CAPTCHA is an acronym for "Completely Automated Public Turing Test to Tell Computers and Humans Apart". As the name suggests, it's a test to tell whether the user is a human or a computer. In this post, I will share a simple technique to create a CAPTCHA, which I used in some of my first PHP projects.
Here is the HTML code to create the form (index.php):

```php
<!-- index.php -->
<form action="login.php" method="post">
<table width="300" cellpadding="5" cellspacing="0" border="0" bgcolor="white">
  <tr>
    <td><div class="txt">Username</div></td>
    <td><input type="text" size="30" maxlength="18" name="username"></td>
  </tr>
  <tr>
    <td><div class="txt">Password</div></td>
    <td><input type="password" size="30" maxlength="18" name="password"></td>
  </tr>
  <tr>
    <td>
      <!-- Create random number for security check -->
      <?php $t1 = sha1(time() . rand(1, 999)); ?>
      <img src="index_button.php?t1=<?= $t1 ?>">
      <input type="hidden" value="<?= $t1 ?>" name="tc2">
    </td>
    <td><input type="text" size="30" maxlength="8" name="tc"></td>
  </tr>
  <tr>
    <td> </td>
    <td><input type="submit" size="30" value="launch"></td>
  </tr>
</table>
</form>
```

The code is calculated by the expression sha1(time().rand(1,999)), which takes the SHA-1 hash of the current timestamp concatenated with a random number (from 1 to 999). Then, the code is passed to index_button.php to generate the CAPTCHA image:

```php
<?php
// index_button.php
header("Content-type: image/png");

// 5 characters taken from the MD5 hex digest of the token
$string = substr(md5($_GET['t1']), 7, 5);

$im = imagecreatefrompng("b0.png");        // background image
$color = imagecolorallocate($im, 0, 0, 0); // black text

// center the text horizontally; imagestring() expects integer coordinates
$px = (int) ((imagesx($im) - 8.5 * strlen($string)) / 2);
imagestring($im, 5, $px, 2, $string, $color);

imagepng($im);
imagedestroy($im);
?>
```

The code takes 2 inputs:
+ $string: a string of 5 chars (ex: 68897) calculated from substr(md5($_GET['t1']),7,5)
+ $im: the background image loaded from the file b0.png

It then uses the function imagestring to draw the string $string in the image identified by $im, with the upper-left corner at coordinates ($px, 2) (top left is 0, 0), in color $color. The function imagepng($im) then outputs a PNG image to the browser. (Note: you must use header("Content-type: image/png") to inform the browser that the content is in PNG image format.) imagedestroy($im) is used to destroy the image $im and free the memory associated with it.
After that, the rendered image will be displayed in index.php. As you can see, there is a random text code rendered in the image. To log in, the user has to key in the correct username, password and also this code. In this example, the code (ex: 68897) changes when the user refreshes the page. I use a hidden input to pass the value $t1 to login.php to verify the input after submission, as below:

```php
<?php
// login.php
// mysqli replaces the mysql_* functions removed in PHP 7; "p:" requests a persistent connection
$db = mysqli_connect("p:localhost", "root", "root", "database");

$un = $_POST['username'] ?? '';
$pw = $_POST['password'] ?? '';

// check security code first, then check username and password later
if (strtolower(substr(md5($_POST['tc2'] ?? ''), 7, 5)) === strtolower($_POST['tc'] ?? '')) {
    $un = mysqli_real_escape_string($db, $un);
    $vstring = "SELECT * FROM list_users WHERE username='" . $un . "'";
    $vresult = mysqli_query($db, $vstring) or die(mysqli_error($db));
    $vrow = mysqli_fetch_array($vresult);

    // strict comparison: with ==, two different "0e..." digests compare as equal numbers
    if ($vrow && md5($pw) === $vrow['password']) {
        // execute other code...
    }
}
?>
```

This is a very simple technique I use to prevent dictionary attacks and brute force attacks for login pages. You can modify and improve it as you need, for example:
+ Change the background image, texture color
+ Create more noise for the image to prevent text recognition
+ Change to a more complex algorithm to generate the string…

Some of the applications:
- Online polls: the poll requires that only humans can vote.
- Free email services: stop "bots" that sign up for thousands of email accounts every minute.
- Search engine bots: a CAPTCHA image guarantees that bots won't enter a web site.
- A solution against email worms and spam: an email is accepted only if I know there is a human behind the other computer.
- Preventing dictionary attacks and brute force attacks for login pages.

To find out about more complex CAPTCHA techniques, you can visit the links below.
- CAPTCHA home page
- Breaking a Visual CAPTCHA
- Visual and Audio CAPTCHA Generation Class (PhpCaptcha)
- Toughen Forms' Security with an Image
- Anti-spam techniques in PHP
- freecap - PHP CAPTCHA script
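The check in login.php derives the expected code from the hidden field tc2 with substr(md5(...),7,5), so the form itself carries everything needed to compute the answer without reading the image, and a tc2/tc pair never expires. The following added example (not the original post's code) keeps the answer in the server-side session instead and makes it single-use with a time limit. The function names, the `captcha` session key, the alphabet and the 120-second lifetime are assumptions.

```php
<?php
// Added example, not part of the original post. All names here are hypothetical.
const CAPTCHA_TTL = 120; // seconds an issued challenge stays valid (assumed value)
const CAPTCHA_ALPHABET = '23456789abcdefghjkmnpqrstuvwxyz'; // skips 0/o and 1/i/l

// Called by the page that renders the form: creates and stores a fresh answer.
function captcha_issue(array &$session, int $length = 5): void
{
    $answer = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $answer .= CAPTCHA_ALPHABET[random_int(0, $max)]; // CSPRNG instead of time()/rand()
    }
    $session['captcha'] = ['answer' => $answer, 'expires' => time() + CAPTCHA_TTL];
}

// Called by the image script: the text to draw with imagestring().
// The <img> URL and the form no longer need to carry any token.
function captcha_text(array $session): ?string
{
    return $session['captcha']['answer'] ?? null;
}

// Called by login.php before the username/password check.
function captcha_verify(array &$session, string $input): bool
{
    $challenge = $session['captcha'] ?? null;
    unset($session['captcha']); // consumed on every attempt, pass or fail
    if (!is_array($challenge) || time() > $challenge['expires']) {
        return false;
    }
    // constant-time, case-insensitive comparison (the post also lowercases input)
    return hash_equals($challenge['answer'], strtolower(trim($input)));
}

// Constructed demo: a plain array stands in for $_SESSION after session_start().
$session = [];
captcha_issue($session);
$shown = captcha_text($session);
var_dump(captcha_verify($session, strtoupper($shown))); // correct answer, typed in upper case
var_dump(captcha_verify($session, $shown));             // same answer replayed after it was consumed
```

In a real deployment, call session_start() at the top of index.php, index_button.php and login.php and pass $_SESSION to these functions.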