That’s funny, I was just looking for this at this second

Good

Hey Jeffrey, quick question: Do you have a time of the day when you post articles to the website? I often end up checking your website too many times too often everyday before I see a new article. (Tells you how much I enjoy this site.
————————-
– Another great tut!!
——————-

“Ever get hit with spam through the contact form on your personal site?”

–understatement of the century !

Never heard of RSS..?

You should use ReCaptcha and help digitize books. It works awesome and its extremely simple to implement.

Doesn’t look too hard to get past? At the very least some other font than the world’s most common one should probably be used…

Good intro.

Hi,

some things about this code, there is an error in captcha.php on line 21
it’s not $_SESSION['random_code'] but $_SESSION['rand_code']

there is also a security problem with this captcha

let say i saw the image and the code displayed is abcde so now i see that $_SESSION['rand_code'] = ‘abcde’ so if i don’t display again the image i can submit the form another time and another time without changing the code but i can the change the email and message. In the case of a contact form it’s not critical, but if it was a send to friend alike form, i can literaly spam.

(sorry for the bad english

Great tut!

The only problem I could see is that blind users might need to hear the text and that’s where reCaptcha has the upper edge.

I’d like to see this built out with a hidden form field that should remain empty but that tempts ‘bots into submitting a value. If you have little to no knowledge of PHP but still need a secure contact form, I’d recommend Green Beast’s Secure and Accessible Form Script http://green-beast.com/gbcf-v3/ Nice tut!

A bit of a start, but not that good. Captchas like this are easily detectable by bots. Bots normally crack captchas by splitting each letter apart and analyzing them. This defeats the purpose of the captcha.

To make a secure captcha you should make the letters mesh as close together as possible while remaining readable. Like Geekbay said you should not store the plain-text in a session. Instead, you should hash it, and then compare the hashed user-inputed value to the original hash. And like Jesse said you should also have a hidden input field that tempts bots to enter a value.

Here’s a good article on this:
http://pushingbuttons.net/?post=103
http://pushingbuttons.net/?post=104

The captcha image does not work for me. Maybe it’s a font thing? Can someone explain what is meant by…

“if you receive errors, make sure your script can link to your .ttf font file”

Is this why it does not work.

- PS. I’m using a Mac, does that matter?

Not a bad tutorial… only problem is the text in the image this script creates is so simple to OCR that it won’t stop most bots. I recommend checking the captcha scripts that comes with CodeIgniter. Towards the end of the script you’ll see the code that distorts the text… although even this won’t trick the really high end bots. Check out the script on their public SVN: http://dev.ellislab.com/svn/CodeIgniter/trunk/system/plugins/captcha_pi.php

nice tut for starters

Good tutorial! also you can add some noise to the image

this is another cool and useful tuts again thanks.

In the imagettftext you use $alt instead of $color, which causes an error. Your full code later on is correct though

This is very useful. I hate some of the downloadable ones because you can’t customize them enough. This way I can do it myself!

great tut man, nice, ill sure be using this.

Although I do enjoy this tutorial I can’t help but wonder that this wouldn’t prevent most bots. Doesn’t the text need to be distorted and skewed enough for the bot to not be able to split and decipher it?

Two points really. Firstly don’t use action="" otherwise you are vulnerable to XSS attacks. Why not use action="" ?

Secondly as geekbay pointed out, if the image isn’t reloaded the captcha text isn’t changed. I would put
$string = '';
for ($i = 0; $i < 5; $i++) {
// this numbers refer to numbers of the ascii table (lower case)
$string .= chr(rand(97, 122));
}
$_SESSION['rand_code'] = $string;
at the bottom of your second script so every time it is submitted the captcha is redefined. At the top of the first script use
$string = isset($_SESSION['random_code']) ? $_SESSION['random_code'] : '';

Sorry that last comment was completely mashed up by wordpress it should say

Firstly don’t use action=”<?php echo $_SERVER['PHP_SELF']; ?>” otherwise you are vulnerable to XSS attacks. Why not use action=”" ?

And that last comment still isn’t perfect Jeffrey why aren’t code tags allowed in comments? Surely that is obvious on a site like Nettuts?

Very cool tutorial. One thing I would like to see is the code, after successful submission, take you to another URL, and have that be set somewhere easy to access. This is an awesome tutorial, and I will use it on my next HTML site.

Thank you!

Very useful! Thanks

I’ve always wondered if there isn’t a better way to handle spam than a CAPTCHA, but so far, I haven’t found a decent method other than honeypots of some sort of bayesian spam filters. As CAPTCHA’s go, this one will only prevent the simplest of spam bots because the text isn’t distorted, it’s all on the same line, there are no lines through it, all the letters are the same color, and there is no noise. Anything with image recognition will go through this pretty easily.

