Different kind of CAPTCHA

Discussion in 'PHP' started by Triexa, May 22, 2007.

  1. #1
    I thought I would post this for anyone to use, and also to hopefully get some feedback. Some image CAPTCHAs are easy to read, others I've failed up to 3 times...

    So, this is a completely different approach - plus it doesn't even require GD support:

    function generateCaptcha() {
    	do {
    		$num1 = rand(0, 10);
    		$num2 = rand(0, 10);
    		$operator = rand(0, 1);
    		$type = rand(0, 3);
    		
    		if ($operator == 0) { // Subtract
    			switch ($type) {
    				case 0:
    					$question = "$num1 - $num2";
    					break;
    				case 1:
    					$question = "$num1 minus $num2";
    					break;
    				case 2:
    				case 3:
    					$question = "Subtract $num2 from $num1";
    					break;
    			}
    			$answer = $num1 - $num2;
    		}
    		else { // Add
    			switch ($type) {
    				case 0:
    					$question = "$num1 + $num2";
    					break;
    				case 1:
    					$question = "$num1 plus $num2";
    					break;
    				case 2:
    					$question = "Add $num1 and $num2";
    					break;
    				case 3:
    					$question = "The sum of: $num1 + $num2";
    					break;
    			}
    			$answer = $num1 + $num2;
    		}
    	} while ($answer < 0);
    	
    	$answer = md5(md5($answer) . 'somestring');
    	
    	return array('question' => $question, 'answer' => $answer);
    }
    
    function verifyCaptcha($input, $answer) {
    	// The salt must match the one used in generateCaptcha(), otherwise no answer ever verifies
    	return (md5(md5($input) . 'somestring') == $answer) ? true : false;
    }
    And then you could do something like:

    $captcha = generateCaptcha();
    // login/submit form:
    // <input type="hidden" name="captcha_answer" value="<?=$captcha['answer']?>">
    // Prove you're human: <?=$captcha['question']?>
    // <input type="text" name="captcha" size="3">
    and then finally

    $status = verifyCaptcha($_POST['captcha'], $_POST['captcha_answer']);
    Clearly rough example, but what do you guys think?
     
    Triexa, May 22, 2007 IP
  2. zonzon

    #2
    hum, very nice idea! but how do you generate the image?

    I love the concept of using more human intelligence to enforce the proof that's a real human! ;)
     
    zonzon, May 22, 2007 IP
  3. Triexa

    #3
    There is no image, it's text
     
    Triexa, May 22, 2007 IP
  4. rosiee007

    #4
    There is no image. The user will see a question like 'What is the sum of 2+3' and should enter the result in the text box for validation.
     
    rosiee007, May 22, 2007 IP
  5. dp-user-1

    #5
    I've seen this on a few sites. It's a nice change.
     
    dp-user-1, May 22, 2007 IP
  6. DW1

    #6
    I like this idea but it would be easier to hack if someone wanted to target you...

    For added security you could load the challenge string with JavaScript/AJAX. Most hackers don't do JavaScript (but I'm sure that, too, is possible).

    Regards
     
    DW1, May 23, 2007 IP
  7. xooMan

    #7
    I have seen this on Matt Cutts' blog. And his site is pretty popular, but he doesn't seem to experience problems with this approach. So, you might consider using it on your site.
     
    xooMan, May 23, 2007 IP
  8. DW1

    #8
    Direct attacks are indeed rare - I'm just paranoid and a code perfectionist :D
     
    DW1, May 23, 2007 IP
  9. coderbari

    #9
    This is good work, I like it :D
     
    coderbari, May 24, 2007 IP
  10. Triexa

    #10
    Just to let you all know, on another forum a fatal flaw was pointed out...

    The user just needs to find one answer, then post that captcha_answer and the answer to the question, and every time it will be valid...

    The captcha_answer would need to be stored in a session
     
    Triexa, May 24, 2007 IP
  11. DW1

    #11
    This can be avoided with most Captchas. Upon verification simply unset the session var....
     
    DW1, May 24, 2007 IP
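
The replay problem from post #10 and the session fix from posts #10 and #11, side by side, as an added example that is not code from any poster in this thread. The names `issueCaptcha`, `checkCaptcha` and the `captcha_answer` session key are assumptions, and a plain array stands in for `$_SESSION` so the script runs from the command line. The hidden-field check accepts the same solved pair on every submission, while the session check consumes the stored answer on the first attempt and rejects the second.

```php
<?php
// Added example. Function names and the 'captcha_answer' key are hypothetical.

// Scheme from post #1: the expected (hashed) answer travels in a hidden form field.
function verifyCaptcha($input, $answer) {
    return md5(md5($input) . 'somestring') == $answer;
}

// Session-backed variant: only the question text leaves the server.
function issueCaptcha(array &$session): string {
    $a = random_int(0, 10);
    $b = random_int(0, 10);
    $session['captcha_answer'] = $a + $b;   // kept server-side, never sent to the client
    return "Add $a and $b";
}

function checkCaptcha(array &$session, $input): bool {
    if (!isset($session['captcha_answer'])) {
        return false;                        // no open challenge, or already consumed
    }
    $expected = $session['captcha_answer'];
    unset($session['captcha_answer']);       // single use: consumed on pass or fail
    // Digits only, so loosely typed input cannot compare equal by accident.
    return is_string($input)
        && preg_match('/\A[0-9]{1,2}\z/', $input) === 1
        && (int)$input === $expected;
}

// --- Constructed demo data ---
// 1) Hidden-field scheme: one solved question/answer pair, submitted twice.
$pair = ['captcha' => '7', 'captcha_answer' => md5(md5('7') . 'somestring')];
var_dump(verifyCaptcha($pair['captcha'], $pair['captcha_answer'])); // first submit
var_dump(verifyCaptcha($pair['captcha'], $pair['captcha_answer'])); // same pair again

// 2) Session scheme: the same correct answer, submitted twice.
$session = [];                               // stands in for $_SESSION
echo issueCaptcha($session), PHP_EOL;
$right = (string)$session['captcha_answer']; // demo only: read the stored answer
var_dump(checkCaptcha($session, $right));    // first submit
var_dump(checkCaptcha($session, $right));    // same answer again
```

In a real form handler, call `session_start()` first and pass `$_SESSION` to both functions. This closes only the replay hole; it does not make the question any harder for a script to parse.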
  12. manilodisan

    #12
    I use it but it still sucks. I already have clever spam bots that manage to do the math and enter the right sum....
     
    manilodisan, May 24, 2007 IP
  13. tandac

    #13
    One thing I've added into my sites is random field names.
     
    tandac, May 24, 2007 IP
  14. ErectADirectory

    #14
    Stinking genius!!! This is almost perfect unless you get a spider bot that reads on the fly.
     
    ErectADirectory, May 25, 2007 IP
  15. projectshifter

    #15
    I'd assume most spider bots are semi-intelligent unless they had someone brainless coding them. It wouldn't take too long to write a spider that would pretty much get around any kind of form you can think up, it's a simple concept, you just have to try to stay one step ahead of substandard coders, if someone really wants to they'll find a way.
     
    projectshifter, May 25, 2007 IP
  16. ErectADirectory

    #16
    Absolutely, and you assume wrong. The point is to keep out most of the riff raff, not all of it. There is always someone smarter than you or I .... unfortunately most decide to get into this profession.

    And no it wouldn't take long, but most existing ones currently do not. I would wager that if you used this method right now, < 1% would get through. But as we all know, the captcha thing is an ongoing process. Next year, if many sites use this form of security, we will have to change our plans.
     
    ErectADirectory, May 26, 2007 IP
  17. projectshifter

    #17
    Very true. This is always the problem with creating new security, it's only as good as time allows. This would probably knock out 90+% of spiders, too bad they keep spending so much money trying to tell us about viagra and how to make our penises thicker :(
     
    projectshifter, May 26, 2007 IP
  18. krakjoe

    #18
    No offence, but it's rubbish.

    
    <?php
    function break_the_poor_captcha( $question )
    {
        if( preg_match( '~([0-9]+) (minus|-) ([0-9]+)~i', $question, $numbers ) )
        {
            return $numbers[1] - $numbers[3];
        }
        elseif( preg_match( '~Subtract ([0-9]+) from ([0-9]+)~i', $question, $numbers  ) )
        {
            return $numbers[2] - $numbers[1];
        }
        elseif( preg_match( '~([0-9]+) (plus|\+|and) ([0-9]+)~i', $question, $numbers ) )
        {
            return $numbers[1] + $numbers[3];
        }
        elseif( preg_match( '~Add ([0-9]+) and ([0-9]+)~i', $question, $numbers ) )
        {
            return $numbers[1] + $numbers[2];
        }
        elseif( preg_match( '~The sum of: ([0-9]+) (plus|\+|and) ([0-9]+)~i', $question, $numbers ) )
        {
            return $numbers[1] + $numbers[3];
        }
        else return "Theres no pattern for that question, however it will take seconds to write one";
    }
    $test = array(
        "The sum of: 20 and 14",
        "30 minus 14",
        "30 - 10",
        "Subtract 10 from 40",
        "50 plus 10",
        "50 + 19",
        "40 and 10",
        "Add 40 and 19",
        "The sum of: 10 plus 10",
        "The sum of: 10 + 12"
    );
    foreach( $test as $question )
    {
        printf("<font color=blue>%s</font> : <font color=red>%s</font><br />", $question,  break_the_poor_captcha( $question ) );
    }
    ?>
    
    Think about it, anything you make programmatically can be broken programmatically, spend your time developing the existing captcha methods that actually work, if using text questions were a viable way of authenticating a user was genuine that's how it would be done.

    I really don't think it's a very good method in the slightest, it's different sure, but it took ten minutes to write that and for as many patterns as you can generate questions with I can write regex to break them, it's pointless.
     
    krakjoe, May 27, 2007 IP
  19. ccasselman

    #19
    The key is to make something specific for your site. Don't use a third party and don't republish it. Something that a mass cracker will not break yours. It requires specific time just for your site, which most are willing to put in. If it gets cracked, change it again to something else specific.

    Or rotate several ways.
     
    ccasselman, May 27, 2007 IP
  20. krakjoe

    #20
    It won't make any difference, as soon as you think of a way to get around the people that have broken your captcha methods, someone will have already thought of a way around it, it really won't work ..... why not try something with actual merit, like a video captcha ......

    The people who are using these methods are just hoping that no-one cares enough to spend the time to see all the patterns it could create, that doesn't mean it can't be done, and if your content is important enough someone will do that.
     
    krakjoe, May 27, 2007 IP