Image Verification Question

my_name

I have a question about image verification.

Most of the ones I've seen (such as the example at http://theomega.org/security/) basically take a random set of characters, put them into an image, and send a hashed version back to the browser within a hidden field. Then, when the user submits the form, the script takes the user's response, hashes it, and compares that hash with the old hash that was sent to the script as a hidden field (i.e., md5($POST["response"]) == $POST["hidden"]).

My question is this: what's stopping someone from taking any set of characters, hashing it on their own, and sending that character/hash combination to the script? Wouldn't that work and effectively bypass the security measure?

bizpile

I actually wrote that script and I can tell you that if you tried what you suggest, it would not work (at least for my script). My script checks to see if the image with the generated hash actually exists on the server. If someone makes their own hash and submits it, there will be no corresponding image on the server and their submission will be rejected. Also, after an input has been verified, the image is deleted and cannot be used again.

Please feel free to ask any other questions about my script.

-Seth Miller, http://theomega.org/