Prevent automated registrations technique in PHP with simple CAPTCHA
Posted by LE MINH DUC on April 29, 2006
CAPTCHA is an acronym for "Completely Automated Public Turing Test to Tell Computers and Humans Apart". As the name suggests, it is a test designed to tell whether the party on the other end is a human rather than a program. You can read more about CAPTCHAs at Wikipedia or on the CAPTCHA site. Some of the applications:
– Online polls: the poll requires that only humans can vote.
– Free email services: stop "bots" that sign up for thousands of email accounts every minute.
– Search engine bots: a CAPTCHA image ensures that bots will not enter a web site.
– A countermeasure against email worms and spam: an email is accepted only once it is known that a human is behind the sending computer.
– Preventing dictionary attacks and brute-force attacks against login pages.
In this post, I will share a simple technique for creating a CAPTCHA, which I used in some of my first PHP projects. In the login page, as you can see, there is a random code rendered as an image. The user has to key in the correct username, password and also this code to log in. In this example, the code (e.g. 68897) changes each time the user refreshes the page.
Here is the HTML code to create the form: (index.php)
<form action="login.php" method="post">
<table width="300" cellpadding="5" cellspacing="0" border="0">
<tr><td bgcolor="white"><div class="txt">Username</div></td>
<td bgcolor="white"><input type="text" size="30" maxlength="18" class="txt" name="username"></td></tr>
<tr><td bgcolor="white"><div class="txt">Password</div></td>
<td bgcolor="white"><input type="password" size="30" maxlength="18" class="txt" name="password"></td></tr>
<tr><td bgcolor="white"><?php
// Create the random seed for the security check; index_button.php derives the code from it
$t1 = sha1(time().rand(1,999));
printf('<img src="index_button.php?t1=%s"><input type="hidden" value="%s" name="tc2">', $t1, $t1);
?></td>
<td bgcolor="white"><input type="text" size="30" maxlength="8" class="txt" name="tc"></td></tr>
<tr><td bgcolor="white"> </td>
<td bgcolor="white"><input type="submit" size="30" class="txt" value="launch"></td></tr>
</table>
</form>
In this example, the value $t1 is calculated with sha1(time().rand(1,999)): it takes the SHA-1 hash of the current timestamp joined with a random number from 1 to 999.
Then, this value is passed to index_button.php, which generates the CAPTCHA image:
header("Content-type: image/png"); // must be sent before any image data
$im = imagecreate(80, 25); // image size is not given in the post; 80x25 is assumed here
imagecolorallocate($im, 255, 255, 255); // first allocated colour becomes the background
$string = substr(md5($_GET['t1']), 7, 5); // 5 characters of the hex digest, e.g. 68897
$color = imagecolorallocate($im, 0, 0, 0); // black text
$px = (imagesx($im) - 8.5 * strlen($string)) / 2; // centre the text horizontally (font 5 is about 9 px per character)
imagestring($im, 5, $px, 2, $string, $color);
imagepng($im); imagedestroy($im);
The imagestring function draws $string into the image identified by $im, with the upper-left corner of the text at coordinates ($px, 2) (the top-left corner of the image is (0, 0)), in the colour $color.
Then imagepng($im) outputs a PNG image to the browser.
(Note: you must call header("Content-type: image/png") before any output, to inform the browser that the content is a PNG image.)
imagedestroy($im) destroys the image $im and frees the memory associated with it.
After that, the rendered image is displayed in index.php as shown below:
I use a hidden input to pass the value $t1 to login.php, which verifies the submitted code after submission as below:
$db = mysql_pconnect("localhost", "root", "root");
$un = $_POST['username'];
// check security code first, then check username and password later....
// the image showed substr(md5($t1),7,5) and $t1 came back in the tc2 hidden field, so recompute and compare
if (substr(md5($_POST['tc2']), 7, 5) !== $_POST['tc']) { die('Wrong security code'); }
…….. // execute other code…..
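Here is an added example (my own code, not the post's) of the same check arranged so that the seed never leaves the server. The post sends $t1 to the browser in the tc2 hidden field, and because the image code is just substr(md5($t1),7,5), whoever holds tc2 can recompute the expected answer without reading the image; keeping the seed in the PHP session, consuming it after one attempt and comparing in constant time removes that risk. The function names, the session key captcha_seed and the use of random_bytes() and hash_equals() (PHP 7+) are my assumptions; the 5-character derivation is the post's.

```php
<?php
// Added example, not the post's own code: same 5-character derivation as index_button.php,
// but the seed is kept in the server-side session instead of the tc2 hidden field.
// Assumes session_start() has already been called by the page that includes this file.

function captcha_code_from_seed($seed) {
    // Identical to the post: 5 hex characters taken from md5() of the seed.
    return substr(md5($seed), 7, 5);
}

function captcha_new_seed() {
    // The post uses sha1(time().rand(1,999)); random_bytes() is used here instead
    // so the seed cannot be guessed from the clock.
    $seed = bin2hex(random_bytes(16));
    $_SESSION['captcha_seed'] = $seed;   // stays on the server, never sent to the browser
    return $seed;
}

function captcha_check($submitted) {
    // True only when a seed exists and the submitted code matches it.
    // The seed is removed either way, so each rendered image allows exactly one attempt.
    if (!isset($_SESSION['captcha_seed'])) {
        return false;
    }
    $expected = captcha_code_from_seed($_SESSION['captcha_seed']);
    unset($_SESSION['captcha_seed']);
    return hash_equals($expected, (string) $submitted);   // constant-time comparison
}

// How the three pages from the post would use this (assumed layout):
//   index.php        : captcha_new_seed(); then <img src="index_button.php"> with no ?t1= and no tc2 field
//   index_button.php : $string = captcha_code_from_seed($_SESSION['captcha_seed']); then the drawing code from the post
//   login.php        : if (!captcha_check($_POST['tc'] ?? '')) { die('Wrong security code'); } before the login check

if (PHP_SAPI === 'cli') {
    // Stand-alone self-check from the command line, where no web session exists.
    $_SESSION = array();
    $seed   = captcha_new_seed();
    $first  = captcha_check(captcha_code_from_seed($seed));   // fresh seed, correct code
    $replay = captcha_check(captcha_code_from_seed($seed));   // same code again: the seed was already consumed
    var_dump($first, $replay);
}
```

Running the file with the PHP command-line interpreter exercises the one-attempt rule without a web server.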
This is a very simple technique I use to prevent dictionary attacks and brute-force attacks against login pages. You can modify and improve it to suit your needs, for example:
+ Change the background image and the text colour
+ Add more noise to the image to hinder text recognition
+ Switch to a more complex algorithm for generating the string…
To find out more complex techniques about CAPTCHA, you can visit the links below.
This entry was posted on April 29, 2006 at 8:52 pm and is filed under IT related.