My Die Captcha

[mase]

For those who don't know, captcha is the image that has random numbers/letters in it when you register on most sites.

HTML:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Mase tests Register</title>
</head>
<script type="text/javascript">
var caps = new Array;
caps[1] = "side1.gif";
caps[2] = "side2.gif";
caps[3] = "side3.gif";
caps[4] = "side4.gif";
caps[5] = "side5.gif";
caps[6] = "side6.gif";
function setCap(){
	var form = document.getElementById('capval');
	var rnd = Math.floor(Math.random()*6)+1;
	var img = document.getElementById("capimg");
	img.src = caps[rnd];
	form.value = rnd;
}
</script>

<body onload="setCap()">
<img id="capimg" alt="" src="" />
<form action="process.php" method="POST" name="registerform" id="registerform">
	<input type="hidden" name="capval" id="capval" value="" />
	<select name="cap">
	  <option value="0" selected="selected">Choose One</option>
	  <option value="1">Side 1</option>
	  <option value="2">Side 2</option>
	  <option value="3">Side 3</option>
	  <option value="4">Side 4</option>
	  <option value="5">Side 5</option>
	  <option value="6">Side 6</option>
	</select>
	<input type="submit" value="OK" />
	<input type="hidden" value="reg" name="action" />
</form>
</body>
</html>

PHP:

<?
	$caprealanswer = $_POST["capval"];
	$capanswer = $_POST["cap"];
	if ($capanswer == $caprealanswer){
		echo "Correct!<br />";
	} else {
		echo "Incorrect!<br />";
	}
	echo $capanswer . "<br />";
	echo $caprealanswer
?>

HTML/PHP/Images in a zip attached.

 

[Rinpun]

Pretty good. However, if I may offer constructive criticism, people can get around this captcha by searching automatically for the images mentioned (someone can view source, work on figuring it out, and write a program to look for it). To make this harder, I suggest you find some way of taking those images and randomizing their name. That is, take side1 and turn it into side1_EAP2523JO235KE253.gif temporarily. Not sure how I can explain it, but hopefully you understand what I mean.

 

[DDRtists]

Too easy.

They make an EXE that scans the page, then searches for pixels. BOOM, they got the number.

Thats how a lot of bots do things.

 

[Tonks]

Better yet, have a question with a dropdown menu. "Are you a Bot?" [Yes (Default)], [Yes], [No].

It catches most bots.

 

[DDRtists]

Make easy questions like these:

4+6=
What does R + E + D Spell?
Are you a bot?

And if you want to make it harder for them to guess, randomly spell some things wrong.

 

[phyrex1an]

You don't even have to write a program. Breaking this captcha only requires minor html skills. Also, someone with javascript turned of wont be affected by this script.

Just create this form on your local computer and add values as you wish (eg login info or registrer info)

<form action="urltosite.net/process.php" method="post">
	<input type="hidden" name="capval" value="1" />
        <input type="hidden" name="cap" value="1" />
	<!-- Other fields -->
	<input type="submit" value="OK" />
	<input type="hidden" value="reg" name="action" />
</form>

It's a very bad idea to have the user submitt both the input value and the controll value in a captcha...

 

[mase]

Well, I'm going to redo the captcha to use PHP instead of JS so I can create random images with PHP and save the letters in the form (capval) and then send it.

 

[Persen]

Usually, the image is just GD generated = no file on drive

 

[DDRtists]

OKay...

1. Make it PHP.
2. Make it Random Images with the GD Module.
3. Store the string in a session variable.

If you store it in a session variable, they can't get to it...

 

[mase]

My Captcha v2!!

Under reconstruction...

Uses php to create a random 10 letter lower case sentance with letters and numbers.

reg.php

<?
	session_start();
	$ip = $_SERVER['REMOTE_ADDR'];
	$alphabet = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0');
	srand(time());
	$randstr = "";
	for ($i=0; $i<10; $i++){
		$random = (rand() % sizeof($alphabet));
		$randstr .= $alphabet[$random];
	}
	$_SESSION["capval" . $ip] = $randstr;
	$im = @imagecreatetruecolor(100, 25) or die("Cannot Initialize new GD image stream");
	$text_color = imagecolorallocate($im, 255, 255, 255);
	imagestring($im, 2, 10, 5,  $randstr, $text_color);
	imagejpeg($im, 'capimg.jpg', 100);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Mase tests Register</title>
</head>

<body onload="">
<img id="capimg" alt="" src="capimg.jpg" />
<form action="process.php" method="POST" name="registerform" id="registerform">
	<input type="text" name="cap" size="15" maxlength="10" />
	<input type="submit" value="OK" />
	<input type="hidden" value="reg" name="action" />
	<input type="hidden" value="<?=$ip?>" name="ip" />
</form>
</body>
</html>

process.php:

<?
	session_start();
	$ip = $_POST['ip'];
	$caprealanswer = $_SESSION["capval" . $ip];
	$capanswer = $_POST["cap"];
	if ($capanswer == $caprealanswer){
		echo "Correct!<br />";
	} else {
		echo "Incorrect!<br />";
	}
?>

 

[phyrex1an]

Much better, only one problem left
If someone submitts the form when the session isn't set (eg from another page than your page) then the test will pass if the "cap" field is set to an empy field.
Just add a test to make sure that the capval . $ip field is set.

