Jump to content

is this CAPTCHA any good?

fry2010

By fry2010
in PHP Coding Help

 Share

Recommended Posts

fry2010 Regular Member

fry2010

Posted
Posted 

<?php

  function create_captcha()
  {
    $length1 = random_digit('1');
    $length2 = random_digit('1');
    $length3 = random_digit('1');

    $set1 = random_word($length1);
    $set2 = random_word($length2);
    $set3 = random_word($length3);

    $result['0'] = $set1;
    $result['1'] = $set2;
    $result['2'] = $set3;

    return $result;
  }

  function display_captcha()
  {
    $captcha = create_captcha(); 

    $length1 = strlen($captcha['0']);
    $length2 = strlen($captcha['1']);

    echo '<label for="captcha">For security reasons please enter the first <span>'.$length1.'</span> letters/digits and the last <span>'.$length2.'</span> letters/digits.</label>';
    echo '<div id="captch_box"><h3>'.$captcha['0'].$captcha['2'].$captcha['1'].'</h3></div>';
    echo '<input type="text" name="captcha" />';
    
  }

  function check_captcha($input)
  {
    $captcha0 = $_SESSION['captcha']['0'];
    $captcha1 = $_SESSION['captcha']['1'];
    $captcha2 = $_SESSION['captcha']['2'];

    $captcha_set = $captcha0.$captcha1;
    $captcha_input = $input;

    if($captcha_input == $captcha_set)
    {
      return true;
    }
    else
    {
      return false;
    }

  }

?>

 

Basically what this does is gets 3 sets of seperate length letters. I then ask the user to enter the first set and the last set, leaving out the middle set. The values are passed using a session for each set, not through a hidden input. The sessions are destroyed once the new page loads and value has been checked.

Link to comment
https://forums.phpfreaks.com/topic/146978-is-this-captcha-any-good/
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Text based captcha's that are "find and enter something that appears on the page in plain text" are easy to write a script for because they don't require any human reading and reasoning skills. A script can parse the two lengths and get the correct digits easily.

Mchl Regular Member

Mchl

Posted
Posted

It's enough that the person coding this bot sees through your method. They just need to code the bot to:

1. Get contents of <label for="captcha">

2. Parse the first and second number from it

3. Get contents of <div id="captch_box">

4. Use substr to get required letters

5. Put the resulting string into <input type="text" name="captcha" />

 

that's not really hard.

 

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

At a minimum, you should use a dynamically generate image to display any text based question.

 

It is fairly easy to filter simple images to get OCR to recognize a typical 4-6 character captcha (enter the characters you see.) It is much harder to get OCR to correctly decode a multi-word question that is output as a dynamically generated image.

 

If you output your existing question as an image with some background noise and some non relevant accompanying text (both before and after the actual question), it will make it much harder for a bot script to decode your captcha.

fry2010 Regular Member

fry2010

Posted
  • Author
Posted

ok my understanding of bots is not correct then. I dont really know how they work i just fort this would have been a good way to solve it.

However you say that its easy, i still think not so.

It doesnt use the first letter and last letter as you suggest mchl. The first and last letter sets are dynamic, i.e. the number of letters is determined by random_digit();

 

Here is a code that it produced :

 

KPCXLXJ

 

Tell me now which letters are required?

 

This is how it prints in the html too they are not seperated into there sets.

 

<div id="captch_box"><h3>KPCXLXJ</h3></div>

 

The sets are stored as sessions so the only way it can get this is if it uses the sessions that are created. Is this possible? Or any other method you can think of. I do appreciate the critisism but i think you underestimate the difficulty in obtaining the correct data required.

fry2010 Regular Member

fry2010

Posted
  • Author
Posted

Here is another when i refreshed the page:

 

TMPFL

 

The reason I dont like to use image generated captcha is because they p*ss me off when i have to enter them because they are unreadable. I would much prefere to have people sign up to going overboard with spam protection. Obvoisly there needs to be a compromise. I was hopeing this would be good enough.

Mchl Regular Member

Mchl

Posted
Posted

How is human suposed to know what letters are required? You tell him:

"For security reasons please enter the first 2 letters/digits and the last 3 letters/digits."

 

Bot also sees that.

It's enough for the code to do this:

 

$captcha = "KPCXLXJ";
$a = "For security reasons please enter the first 2 letters/digits and the last 3 letters/digits.";
$words =  explode(" ",$a);

$length1 = $words[7];
$length2 = $words[12];
$answer = substr($captcha,0,$length1).substr($captcha,-$length2);
echo $answer;

fry2010 Regular Member

fry2010

Posted
  • Author
Posted

Yes but the number of letter used changes. In that example it was the the first 1 letter and the last 3. On the second example it is the first 2 letters and the last 1.

A human could probably code this but I dont think they will bother with my site. I am limiting the number of registered users anyway, the only bots i want to stop really are the automatic one if my thinking is correct?

fry2010 Regular Member

fry2010

Posted
  • Author
Posted

ok cool. i also see in your last post that actually your code would work out the dynamic letters i didnt see this at first i havnt used that code before but just realised what it does.

What if I used words instead of integers to tell the number of letters user?

I dont mean to be getting your back up it just took me ages to code it and get it working to find out its basically useless, atleast against humans coding bots. and thanks for the critiques.

Mchl Regular Member

Mchl

Posted
Posted

Each countermeasure you implement makes the task harder, but never impossible.

Another idea might be having several sentences describing the task to be done and picking them by random.

 

Example:

For security reasons please enter the first 2 letters/digits and the last 3 letters/digits.

For security reasons please enter the first two letters/digits and the last three letters/digits.

Please enter the first 2 letters/digits and the last 3 letters/digits.

For security reasons please enter first two letters/digits and the last three letters/digits.

(I'm just mashing up the original sentence, you might want to be more original :P )

 

Now the bot has to know the structure of all sentences (or use regular expressions, which will make it's task easier again)

 

Using text based captcha has this flaw, that it is relatively easy to write code for it.

 

You might try implementing captcha based on figlet fonts. These might be really hard to break.

JonnoTheDev Regular Member

JonnoTheDev

Posted
Posted

Using text for a CAPTCHA is a bad idea.

Your CAPTCHA is best created using the GD functions and the most obscure fonts. The actual code is stored in a session that a bot has no access to. The only method is OCR. The more obscure the font the harder to do.

 

Implement in the following way:

<img src="captcha.php" />

 

The best protection is recaptcha http://recaptcha.net/

I have never been able to break through this nor found anyone who has.

angelcool Member

angelcool

Posted
Posted

Here are my two pennies.

I am using this image for captcha:

http://gift-a-cup.10-network.net/shopping_cart/images/captcha.php

 

Any ideas how anti-OCR safe it looks like?

 

I know at times the background noise is not high (this is good for user), but should at least give OCR a hard time when not, thus making it unreliable.

shadiadiph Advanced Member

shadiadiph

Posted
Posted

i just use

 

<?
$random = rand(100,999);
?>

 

at the top of the page

 

then

<tr><td colspan="2">CONFIRMATION NUMBER</td></tr>
<tr><td colspan="2"><?=$random?> <input type="text" name="validate" maxlength="3" /></td></tr>

 

in my form

 

then on my submit form

 

$random = ($_POST['random']);
$validate = ($_POST['validate']);

if($random == $validate)
{

// sql insert or send email function.

}

 

 

don't know if this helps but its homemade and it works

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.