figure it out if they really wanted.. i imagine?

 

Have you tried going to captcha.php in your browser and seeing if you get an error?

 

Adam

[limitphp]

Hah some clever clog will figure it out if they really wanted.. i imagine?

 

Have you tried going to captcha.php in your browser and seeing if you get an error?

 

Adam

 

Yea, it says the same thing,

The image "http://localhost/website/captcha.php" cannot be displayed because it contains errors."

 

There must be other code involved?

It can't be that easy to have php setup an image....

Maybe there are some png settings I forgot in my php.ini file?

[PFMaBiSmAd]

Color/contrast differences added to an image just make it hard for humans to read. A computer can change or filter any color or difference in contrast out of an image. Computers can also filter "noise" out of images, such as thin lines or small dots, leaving just the characters.

 

A good image captcha would have "noise" in the image that cannot be distinguished from the elements of the characters, so that mathematically filtering out the noise would remove enough elements of the characters so that you could not determine what the original characters were. Also, the characters must not be in predictable locations so that you can put boxes around them to isolate them from the noise in the image.

[limitphp]

since the code didn't work, I used repcaptcha.com.

Its up and running and working.  I was suprised at how easy it was to integrate their captcha.

The only thing is, I don't like being dependent on another website.

If my website ever takes off and becomes popular I'll probably have to create my own captcha.

Of course, thats a HUGE if.

[Mchl]

You could probably devise a fallback system, that will use your captcha whenever reCaptcha server is unavailable.

[MadnessRed]

According to the example above, arial.ttf should be one folder above script (So  C:\wamp\www\ if your script is in C:\wamp\www\captcha\), and captcha.png in same folder as the script. captcha.png you must create yourself. It will be a background for your captcha,

 

sorry that was wrong

 

../ means directory above

./ means this directory.

 

the ttf and image should both be in same directory as the php file so C:\wamp\www\captcha\