which one is better?

PHPycho

Which one do you prefer among the two?

function genRandomNo($length = 5){	
	$string = substr(md5(uniqid(rand(), true)), 0, $length);
	return $string;
}

function genRandomNo($length = 5){	
	$string = substr(md5(microtime() * mktime()), 0, $length);
	return $string;
}

also you can suggest alternatives.

Thanks

halojoy

Your both functions will do the job.

I wrote a captcha script last week.
And generate random 5 chars for my captcha image.
This is what I use:

<?php
$text = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz0123456789'),0,5);
?>

Would give a function like this

<?php
//$text = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz0123456789'),0,5);

function genRandomStr ($length = 5){

$charstr = 'abcdefghijklmnopqrstuvwxyz0123456789';
$string = substr( str_shuffle($charstr), 0, 5 );
return $string;
}

// Test genRandomStr()
for($i=0;$i<10;$i++)
	echo genRandomStr().'<br />';


?>

TheoGB

I've had more luck with CAPTCHAs that are simple maths problems using random number but which display the numbers as text versions but expect a numeric response.

E.g. Ten + Three =

I found with words the bots can pick them out but with the above they have to be designed to read the words and then work out they have to provide a numeric sum.

halojoy

I found with words the bots can pick them out

Have you experienced bots pick correct text from an image captcha?
And in that case, how do you know it was a bot and not a human?
(sure there are now intelligent image scanners, but how many spammers have those)

If you mean bots can pick a word out, if you write it to screen
as a pure TEXT captcha.
Of course they can, as the text is in some form in the HTML Source.

Math captcha.
It is a nice thing. And I think it is pretty secure.
I see more and more use such questions as you describe
that only a human would know the answer.

TheoGB

halojoy;10945652 wrote:
Have you experienced bots pick correct text from an image captcha?
And in that case, how do you know it was a bot and not a human?
(sure there are now intelligent image scanners, but how many spammers have those)

If you mean bots can pick a word out, if you write it to screen
as a pure TEXT captcha.
Of course they can, as the text is in some form in the HTML Source.

Math captcha.
It is a nice thing. And I think it is pretty secure.
I see more and more use such questions as you describe
that only a human would know the answer.

I don't know really (well, obviously!), I just found that CAPTCHA wasn't as effective as I'd hoped. I'd rather people could read the text fairly easily and just do a simple addition or subtraction than strain trying to make sense of what they're reading.

laserlight

PHPycho wrote:
Which one do you prefer among the two?

The first one, mainly because this use of uniqid() is rather idiomatic compared to the second version which theoretically can be deduced if you know the instant of time in which it was computed.

PHPycho wrote:
also you can suggest alternatives.

halojoy's suggestion has merit, but it has the property that elements are not repeated. This actually reduces the total number of possibilities. It may be better to just select at random from the entire range until the required number of characters has been reached.

halojoy wrote:
Have you experienced bots pick correct text from an image captcha?
And in that case, how do you know it was a bot and not a human?

Indeed bots can pick correct text from an image CAPTCHA, depending on the quality of the CAPTCHA and the bot 🙂
However, it is also common for a man in the middle attack to be used instead, e.g., the bot takes your CAPTCHA image, uses it as a CAPTCHA for a porn website, and then fills in the answer that the porn viewer provides.