Additionally, the point of Captcha is to create an image containing the captcha text. If you just put your captcha string in a form input, they'll still be able to automate posting to your form. If one must read an image file to see your captcha text, then this makes it MUCH harder to be cracked because one must write optical character recognition code to extract the code from the image.

You might want to try reading up on Captcha.

    sneakyimp wrote:

    Additionally, the point of Captcha is to create an image containing the captcha text.

    Not necessarily, no. The idea of a CAPTCHA is simple:

    A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.

    Nothing in that definition says anything at all about images.

    You might want to try reading up on Captcha. 🙂

      My bad. It is possible to have other types of captcha and I'm not familiar with them.

      However, in his case, I believe he has a hidden input with name="random_antispam" with the random sequence of chars displayed elsewhere in the form. Breaking this sort of captcha is trivial because all one must do is look at the source code for the form for the hidden input. Even if he were to change his spam check in the PHP code, it would be very easy for a spammer to game his form.

        in other words I shouldn't have this in my code?

        <input type="hidden" name="random_antispam" value="'.$random_antispam.'" />

        is that right?

        somehow I do need to send the correct captcha to the next page somehow...
        is it safe to send the 5 different letters of the captcha as 5 hidden form fields maybe?

          Using an image captcha is a very bad idea (Do you know anyone who is blind? Ask them what their opinion is on this matter).

          There are alternatives, I've just put one on the contact form of my own site. Basically, you have an array of text values, so 1 is 'the number of heads you have', etc. The resulting mathematical string would be something like "the number of heads you have * the highest prime below ten". This is displayed to the user, and a hidden field in the form contains an MD5 hash of this string and some other bit of information (timestamp, whatever) which is stored on your server somewhere (DB, session, etc) alongside the result of that equation.

          When the user fills in the form, the hash is compared with what is stored on the server to get the actual result of the equation, and this is then compared with what the user sent. So at no time does the user ever see the raw answer, it's fully accessible to visually impaired, and your form is still protected. Also, it's a lot less processor intensive than any image functions.

          For a bit of variety, you could have several strings which equate to the same number, to avoid any spam bot from "learning" your values (if you have enough it increases the effort a spammer has to go to, and beyond a certain point it's not worth their time)

            Ashley Sheridan wrote:

            Do you know anyone who is blind?

            Yes.

            Ashley Sheridan wrote:

            Ask them what their opinion is on this matter

            They're about as indifferent as I am towards them. Actually, perhaps even less than me - they go straight to the audio recording, whereas I'm sitting there squinting and cursing trying to figure out if that 5 or S is actually just some squiggly marks to deceive a spammer (who probably has fine-tuned his CAPTCHA reader to filter it out anyway).

              A protracted discussion of CAPTCHA techniques is a worthy exercise, but let's try and help the original poster.

              marcnyc: As we've said, the point of CAPTCHA is to present a task which is a roadblock to computers but very easy for humans to do. Parsing an image file for text (also known as OCR) or to implement voice-to-text are good examples. Ashley proposes natural language parsing, another option. I would posit that one needs an enormous variety of questions and answers to make this last option viable. If the answers are integers 1 through 4, one has a 25% chance of just randomly guessing.

              In your case, if you are asking a visitor to simply enter a value that is displayed in your form. Granted, it's displayed as hidden text but this is hardly an obstacle because one can just quickly set up a script to inspect the source HTML of the form, locate the string, and enter it.

              One way to do it goes like this:
              1) generate a code (or question) and store it in $SESSION
              2) Think of a way to display the code or question on your form such that a computer can't figure it out. Showing the code as an image (or audio file) is the most common way to do so. Ashley's got a point that a natural language question is easy to display and easy for blind folks to access.
              3) When people submit the form, compare what they've entered to whatever you put in $SESSION. If they match, they get access. If not, let them try again.
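Putting Brad's three steps and Ashley's phrase-bank idea together, as an added example in PHP (not code from any poster; the PHRASES bank, the field names and the 10-minute expiry are assumptions): the answer lives only in the session, so nothing in the page source reveals it, and each challenge is single-use.

```php
<?php
// Added example (not code from any poster): a natural-language challenge stored
// server-side in the session, following Brad's 3 steps and Ashley's phrase bank.
session_start();

// Assumed phrase bank: several wordings per value, so the displayed text varies
// while the expected answer stays the same (Ashley's "variety" point).
const PHRASES = [
    1 => ['the number of heads you have', 'the number of noses you have'],
    2 => ['the number of hands you have', 'the number of eyes you have'],
    7 => ['the highest prime below ten', 'the number of days in a week'],
];

function make_challenge(): string {
    $values = array_keys(PHRASES);
    $a = $values[random_int(0, count($values) - 1)];
    $b = $values[random_int(0, count($values) - 1)];
    $textA = PHRASES[$a][random_int(0, count(PHRASES[$a]) - 1)];
    $textB = PHRASES[$b][random_int(0, count(PHRASES[$b]) - 1)];
    // Step 1: only the server knows the answer; no hidden field carries it.
    $_SESSION['antispam'] = ['answer' => (string)($a * $b), 'issued' => time()];
    return "$textA * $textB";
}

function check_answer(string $submitted): bool {
    if (empty($_SESSION['antispam'])) {
        return false;
    }
    $stored = $_SESSION['antispam'];
    unset($_SESSION['antispam']);           // single use: a replayed form fails
    if (time() - $stored['issued'] > 600) { // challenge expires after 10 minutes
        return false;
    }
    return hash_equals($stored['answer'], trim($submitted));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (check_answer($_POST['antispam_answer'] ?? '')) {
        echo 'Thanks, message accepted.';
    } else {
        echo 'Wrong answer, please try again.';
    }
}
$question = make_challenge();
// Step 2: render the question as plain text (readable by screen readers).
echo '<form method="post">'
   . '<label>What is ' . htmlspecialchars($question, ENT_QUOTES, 'UTF-8') . '?</label>'
   . '<input type="text" name="antispam_answer">'
   . '<button type="submit">Send</button></form>';
```

With a bank this small the product space is tiny, which is Brad's point about guessing; a real deployment needs far more phrases and values.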

                Brad, and what about those people who are unfortunate enough to be both blind and deaf? I'm not, and I don't know anyone who is, but I think the natural language captcha (thanks Imp, I didn't know what to call it before!) is the way to go. Sure, what I wrote for my own site needs some work to make it a bit better, but I think accessibility is far more an important issue than a bit of spam.

                  Ashley Sheridan wrote:

                  Brad, and what about those people who are unfortunate enough to be both blind and deaf?

                  What about those people who are blind, deaf, dumb, and stupid? What about.......

                  At some point you just have to stop the "What if" type questions and settle on an answer. What if the person visiting your site didn't speak English? Do you translate your websites to every language known to man?

                    Well, if the site's content is in English, I'd see no particular reason why the captcha should be in other languages, but if the site was multi-lingual, then sure the captcha should be too.

                    I know it seems like a small minority of your visitors might be affected by this, but I think the work involved in making the change is worth the return. I'm not saying mine is necessarily the "best" solution, but I am saying that traditional captchas with an audio fallback aren't the best solutions.
