Le Minh Duc

On The Way


Prevent automated registrations technique in PHP with simple CAPTCHA

Posted by LE MINH DUC on April 29, 2006


CAPTCHA is an acronym for "Completely Automated Public Turing Test to Tell Computers and Humans Apart". As the name suggests, it is a test meant to tell a human user apart from an automated program. You can read more about CAPTCHAs at Wikipedia or on the CAPTCHA site. Some of the applications:

– Online polls: the poll requires that only humans can vote.
– Free email services: stop "bots" that sign up for thousands of email accounts every minute.
– Search engine bots: a CAPTCHA image keeps bots from entering a web site.
– A defence against email worms and spam: an email is accepted only if I know there is a human behind the other computer.
– Preventing dictionary attacks and brute force attacks on login pages.

In this post, I will share a simple technique to create a CAPTCHA which I used in some of my first PHP projects. In the login page, as you can see, there is a random text code rendered as an image. The user has to key in the correct username, password and also this code to log in. In this example, the code (ex: 68897) changes each time the user refreshes the page.

Here is the HTML code to create the form: (index.php)

// index.php
<form action="login.php" method="post">
<table width="300" cellpadding="5" cellspacing="0" border="0">
<tr>
<td bgcolor="white"><div class="txt">Username</div></td>
<td bgcolor="white"><input type="text" size="30" maxlength="18" class="txt" name="username"></td>
</tr>
<tr>
<td bgcolor="white"><div class="txt">Password</div></td>
<td bgcolor="white"><input type="password" size="30" maxlength="18" class="txt" name="password"></td>
</tr>
<tr>
<td bgcolor="white">
<?php
// Create a random token for the security check; it seeds the CAPTCHA image
// and is echoed back in a hidden field so login.php can recompute the code
$t1=sha1(time().rand(1,999));
printf('<img src="index_button.php?t1=%s"><input type="hidden" value="%s" name="tc2">',$t1,$t1);
?>
</td>
<td bgcolor="white"><input type="text" size="30" maxlength="8" class="txt" name="tc"></td>
</tr>
<tr>
<td bgcolor="white">&nbsp;</td>
<td bgcolor="white"><input type="submit" size="30" class="txt" value="launch"></td>
</tr>
</table>
</form>

In this example, the token is calculated by the expression sha1(time().rand(1,999)): it takes the sha1 hash of the current timestamp concatenated with a random number (from 1 to 999).
Then the token is passed to index_button.php to generate the CAPTCHA image:

//index_button.php
<?php
header("Content-type: image/png");
$string=substr(md5($_GET['t1']),7,5); // 5 hex characters taken from the md5 of the token
$im=imagecreatefrompng("b0.png");     // background image
$color=imagecolorallocate($im, 0, 0, 0); // black text
$px=(int)((imagesx($im) - 8.5 * strlen($string)) / 2); // centre the text horizontally
imagestring($im, 5, $px, 2, $string, $color);
imagepng($im);
imagedestroy($im);
?>

The script works with two inputs:
+ $string: a string of 5 characters (ex: 68897) calculated from substr(md5($_GET['t1']),7,5)
+ $im: the background image loaded from the file b0.png

It then uses the function imagestring to draw the string $string in the image identified by $im, with the upper-left corner of the text at coordinates $px, 2 (the top left of the image is 0, 0), in the colour $color.
The function imagepng($im) then outputs a PNG image to the browser.
(Note: you must send header("Content-type: image/png") to inform the browser that the content is a PNG image.)
imagedestroy($im) destroys the image $im and frees the memory associated with it.

After that, the rendered image is displayed in index.php as shown below:
[Screenshot: the login form with the rendered CAPTCHA image]
I use a hidden input to pass the value $t1 to login.php so that the input can be verified after submission, as below:

// login.php
<?php
$db=mysql_pconnect("localhost", "root", "root");
mysql_select_db("database",$db);

$un = $_POST['username'];
$pw = $_POST['password'];

// check security code first, then check username and password later....
// strict comparison (===) avoids PHP's loose numeric comparison of hex strings
if(strtolower(substr(md5($_POST['tc2']),7,5))===strtolower($_POST['tc'])){
$un=mysql_real_escape_string($un);
$vstring="SELECT * FROM list_users WHERE username='".$un."'";
$vresult=mysql_query($vstring) or die(mysql_error());
$vrow=mysql_fetch_array($vresult);

if($vrow && md5($pw)===$vrow['password']){

…….. // execute other code…..
}
}
?>

This is a very simple technique I use to prevent dictionary attacks and brute force attacks on login pages. You can modify and improve it as you need, for example:
+ Change the background image and the text colour
+ Add more noise to the image to hinder text recognition
+ Switch to a more complex algorithm for generating the string…
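As an added example (not code from the original post), here is one way to apply the last suggestion: keep the same three-step flow (form, image script, login check) but generate the code with random_int and hold the expected answer only in the server-side session, so the page no longer has to ship a hidden field from which the answer can be recomputed. It assumes PHP 7 or later and the b0.png background from the post; the function names are my own.

```php
<?php
// captcha_session.php: added example, not from the original post.
// The expected code lives only in $_SESSION, never in a hidden form field.
session_start();

// Generate a fresh 5-character code and remember it server-side.
function captcha_new_code(): string {
    $alphabet = '23456789abcdefghjkmnpqrstuvwxyz'; // no 0/O/1/l look-alikes
    $code = '';
    for ($i = 0; $i < 5; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha_code'] = $code;
    $_SESSION['captcha_time'] = time();
    return $code;
}

// Render the stored code onto b0.png, the same way index_button.php does.
function captcha_render_png(): void {
    $string = $_SESSION['captcha_code'] ?? captcha_new_code();
    header('Content-type: image/png');
    $im = imagecreatefrompng('b0.png');
    $color = imagecolorallocate($im, 0, 0, 0);
    $px = (int) ((imagesx($im) - 8.5 * strlen($string)) / 2);
    imagestring($im, 5, $px, 2, $string, $color);
    imagepng($im);
    imagedestroy($im);
}

// Verify the user's answer: one attempt per code, time-limited,
// and compared in constant time instead of with ==.
function captcha_verify(string $answer, int $max_age = 300): bool {
    $expected = $_SESSION['captcha_code'] ?? null;
    $issued   = $_SESSION['captcha_time'] ?? 0;
    unset($_SESSION['captcha_code'], $_SESSION['captcha_time']);
    if ($expected === null || time() - $issued > $max_age) {
        return false;
    }
    return hash_equals($expected, strtolower(trim($answer)));
}
```

index.php would call captcha_new_code() and emit only the <img> tag (no tc2 field), index_button.php would call captcha_render_png(), and login.php would run captcha_verify($_POST['tc']) before touching the users table.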

To find out more complex techniques about CAPTCHA, you can visit the links below.

CAPTCHA home page
Breaking a Visual CAPTCHA
Visual and Audio CAPTCHA Generation Class (PhpCaptcha)
Toughen Forms' Security with an Image
Anti-spam techniques in PHP
freecap – PHP CAPTCHA script

6 Responses to “Prevent automated registrations technique in PHP with simple CAPTCHA”

  1. viarvebig said

    spam remover ad blocker spyware

  2. Intavagneve said

Tool

  3. Bangui said

    Quality materials here on wordpress.com, dude. I actually
    like what you have obtained in this article, certainly like what you’re thinking and the way through which you assert it. You are making it entertaining and you still take care to ensure that it stays smart. I can not wait to study much more from you. A helpful blog undoubtedly.

  4. Hey there fantastic blog! Does running a blog
    similar to this take a lot of work? I’ve no knowledge of
    computer programming however I had been hoping to start my own blog in the near future.
    Anyway, should you have any ideas or techniques for new blog owners please share.

    I understand this is off subject nevertheless I simply needed to ask.

    Thanks!

  5. yeah! hey, natalie, this is abby. was trying 2 find ur website. didn't find it until now, so I'm leaving a comment. ttyl! bi, abby Click https://twitter.com/moooker1

  6. I hope you have lots of good knowledge to
    share with the Vietnamese printing community.
    Thank you!
