Securing Web Forms with Simple PHP-CAPTCHA

• Download source files - 2.2 KB

Introduction

In web available forms are always prone to attack by people who want to use your application for their own purposes. Many web sites use the CAPTCHA especially used to prevent bots from using various types of computing services. The applications include preventing bots from taking part in online polls, registering for free email accounts, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender pass a CAPTCHA test before the email message is delivered [implemented in Yahoo]. They have also been used to prevent people from using bots to assist with massive downloading of content from multimedia websites.

You have probably seen the CAPTCHA project in action at some of your Web destinations. Its principal tool is a randomly created image that contains a phrase unmentioned in computer-readable text on the rendered page. The form asks the user to provide the phrase. If the form post does not contain the correct phrase, you can safely assume either the human made a user error, or it wasn't a human at all.

Using the Code

Now it's time to put this code to work. A simple and often-used interface to implement this new security measure is the form on website. In this form you typically capture random numbers.

<form name="form1" method="post" action="form.php" ">
    <table width="342" align="center" cellspacing="0" bgcolor="#D4D0C8">
        <tr> 
            <td align="center">
                <img src="php_captcha.php">
            </td>
            <td align="center"> 
                Please enter the string shown in the image in the form.<br>
            </td>
            <td align="center">
                <input name="number" type="text">
            </td>
            <td>
                <input name="Submit" type="submit" value="Submit">
            </td> 
        </tr>
    </table>
</form>

The following code use to create random numbers and this number are embedding with existing image file, the first line used to initiate session, which use to carry the user inputs.

<?php

session_start();
$RandomStr = md5(microtime());
$ResultStr = substr($RandomStr,0,5);
$NewImage =imagecreatefromjpeg("img.jpg");

?>

The second line [md5 (microtime ())] use to generate the random string, and the resultant string is trim by using third line [substr], which returns the portion of string specified by the start and length parameters. The function imagecreatefromjpeg ("img.jpg") is use to create a image by existing image file and as back ground ,so that you need to give an image file path.

<?php

$LineColor = imagecolorallocate($NewImage,233,239,239);
$TextColor = imagecolorallocate($NewImage, 255, 255, 255);
imageline($NewImage,1,1,40,40,$LineColor);
imageline($NewImage,1,100,60,0,$LineColor);
imagestring($NewImage, 5, 20, 10, $ResultStr, $TextColor); 

?>

After creation of back ground image, we generate some linear line, which is use to avoid the phrasing from random numbers, the respective lines are create by the function named imageline () and imagestring () use to draw a random string horizontally.

<?php 

$_SESSION['key'] = $ResultStr;
?>

The resultant random number [trimmed one], carry through session especially for validation purpose.

<?php

header("Content-type: image/jpeg");
imagejpeg($NewImage);

?>

Finally above two functions are uses to display/out put the image to browser. So we can just call the particular file by through image source path, it will display the final image.

<?php

if(isset($_REQUEST['Submit'])){
    $key=substr($_SESSION['key'],0,5);
    $number = $_REQUEST['number'];
    if($number!=$key){
        echo ' Validation string not valid! Please try again!';
    }
    else
    {
        echo ' Your string is valid!';
    } 
}

?>

I hope you know about the above code functionality, it’s about validating the user in put and actual random number, depends upon the application you may use the if and else conditions, that’s all

Conclusion

CAPTCHA can be a great way to limit the amount of successful, unwanted HTTP POST requests in your application, CAPTCHAs are by definition fully automated, requiring little human maintenance or intervention in administering the test. This has obvious benefits in cost and reliability; I hope the simple code is useful to understand the concept. Happy CAPTCHA-ing!