EasyCaptcha.php

kestas.kuliukas.com

EasyCaptcha.php

What it is

A PHP captcha script, requiring users to enter in a code from an image to verify that they are human and not a spam bot.

Features/What sets it apart

Easy to install into your own code
Easy to customize
Small amount of code involved
Portable, limited requirements
Open source BSD license lets you install/modify/distribute the code as you like
Doesn't need to write any data to a database or files; which means fewer security concerns and easier installation

Example

How it works

easycaptcha.php displays the image, and sets a cookie. The cookie is an MD5 hash containing:

The random captcha code
The user's IP address
A secret code

Because a secret code is used the captcha cookie tokens cannot be forged, which means that only easycaptcha.php can generate a valid captcha cookie.

The user submitted captcha code, user's IP address, the time, and the secret code are used by the validation code to create a new MD5 hash. If the new MD5 hash is the same as the one given then the hash is valid, and the captcha was entered correctly by the same user that saw the image.

The time is then checked to make sure that the captcha is less than 5 minutes old, to stop the same cookie from being used over and over.

To put it in simplified pseudo-code:

User views captcha page:
	User -> IP
	
	Captcha-token = Scramble <- (Captcha-code + IP + Secret-code)
	
	User <- Captcha-token

User solves the captcha, submits answer:
	User -> IP, Captcha-code answer, Captcha-token
	
	New token = Scramble <- (Captcha-code answer + IP + Secret-code)
	
	IF Captcha-token = New token
		User <- "Correct! You are a human."
	ELSE
		User <- "Incorrect, please try again."

Requirements

PHP4.2+ (May work with older versions)
GD with FreeType enabled

Install

1. Replace "OASDOIJQWOIJDASDOI" in captcha/easycaptcha.php, and the code snippets below, with a different secret code.
2. Copy the EasyCaptcha directory into the directory which contains the code you want to protect.
3. Copy the two code snippets below into the appropriate places. One snippet shows the captcha image, the other snippet validates the captcha hash.

Print captcha image code: Insert this code into the registration/comment form, where you want the user to view the image and enter the captcha code in.

print '<img src="captcha/easycaptcha.php" /><br />
	
	Enter code from above image: 
		<input type="text" name="confirm_code" />';

Validate captcha token code: Insert this code whenever you want to make sure the user can go no further if they haven't entered the captcha.

if (empty($_REQUEST['confirm_code']))
{
	die("Confirm code not given.");
}
else
{
	if ( isset($_COOKIE['Captcha']) )
	{
		list($Hash, $Time) = explode('.', $_COOKIE['Captcha']);
		if ( md5("OASDOIJQWOIJDASDOI".$_REQUEST['confirm_code'].$_SERVER['REMOTE_ADDR'].$Time) != $Hash )
		{
			die("Captcha code is wrong.");
		}
		elseif( (time() - 5*60) > $Time)
		{
			die("Captcha code is only valid for 5 minutes.");
		}
	}
	else
	{
		die("No captcha cookie given. Make sure cookies are enabled.");
	}
}

Download

View the source of the sample used in this page.

Download EasyCaptcha

Install guides for phpBB 2 and phpBB 3 (Update 14/3/09)

Replaces the broken phpBB capture seamlessly

See this guide for info on installing into phpBB2/3 specifically, or if you want to install to a different piece of software and want to see what's typical.

Using EasyCaptcha for e-mail validation

E-mail validation step 1

If you're using EasyCaptcha for user registration you'll need to validate e-mails with as little fuss as possible, and this can also be done very simply and elegantly using EasyCaptcha.

Credits

Thanks to the Edward Eliot for PhpCaptcha (BSD licensed): PhpCaptcha contains the image generation code, EasyCaptcha acts as a wrapper around it, using standard PhpCaptcha options to make a good captcha and providing file/database-free captcha-code validation.