As others have mentioned, reCaptcha is a good option, as is Akismet, a spam filtering service.

It is a great tut fallen from heaven for me, I have searched something like this for my blog.

its always PHP, i think i must also learn PHP as there are not much ASP.net here, or search for a site where i can find quality tutorial like here.

thanks for it,

I tried this out and my image shows different characters than $_session['random_code'] and therefore it fails everytime. Any ideas?

Having just coded a simple message board for my personal site and disabled it less than 24 hours later due to spam this is exactly what i need right now. Great tutorial. I will also include the hidden field method as mentioned above when i implement a captcha to my site.

I’ve been thinking about other methods and wondered if asking a simple question that only humans would understand would provide further security? ie. if simple questions such as ‘What colour is the sky?’, ‘How many hours in a day?’ etc and their answers were stored in a database, surely this would fool a bot?

WoW!

Thanks for this great tut. This is the type of stuff that makes me want to keep expanding my knowledge on PHP. Keep up the great job

CAPTCHA has already been defeated and is an extra hurdle for visitors. It shouldn’t be used and there are many better spam-detection methods. Don’t waste your time.

as a paranoid supersecurityguru this is way to easy to decode for a non human ocr tool

see this: http://caca.zoy.org/wiki/PWNtcha

Highly insecure !!!!!!!!!!

Sorry for this comment, but that’s the truth.

1) Using sessions for a “secret code” without any encryption.
2) The image does look nice and clean, but bots can easily get the code from it.
…

this has mostly made sense to me, however how do you tell it where to submit the form to?

very useful

Despite a few people pointing out a few niggles with this TUT, the basics for getting your own captcha to work and the coding behind is great.

Good job Zachary.

Grate, Tutorial

Thanks for sharing

this is the best SITE I’ve ever seen

SPB. from Russia

A very poor system, a simple bot can bypass it… Maybe with some “noise” on the image the system could be better…

I have this error when I’m testing the captcha.php file: Fatal error: Call to undefined function imagecreatetruecolor() in /Library/WebServer/Documents/e-car/e-car/captcha.php on line 15

Heh, cracking this captcha is so easy it barely needs mentioning at all :

> convert 2.jpg -crop 150×50+10+90 2p.png
> gocr 2p.png | sed -e ’s/ //g’ | sed -e ’s/I/l/g’
mfelr

Hmmm captcha cracked. There isn’t even the need to train the recognition engine, no need to get a neural network up, nothing.

I wouldn’t really bother fixing it though. Real captcha cracking tools have long since left “normal”* human 2d recognition skills behind.

* normal as in what you could expect from a random visitor. Of course you could easily ask hard domain-specific questions, or challenges, but there’d be lots of humans not capable of responding to your captcha too. In fact, several people in my family are already complaining captchas are getting too hard.

I doubt you’ll get many years of peace and quiet with domain-specific questions either, though. Markov chains can easily give “human” answers to textual questions, or stuff like calculation challenges, or “Marilyn ….” “… Bush” (fill in the blank) type questions, no matter how general you make them.

Good tutorial for beginners. Thank you.

Great little tutorial, I have quite a few projects at the moment which could do with something like this. I’ve never created a captcha before so nice tutorial for the beginner.

yeah i needed this two days ago… glad its here!

This one I have to try! These captchas drive me angry sometimes but it doesn’t matter since security comes first. And I found it surprising ’cause it’s easier than I thought. And it’ll be interesting in some websites I’m doing. Thanks!

how can i set it up so it sends it to my e-mail?
where is this sending?

Using rand() is an even worse idea than mt_rand(). Common, predictable random functions like those two can be cracked. For a small scale CAPTCHA (like this one, especially with the easy to crack font), not a problem, but it’s still not a very good idea to just use rand() in a tutorial for beginners.

Then again, you fall into the same trap almost every tutorial site on the internet – there’s little in the way of advice on this, as far as my quick few google searches could tell and I could remember. Most security info obsesses over XSS and CSRF (and SQL Injection) and skims everything else.

If anyone’s interested in this, see http://zly.me/c760/ for some information on the matter.

First, thank you to everyone for the replies. I’m glad to see this sparked some discussion.

And I’m sorry for the two typos in the code. They have been fixed in the source download.

As always we find here resources than make us back one and once again;
Thanks nettuts people!

A lot of complaints about the Captcha script I see..

But what is a more secure way than? Using something like: “Give the answer of 5 times 5″ ? Something like that?

I like the tutorial though, I’ve never created images with php.

Personally, I would include a hidden field in the form and check to see if it has been filled.