Btw, why not have the script that creates the image in it's own file, that you don't have to write a file to the file system but can dump it to the browser directly. Also have the side effect that this works on more trafficed sites. The currect setup have a chance of failure if two users browse the page at once.
Another thing you can do if you put the image script in it's own file is to make sure that the browser doesn't cache the image.

 

[mase]

Lol, good point. Thanks for the tips.

-Edit-

I don't get GD Generated images very much so I'm really confused on how to do what you said phyrex...
Would making the image code an .inc work?

 

[phyrex1an]

You don't have to dump gd images to the file system (like you are doing now), for dynamic images it's often a much better choose to send them directly to the browser. In your case saving the image to the file system might lead to some evil bugs.

Like:
1. User one requests reg.php and gets a capval. The image capimg.jpg is created with that capval.
2. User two requests reg.php and gets a capval. The image capimg.jpg is replaced with a new image with that capval.
3. User one requests capimg.jpg and gets user two image (since his own image was replaced when his browser was downloading the document) but he still have it's own capval in the session. When the user enters the characters on the image he will get an error.

img.php

<?
    header("Content-type: image/jpeg");
    session_start();
    $ip = $_SERVER['REMOTE_ADDR'];
    $alphabet = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0');
    srand(time());
    $randstr = "";
    for ($i=0; $i<10; $i++){
        $random = (rand() % sizeof($alphabet));
        $randstr .= $alphabet[$random];
    }
    $_SESSION["capval" . $ip] = $randstr;
    $im = @imagecreatetruecolor(100, 25) or die("Cannot Initialize new GD image stream");
    $text_color = imagecolorallocate($im, 255, 255, 255);
    imagestring($im, 2, 10, 5,  $randstr, $text_color);
    imagejpeg($im, '', 100);
    imagedestroy($im);
?>

reg.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Mase tests Register</title>
</head>

<body onload="">
<img id="capimg" alt="" src="img.php" />
<form action="process.php" method="POST" name="registerform" id="registerform">
    <input type="text" name="cap" size="15" maxlength="10" />
    <input type="submit" value="OK" />
    <input type="hidden" value="reg" name="action" />
</form>
</body>
</html>

process.php:

<?
    session_start();
    $ip = $_SERVER['REMOTE_ADDR'];
    $caprealanswer = $_SESSION["capval" . $ip];
    $capanswer = $_POST["cap"];
    if ($capanswer == $caprealanswer){
        echo "Correct!<br />";
    } else {
        echo "Incorrect!<br />";
    }
?>

I think it would be even better to do the randomization in reg.php and just deal with image output in img.php.

 

[mase]

You don't have to dump gd images to the file system (like you are doing now), for dynamic images it's often a much better choose to send them directly to the browser. In your case saving the image to the file system might lead to some evil bugs.

Like:
1. User one requests reg.php and gets a capval. The image capimg.jpg is created with that capval.
2. User two requests reg.php and gets a capval. The image capimg.jpg is replaced with a new image with that capval.
3. User one requests capimg.jpg and gets user two image (since his own image was replaced when his browser was downloading the document) but he still have it's own capval in the session. When the user enters the characters on the image he will get an error.

Actually, I have a custom session for each IP so I don't think they would have been over written if someone else was on that page also ><

Well, I'm going to make the capimg.php and then include it into the reg.php ><

-Edit-

Its not working... I have it as the capimg.php with the image codes only (header, and creation) then I include it and it completly messes up WTH?

 

[phyrex1an]

>I have a custom session for each IP so I don't think they would have been over written if someone else was on that page also
It's not the session that is the problem. It's the image.Currently your script creates an image to the file system, and the file system is shared between every instance of the script. Think about it as a global variable

>Its not working... I have it as the capimg.php with the image codes only (header, and creation) then I include it and it completly messes up WTH?
You should not include it. You should link to that file from your <img src="..." />
Look at the code I posted, it should be working.

 

[mase]

Lol, didnt see the src part my bad.

 

[DDRtists]

I saw the best Captcha thing today, on the Panda3D game engine site, it said "Check the box next to each picture of an animal". And listed like 15 pictures.

Pretty cool.