A properly implemented captcha does not reveal the phrase as part of the page served to the user. It is instead retained in memory on the server, in the session. Without knowing the name of the session variable, it should not be possible to inject a new value into that session variable and so supply the expected response to the captcha. Webmasters should take note that this is a potential security issue and should take the time to alter variable names in all downloaded scripts, especially those pertaining to security and anti-spam or anti-phishing strategies. Within the captcha script will be something along the lines of $_SESSION['captcha_phrase'] = $code; Change 'captcha_phrase' to something unique in the captcha script and in any other scripts which call it.
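As an added example (not code from the original post or from any particular captcha script), the following PHP shows the server-side half of this design: the phrase is generated on the server, stored only in $_SESSION under a site-specific key, and never written into the HTML; the verification step reads it back, discards it so it is single-use, and compares in constant time. The session key name and the 5-minute expiry are assumptions chosen for the example; the image-rendering helper is not shown.

```php
<?php
// Added example, not from the original post: captcha phrase kept server-side
// in the session and verified without ever sending the text to the client.
declare(strict_types=1);

// Site-specific session key (assumption for this example). The post advises
// replacing the stock name 'captcha_phrase'; keeping the name in one constant
// means the captcha script and every script that calls it agree on it.
const CAPTCHA_SESSION_KEY = 'example_site_captcha_v1';

// Generate a new phrase, store it in the session, and return it to the caller
// so the caller can render it as an image. The phrase itself must not appear
// in the page markup.
function captcha_start(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // CSPRNG-based phrase; alphabet omits visually ambiguous glyphs (0/O, 1/I).
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $phrase = '';
    for ($i = 0; $i < 6; $i++) {
        $phrase .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION[CAPTCHA_SESSION_KEY] = [
        'phrase'  => $phrase,
        'expires' => time() + 300, // assumed 5-minute validity window
    ];
    return $phrase;
}

// Verify the user's answer against the stored phrase. Returns true only for a
// correct, unexpired, previously issued captcha; the stored value is removed
// before comparing so each phrase can be checked exactly once.
function captcha_verify(string $userInput): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $stored = $_SESSION[CAPTCHA_SESSION_KEY] ?? null;
    unset($_SESSION[CAPTCHA_SESSION_KEY]); // single use, even on failure

    if (!is_array($stored) || !isset($stored['phrase'], $stored['expires'])) {
        return false; // no captcha was issued in this session
    }
    if (time() > $stored['expires']) {
        return false; // expired; the form must request a fresh captcha
    }
    // Constant-time comparison; case-insensitive because the image is.
    return hash_equals(
        strtoupper($stored['phrase']),
        strtoupper(trim($userInput))
    );
}

// Form page:    $phrase = captcha_start();  /* render $phrase as an image */
// Form handler: if (!captcha_verify($_POST['captcha'] ?? '')) { /* reject */ }
```

Because the phrase only ever lives in $_SESSION, the client can influence it only by finding a way to write into the session store; the unset before comparison also means a submitted answer, right or wrong, consumes the phrase rather than leaving it available for repeated guesses.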