Tutorials @ WebDesignPro

home > tutorials >

CAPTCHA Alternatives

Added a CAPTCHA script to your sites guest book but still getting spam?
Do you get complaints from visitors that can't read the distorted capture text?

Below is a list of some CAPTCHA alternatives and example implementations.

The W3C have a fair bit to say about CAPTCHA systems and the accessibility and usability issues that arise from forcing users to read distorted images. We recommend you read this article: http://www.w3.org/TR/turingtest/

• Question CAPTCHA
• Image CAPTCHA
• Audio CAPTCHA
• More forms security

Question CAPTCHA

Question captchas attempt to resolve usability and accessibility issues in the conventional captcha method by asking the user to type the answer to a question instead of the distorted, and all too often unreadable, security code. The answer will usually be selected from a multiple choice list, this will reduce the chance of spelling mistakes.

To effectively implement this system you would need to add a whole load of questions and answers. This is certainly one of the main limitations of this method.

Below is some example code, it is in no way a complete security check but it should give some idea of how to implement this kind of system.

// Create the 3 files below and upload them to your server // qArray.php <?php $qs = array( // Array of questions and possible answers. 1 question/4 answers '0' => array('which of the following are birds?','wren,robin,hawk,dove'), '1' => array('which of the following are colours?','red,blue,green,pink'), '2' => array('which of the following are eating implements?','spoon,fork,knife,chopsticks') ); $arrlen = count($qs)-1; ?> // form.php <?php session_start(); include_once('qArray.php'); $_SESSION[qn] = rand(0,$arrlen); $_SESSION[answn] = rand(0,3); $q = $qs[$_SESSION[qn]]; echo $q[0].'<br>'; $answs = explode(',',$q[1]); // Overwrite answers of current question to avoid duplicate correct answers $qs[$_SESSION[qn]][1] = 'arm,leg,hand,nose'; // select answers from a random question $fills = $qs[rand(0,$arrlen)][1]; $fills = explode(',',$fills); $qarr = array($answs[$_SESSION[answn]],$fills[0],$fills[1],$fills[2],$fills[3]); shuffle($qarr); ?> <form action="test_submit.php" method="post"> <?php foreach($qarr as $k){ echo $k.'<input name="answer" type="radio" value="'.$k.'"><br>'; } ?> <input name="subm" type="submit" value="Submit Answer"> </form> // submit.php <?php session_start(); include_once('qArray.php'); // select the array of answers $q = $qs[$_SESSION[qn]]; $answs = explode(',',$q[1]); if (isset($_POST[subm])){ if (in_array($_POST[answer],$answs)){ //was the posted answer in the array for the question? echo 'Success you got it right'; //Process form } else echo 'Sorry you got it wrong'; } ?>

Image CAPTCHA

Image captcha is similar to the question capture except it prompts the user to select from a list that which it is they are seeing in the image. This again is limited to the amount of images it is humanly possible to upload.

With a little modification to the code we used in the question captcha above we can easily implement an image capture:

// 1.Create a new file and call it qIm.php // 2.Create a folder called vimg, preferably below web root // 3.Upload a gif for each answer (red.gif,blue.gif...) to the vimg dir // 4.Modify the first line of the code below to represent the path to vimg dir // qIm.php <?php $vimdir = 'home/user/vimg/' include_once('qArray.php'); header ("Content-type: image/gif"); header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache"); session_cache_limiter("nocache"); session_start(); $q = $qs[$_SESSION[qn]]; $ims = explode(',',$q[1]); $im = imagecreatefromgif($vimdir.$ims[$_SESSION[answn]].'.gif'); if (!$im) { $im = imagecreatetruecolor (150, 30); $bgc = imagecolorallocate ($im, 255, 255, 255); $tc = imagecolorallocate ($im, 0, 0, 0); imagefilledrectangle ($im, 0, 0, 150, 30, $bgc); imagestring ($im, 1, 5, 5, "Error loading image", $tc); } imagegif($im); ?> // Add the image tag to form.php <img src="test_im.php" />

By plugging in to more of PHPs image manipulation functions you could randomise the backgrounds of your images and increase the variation. Don' go overboard with the image manipulation though, remember that we're trying to make something more usable and accessible than the conventional method.

Audio CAPTCHA

Audio captcha is most commonly used in conjuction with the conventional distorted text captcha as a means to resolve accessibility issues, ie. the visually impaired are able to use the application.

Audio captcha works in a similar way to the conventional text method except the user will be presented with an audio clip of a string, word, phrase or question, the result of which must be typed into the form verification field. Similarly to the text method audio needs to be distorted in order of beeting the SPAM bots. You could either distort the spoken clips themselves or you could use different background noises.

Sorry, no example for the audio captcha yet..

More ways of securing your pages and preventing spam bots

Reverse DNS check

You can check to see whether or not the ip that the visitor is claiming is genuine by doing a reverse DNS check

$ip = $_SERVER['REMOTE_ADDR']; $host = gethostbyaddr($ip); $realip = gethostbyname($host); if($ip != $realip){ die('IP mismatch! Access has been denied...'); }

Profanity filter

In my experience the vast majority of web site SPAM I get is litterally riddled with a handful of keywords that no genuine poster would be using. By checking user input for these keywords we can write an application that will send us a warning message if those keywords are found. We could even write the ip address straight to the .htaccess file and block them immediately.

Always filter your input

This is subject for a whole other tutorial and more, but if you're not already, you should ALWAYS filter your input.

// Always check that the data your application is being sent is in the format that is expected // Expecting a whole number? if (ctype_alpha($_POST[myNum])){ $valid = true; } // Expecting an alpha numeric string? if (!ctype_alnum($_POST[myString])){ $valid = false; } // Need to match a more complex pattern? $pattern = '/^customregex/'; if (preg_match($pattern, $_POST[myCustom])){ $valid = true; }

No-follow in posted links

If you allow your guestbook visitors to post links in their messages then adding no-follow to the rel attribute of your links can help reduce spam. Using the rel="nofollow" attribute will deter spammers as the link will be ignored by the SE spiders and hence will not increase the Page Rank of the spammers site. There's a good explanation of this at Yahoo help

<a href="http://spam.spam/">Get ripped off here</a> becomes: <a href="http://spam.spam/" rel="nofollow">Get ripped off here</a>

More form processing security

http://phpsec.org/projects/guide/2.html
http://www.onlamp.com/pub/a/php/2004/08/26/PHPformhandling.html
http://shiflett.org/articles/file-uploads

Comments:

Featured Script