Reprints Online

Members Login
Username 
 
Password 
    Remember Me  
Post Info TOPIC: Securing Web Forms with Simple PHP-CAPTCHA


Guru

Status: Offline
Posts: 599
Date:
Securing Web Forms with Simple PHP-CAPTCHA
Permalink  
 


CAPTCHA an acronym for "completely automated public Turing test to tell computers and humans apart ". CAPTCHA technology enables you to discern human requests from computer generated requests on the Web, where such a distinction is difficult. Simply defined "Man can read machine can't!"

In web available forms are always prone to attack by people who want to use your application for their own purposes. Many web sites use the CAPTCHA especially used to prevent bots from using various types of computing services.

The applications include preventing bots from taking part in online polls, registering for free email accounts, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender pass a CAPTCHA test before the email message is delivered [implemented in Yahoo]. They have also been used to prevent people from using bots to assist with massive downloading of content from multimedia websites.

You have probably seen the CAPTCHA project in action at some of your Web destinations. Its principal tool is a randomly created image that contains a phrase unmentioned in computer-readable text on the rendered page. The form asks the user to provide the phrase. If the form post does not contain the correct phrase, you can safely assume either the human made a user error, or it wasn't a human at all.

Now it's time to put this code to work. A simple and often-used interface to implement this new security measure is the form on website. In this form you typically capture random number.

<code> <form name="form1" method="post" action="form.php" "> <table width="342" align="center" cellspacing="0" bgcolor="#D4D0C8"> <tr> <td align="center"><img src="php_captcha.php"></td><td align="center"> Please enter the string shown in the image in the form.
</td><td align="center"><input name="number" type="text"></td><td><input name="Submit" type="submit" value="Submit"></td> </tr></table></form> </code>

The following code use to create random numbers and this number are embedding with existing image file, the first line used to initiate session, which use to carry the user inputs.

<code> <?php session_start(); $RandomStr = md5(microtime()); $ResultStr = substr($RandomStr,0,5); $NewImage =imagecreatefromjpeg("img.jpg"); ?> </code> The second line [md5 (microtime ())] use to generate the random string, and the resultant string is trim by using third line [substr], which returns the portion of string specified by the start and length parameters. The function imagecreatefromjpeg ("img.jpg") is use to create a image by existing image file and as back ground ,so that you need to give an image file path.

<code> <?php $LineColor = imagecolorallocate($NewImage,233,239,239); $TextColor = imagecolorallocate($NewImage, 255, 255, 255); imageline($NewImage,1,1,40,40,$LineColor); imageline($NewImage,1,100,60,0,$LineColor); imagestring($NewImage, 5, 20, 10, $ResultStr, $TextColor); ?> </code>

After creation of back ground image, we generate some linear line, which is use to avoid the phrasing from random numbers, the respective lines are create by the function named imageline () and imagestring () use to draw a random string horizontally.

<code> <?php $_SESSION['key'] = $ResultStr; ?> </code>

The resultant random number [trimmed one], carry through session especially for validation purpose.

<code> <?php header("Content-type: image/jpeg"); imagejpeg($NewImage); ?> </code>

Finally above two functions are uses to display/out put the image to browser. So we can just call the particular file by through image source path, it will display the final image.

<code> <?php if(isset($_REQUEST['Submit'])){ $key=substr($_SESSION['key'],0,5); $number = $_REQUEST['number']; if($number!=$key){ echo ' Validation string not valid! Please try again!';} else{ echo ' Your string is valid!';} } ?></code>

I hope you know about the above code functionality, it's about validating the user in put and actual random number, depends upon the application you may use the if and else conditions, that's all

Conclusion CAPTCHA can be a great way to limit the amount of successful, unwanted HTTP POST requests in your application, CAPTCHAs are by definition fully automated, requiring little human maintenance or intervention in administering the test. This has obvious benefits in cost and reliability; I hope the simple code is useful to understand the concept. Happy CAPTCHA-ing!

About the Author

Sujith,I Began tinkering with web development as professional in 2004 ,currently working in the IT department ,Insoft,I has experience developing web solution with java script ,PHP,TAL,MYSQL,Oracle and Apache and animation solution with Flash ,Swish and sound Forge.



__________________
Page 1 of 1  sorted by
 
Quick Reply

Please log in to post quick replies.

Tweet this page Post to Digg Post to Del.icio.us


Create your own FREE Forum
Report Abuse
Powered by ActiveBoard