I thought I would post this for anyone to use, and also to hopefully get some feedback. Some image CAPTCHAs are easy to read, others I've failed up to 3 times... So, this is a completely different approach - plus it doesn't even require GD support:

PHP:
function generateCaptcha() {
    do {
        $num1 = rand(0, 10);
        $num2 = rand(0, 10);
        $operator = rand(0, 1);   // 0 = subtract, 1 = add
        $type = rand(0, 3);       // which wording of the question to use
        if ($operator == 0) {
            // Subtract
            switch ($type) {
                case 0: $question = "$num1 - $num2"; break;
                case 1: $question = "$num1 minus $num2"; break;
                case 2:
                case 3: $question = "Subtract $num2 from $num1"; break;
            }
            $answer = $num1 - $num2;
        } else {
            // Add
            switch ($type) {
                case 0: $question = "$num1 + $num2"; break;
                case 1: $question = "$num1 plus $num2"; break;
                case 2: $question = "Add $num1 and $num2"; break;
                case 3: $question = "The sum of: $num1 + $num2"; break;
            }
            $answer = $num1 + $num2;
        }
    } while ($answer < 0);   // a negative result means we pick new numbers
    $answer = md5(md5($answer) . 'somestring');
    return array('question' => $question, 'answer' => $answer);
}

function verifyCaptcha($input, $answer) {
    // the salt here must be the same one used in generateCaptcha()
    return (md5(md5($input) . 'somestring') == $answer) ? true : false;
}

And then you could do something like:

PHP:
$captcha = generateCaptcha();
// login/submit form:
// <input type="hidden" name="captcha_answer" value="<?=$captcha['answer']?>">
// Prove you're human: <?=$captcha['question']?>
// <input type="text" name="captcha" size="3">

and then finally

PHP:
$status = verifyCaptcha($_POST['captcha'], $_POST['captcha_answer']);

Clearly a rough example, but what do you guys think?
Hum, very nice idea! But how do you generate the image? I love the concept of using more human intelligence to enforce the proof that it's a real human!
There is no image. The user will see a question like 'What is the sum of 2+3' and should enter the result in the text box for validation.
I like this idea but it would be easier to hack if someone wanted to target you... For added security you could load the challenge string with JavaScript/AJAX. Most hackers don't do JavaScript (but I'm sure that, too, is possible). Regards
I have seen this on Matt Cutts' blog. And his site is pretty popular, but he doesn't seem to experience problems with this approach. So, you might consider using it on your site.
Just to let you all know, on another forum a fatal flaw was pointed out... The user just needs to find one answer, then post that captcha_answer and the answer to the question, and every time it will be valid... The captcha_answer would need to be stored in a session.
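One way to close the replay hole just described, as an added example that is not the original poster's code: keep the expected answer in the session and discard it on first use, so the form carries only the question. Assumes PHP 7+ (for random_int and hash_equals) and that session_start() has run before the form is handled; the function names are my own.

```php
<?php
// Added example, not the original poster's code: same arithmetic challenge, but the
// expected answer never leaves the server, and each challenge is accepted only once.
// Assumes PHP 7+ (random_int, hash_equals); function names are assumptions.

function makeChallenge(array &$session): string {
    $a = random_int(0, 10);
    $b = random_int(0, 10);
    if (random_int(0, 1) === 0) {
        if ($a < $b) { [$a, $b] = [$b, $a]; }   // keep the result non-negative
        $question = "Subtract $b from $a";
        $answer   = $a - $b;
    } else {
        $question = "Add $a and $b";
        $answer   = $a + $b;
    }
    // Stored server-side only; the form carries just the question text.
    $session['captcha'] = ['answer' => (string)$answer, 'expires' => time() + 600];
    return $question;
}

function checkChallenge(array &$session, string $input): bool {
    $challenge = $session['captcha'] ?? null;
    // Single use: discard before comparing, so re-posting a correct answer fails.
    unset($session['captcha']);
    if ($challenge === null || time() > $challenge['expires']) {
        return false;
    }
    return hash_equals($challenge['answer'], trim($input));
}

// Form handling:
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     $ok = checkChallenge($_SESSION, $_POST['captcha'] ?? '');
// }
// $question = makeChallenge($_SESSION);   // fresh question for the next form
// echo "Prove you're human: ", htmlspecialchars($question);
// echo '<input type="text" name="captcha" size="3">';
```

With nothing secret in the hidden field, capturing one valid response gains a bot nothing; every submission has to answer a fresh question.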
I use it but it still sucks. I already have clever spam bots that manage to do the math and enter the right sum....
I'd assume most spider bots are semi-intelligent unless they had someone brainless coding them. It wouldn't take too long to write a spider that would pretty much get around any kind of form you can think up. It's a simple concept: you just have to try to stay one step ahead of substandard coders; if someone really wants to, they'll find a way.
Absolutely, and you assume wrong. The point is to keep out most of the riff raff, not all of it. There is always someone smarter than you or I .... unfortunately most decide to get into this profession. And no it wouldn't take long, but most existing ones currently do not. I would wager that if you used this method right now, < 1% would get through. But as we all know, the captcha thing is an ongoing process. Next year, if many sites use this form of security, we will have to change our plans.
Very true. This is always the problem with creating new security: it's only as good as time allows. This would probably knock out 90+% of spiders. Too bad they keep spending so much money trying to tell us about viagra and how to make our penises thicker.
No offence, but it's rubbish.

PHP:
<?php
function break_the_poor_captcha( $question ) {
    // one regex per wording the generator can produce
    if( preg_match( '~([0-9]+) (minus|-) ([0-9]+)~i', $question, $numbers ) ) {
        return $numbers[1] - $numbers[3];
    } elseif( preg_match( '~Subtract ([0-9]+) from ([0-9]+)~i', $question, $numbers ) ) {
        return $numbers[2] - $numbers[1];
    } elseif( preg_match( '~([0-9]+) (plus|\+|and) ([0-9]+)~i', $question, $numbers ) ) {
        return $numbers[1] + $numbers[3];
    } elseif( preg_match( '~Add ([0-9]+) and ([0-9]+)~i', $question, $numbers ) ) {
        return $numbers[1] + $numbers[2];
    } elseif( preg_match( '~The sum of: ([0-9]+) (plus|\+|and) ([0-9]+)~i', $question, $numbers ) ) {
        return $numbers[1] + $numbers[3];
    } else {
        return "There's no pattern for that question, however it will take seconds to write one";
    }
}

$test = array(
    "The sum of: 20 and 14",
    "30 minus 14",
    "30 - 10",
    "Subtract 10 from 40",
    "50 plus 10",
    "50 + 19",
    "40 and 10",
    "Add 40 and 19",
    "The sum of: 10 plus 10",
    "The sum of: 10 + 12"
);

foreach( $test as $question ) {
    printf("<font color=blue>%s</font> : <font color=red>%s</font><br />", $question, break_the_poor_captcha( $question ) );
}
?>

Think about it: anything you make programmatically can be broken programmatically. Spend your time developing the existing captcha methods that actually work; if using text questions were a viable way of authenticating that a user was genuine, that's how it would be done. I really don't think it's a very good method in the slightest. It's different, sure, but it took ten minutes to write that, and for as many patterns as you can generate questions with I can write regex to break them. It's pointless.
The key is to make something specific for your site. Don't use a third party and don't republish it. Something that a mass cracker will not break. It requires specific time just for your site, which most are willing to put in. If it gets cracked, change it again to something else specific. Or rotate several ways.
It won't make any difference: as soon as you think of a way to get around the people that have broken your captcha methods, someone will have already thought of a way around it. It really won't work... why not try something with actual merit, like a video captcha? The people who are using these methods are just hoping that no one cares enough to spend the time to see all the patterns it could create. That doesn't mean it can't be done, and if your content is important enough someone will do that.