Captcha-howto - Graphic-Captcha to protect a form against spam

last update 21.Jul.2008

Rate this site:

Complete example

Graphic-Captcha to protect a form against spam

A captcha to protect a form against spam - complete example incl. source code

By Example 1 i'll show you how easy you can integrate a captcha into an existing or a new PHP-script. Remember: the use of example 1 is not advisable - it's only an example! You'll find other captchas on this website, which are more secure. Because e.g. RapidShare has used a similar script on their website, which was cracked after a short time.

Part 1: Script explanation
Part 2: Integrate the captcha into a form
Part 3: Check to captcha code
Part 4: Download

Part 1: Script explanation (example1.php):

example1.php displays the captcha-image and sends the random code per session variable to the form.

<?php
session_start(); //Attention: must be on top of the script + HTML-form

//################################################
// ATTENTION: PLEASE EDIT !
// An additional salt string for better md5 encoding
$secret = '7nS8Yx1w'; //insert your own secret string!
// Path to TTF-file:
$font = "/srv/www/htdocs/website/tahoma.ttf"; //web
// $font = "C:/xampp/htdocs/website/tahoma.ttf"; //Windows
//################################################

$width = 90; //image width
$height = 60; //image height
$fontsize = 48; //Font-size
$pos_x = 2; //X-position of 1. left character
$pos_y = 53; //Y-position position of the fonts baseline

//all chars we'll use
$ar = array("1", "2", "3", "4", "5", "6", "7", "8", "9", "A", "B", "C", "D", "E", "F", "G", "H", "K", "L", "N", "P", "R", "S", "T", "U", "V", "X", "Y", "Z");
$count = count($ar)-1; //count all chars

//create random code
mt_srand((double)microtime()*1000000); //only for PHP < v4.20! Initialize the random generator
$char1 = $ar[mt_rand(0,$count)];
$char2 = $ar[mt_rand(0,$count)];
$char3 = $ar[mt_rand(0,$count)];
$randomcode = $char1 . $char2 . $char3;
$_SESSION['randomcode'] = md5($randomcode.$secret); //Save the encoded code in session variable

$im = imagecreatetruecolor($width, $height); //Create image
$background = imagecolorallocate($im, 255, 255, 255); //Background color
$border = imagecolorallocate($im, 0, 0, 0); //Border color
imagefilledrectangle($im, 0, 0, $width - 1, $height - 1, $background); //fill image with background color
imagerectangle($im, 0, 0, $width - 1, $height - 1, $border); //draw border

//the 3 colors we'll use:
//Syntax: [$image],[red(0-255)],[green(0-255)],[blue(0-255)],[transparency(0-127)]
$red = imagecolorallocatealpha($im, 255, 0, 0, 50);
$green = imagecolorallocatealpha($im, 0, 255, 0, 70);
$blue = imagecolorallocatealpha($im, 0, 0, 255, 90);

//Insert the 3 chars:
//Syntax: [$image],[font-size],[angle],[X-position],[Y-position],[color],[font],[text]
ImageTTFText ($im, $fontsize, mt_rand(-6,6), $pos_x + 0, $pos_y, $red, $font, $char1);
ImageTTFText ($im, $fontsize, mt_rand(-6,6), $pos_x + 22, $pos_y, $green, $font, $char2);
ImageTTFText ($im, $fontsize, mt_rand(-6,6), $pos_x + 44, $pos_y, $blue, $font, $char3);

header('Content-type: image/png'); //Send HTTP-header
imagepng($im); //Image output (format PNG) to browser
imagedestroy($im); //frees any memory associated with image
?>

Part 2: Integrate the captcha into a form (form1.php):

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Captcha</title>
</head>
<body>
<form id="form1" name="form1" method="post" action="<?=$_SERVER['PHP_SELF'];?>">
Name:
<input type="text" name="name" id="name" />
Email:
<input type="text" name="email" id="email" />
Verifycode:
<img src="path/example1.php" alt="" />
Verifycode:
<input type="text" name="verifycode" id="verifycode" />
Comment:
<textarea name="comment" id="comment" cols="55" rows="2"></textarea><br />
<input type="submit" name="send" id="send" value="Send" />
</form>
</body>
</html>

Result:

Please note:
1. You have to edit the path (src="path/example1.php") if script and form files are in different directories.
2. The action-attribute (action="<?=$_SERVER['PHP_SELF'];?>"), will call back the same form after pressing the send-button. I.e. the evaluation and further processing also take place by the form and you have to start on top of the script a PHP-session with <?php session_start(); ?>. Otherwise you have to insert the path and script filename into the action-attribute.

Part 3: Check the captcha code:

We use the above-mentioned action-attribute and inserting the following PHP-code before the <form>-Tag:

<?php
$secret = '7nS8Yx1w'; //salt string must be the same like in example1.php!

if(isset($_POST['send'])){ //Send-Button was pressed?
//randomcode and verifycode is equal?
if($_SESSION['randomcode'] == md5(strtoupper($_POST['verifycode']).$secret)){
echo 'OK! Now we can evaluate all form data...';
}else{
echo 'Error! ...';
}
}
?>
... here comes our form
<form id="form1" name="form1" method="post" action="<?=$_SERVER['PHP_SELF'];?>">
...

Note: the script above only checks that the send-button was pressed and that the randomcode was the same as the verifycode. The script doesn't check the other form data, like e.g. an empty or valid name, comment and E-Mail-address (see SPAM-Protection: E-Mail form), but it was integrated into the downloadable file captcha_en.zip.

Part 4: Download:

captcha_en.zip