I would also have an alternate check where the person might have to type in the colour of a particular letter instead of the random string itself.

Even though it’s a good start I wouldn’t rhyme with this implementation. As many of you pointed out here this can easily be botted and that of course deceits the purpose. But certainly you can use this as a base and improve on it 200 times to have a secure CAPTCHA implementation.

great tutorial for a beginner like me. i will also have to try some of the suggestions other people suggested for this too.

Even though a lot of people seam to nitpick on how easy it is to crack, PEOPLE must not forget about that he spent time on creating this code and tutorial for basic users to actually comprehend what it’s about, the basic idea and for that people should be thanking him just like im about to do.

Good tutorial and i just love your website, it is so clean and the layout makes you fall in love with it.

I’m new @ this:

ok, so I put this line in the contact.php file and it sends an e-mail but it’s empty and it doesn’t display the e-mail it’s sending it from:

// Send
mail(‘xxxxxxxxxxx@gmail.com’, ‘email’, ‘message’);

what am I doing wrong? or what am I missing?

Nice tutorial, As I read this I decided to post my cusom Captcha Source code.

If you interested, take look at:

http://www.dobrotka.sk/blog/creating-a-captcha-with-php-and-mysql-database/

Maybe i`s not the best one, but you can try and customize if you like.

Hi
I love the discusion and I so new to this that my ming is going nuths.
I love the thutorial i ma use to cgi forms and php is very very new to me,I agree with alot of you, script mightbe simplistic or mightbe not scure as it should ,but remeber this is not a final product and it is given as somthing to fall back on and somthing tostart form…
Now I need some help
I used to cgi forms and on this tutorial
form is not pointing to mailing engine, unless I miss somthing..

<form action=”" method=”post” enctype=”multipart/form-data”>
I ma use to point from action to a mailing engine, so how do i make this form mailed?

I try another miler form the i loos COPTCHA function..
Any way any sugestion would be appreciated
( soory for my typing not the best , i might have some typos)

http://www.sitepoint.com/blogs/2009/05/14/captcha-alternatives/

Tsk tsk, avoid CAPTCHAs they are bad for the user interface, often you can avoid them.

The line exit(); should also be included in captcha.php. I’m a beginner at this and it took me a while to figure this out! Before I added that line, captcha.php was creating a blank PNG image without any letters on it

Good tutorial though, thanks for posting this, great for a beginner like me.

Great tut! The Captcha image concept is very similar to using a randomly generated token, storing in it, and then checking it upon arrival at our processing script. Very good tut!

great tut…thank u

This tutorial has several critical mistakes, which make it unworkable.

1) on the 4th step: imagettftext($image, 30, 0, 10, 40, $alt, $dir.”arial.ttf”, $_SESSION['rand_code']); – $alt doesn’t exist, there must be $color;

2) on step 7: <form action=”" method=”post” enctype=”multipart/form-data”> – action of the form must be the link to the file where the validation is taking place.
enctype=”multipart/form-data” isn’t needed here.

3) on step 7: – type must be “submit”.

I’m sorry but his is the worst tutorial I’ve ever seen on here, you have left out variables in one part and added them later etc need i go on, not too mention the type=reset name=submit situation in step 7 then changing it at the end.
Awful Awful Awful!!!!

Thank you for this… I just can’t understand why some people here are complaining about things like it can be hacked, it is XSS vulnerable.. bla bla bla.. This is a tutorial about basic captcha and it is quite helpful.. Like many said before me, if someone complains he/she should write a better one and stop complaining, you make me sick

Can you guys at least make sure your tutorials work?
Can you check the comments to see the mistakes made and update tutorials?

Two errors in the imagettftext() $alt should be $color and $rand_code should be $random_code.

Also you should not be sending the header() after you create the header with the session_start()

Both these simple mistakes make the code unworkable and for someone learning PHP these might be really big problems for them.

And this tutorial is over a month old?

The author of this obviously did not even test their code cause it would fail right?

Nice Read and really a Good article.

Nice tutorial dude. can i put a back ground image on that generated capcha ?

Another change to note is that:

$_SESSION['rand_code'] = $string;
imagettftext ($image, 30, 0, 10, 40, $color, $dir.”arial.ttf”, $_SESSION['random_code']);

the session keys should probably match…

I prefer recaptcha anyway.

Nice tut

Where would I put

// Send
mail(’mymail@example.com’, ‘My Subject’, $_POST['message']);
In this document?

Let us treat the inner biomedical issues, not just the outer behavioral issues, and maybe these kids will simply act better. ,

thanks for this great tutorial.

Even though this captcha does not seem to secure, I still believe that this is a wonderful starting point.

Nice Good Job

Nice
Its Good Because Define With Easy Way