CAPTCHA and Email Forms

synergypoint

I have some Email forms that allow a web site users to 'Email a Page to a friend' from the site.

Spammers are exploiting the pages so I was thinking about using a system where you have to enter a code seen on the screen in graphics. Kind of like Ticket Master, AltaVista, and some other companies are doing for registrations.

I came across an article at PC Magazine and it seems that spammers are even getting around some of that. Has anyone used what they are calling CAPTCHA (using blured graphics as a code that must be manually type in on screen)?

If that doesn't work I guess I will just take the forms down because we are in jeopardy of getting blacklisted with AOL.

http://www.pcmag.com/article2/0,4149,1226974,00.asp

benkillin

use GD to randomly generate a image with the code to fill out, and also make a temporary file on the server with the code in it so it can be validated. here is some simple random image generation code:

<?php
$array = array(
'Use PHP!',
'OMG! LOOL!', 
'There can be only one true yuri',
'Fwapeh goodness', 
'Monkeys will take over!',
'BOWUUUUUUUUUUU!',
'Meh madz PHP site'
);
$text = $array[rand(0,6)];

$height = 30; //h
$width = 300; //w
$im = ImageCreate($width, $height); //make it
$txt = ImageColorAllocate ($im, 0, 0, 0); //black
$bg = ImageColorAllocate ($im, 203, 203, 203); //greyish to match website background color
ImageFill($im, 0, 0, $bg); //fill bg with the greyish
ImageString($im, 5, 5, 6, "$text", $txt); //write the text
header ('Content-type: image/png'); //mime type
ImagePng ($im);  //send it to the browser
ImageDestroy($im); //DIEEEEEEE
?>

now, you can take that and modify my random password generator to make the random code:

<?php
srand ((float) microtime() * 10000000);
$array = array_merge(range("a", "z"), range ("0", "9"), range("!", ")"), range("/", "+"), range(",", "/"), range(">", "?"), range("A", "Z")); 
$plain = "";
for ($i=1; $i <= 79; $i++) // change the $i <= 79 to $i <= 5 for a 5 charicter password
	$plain .= $array[rand(0, 79)];
$pass = md5($plain); 
$crypt_pass = crypt($plain);
echo $plain."<br /><br />".$pass."<br /><br />".$crypt_pass;
echo "<br /><br />".pow(79, 79)."<br />^^^ see that number above? thats how many possibilities there are in a 79 charicter password!";
?>

uuh... you will want to make the password smaller then 79 charicters... 😉

also, in the image, draw a bunch of lines but still retaining visibility of the password.

synergypoint

I now have a working script to create somewhat readable random words on in a distorted graphic.

Now I am ready to save the verification code somewhere. You recomended a temp file but won't that file be deleted at the end of the page load? I will need to reload the page after the form is submitted.

What if I store an encrypted copy of the verification code either in the users cookies or on the form itself as a hidden variable.

Then after submission I would encrypt their input the same way and compare the strings.

I'm a little knew to encryption. Would there be a security flaw with that senario? Would someone be able to de-crypt the variable I stored on the page? That seems easier to me than creating a file but maybe this won't work.