Title: Securing Web Forms with Simple PHP-CAPTCHA,
Required: GD lib,
Enclosed: source file,
Author: G.Sujith Kumar.

CAPTCHA an acronym for “completely automated public Turing test to tell computers and humans apart ". CAPTCHA technology enables you to discern human requests from computer generated requests on the Web, where such a distinction is difficult. Simply defined "Man can read machine can’t!�

In web available forms are always prone to attack by people who want to use your application for their own purposes. Many web sites use the CAPTCHA especially used to prevent bots from using various types of computing services.

The applications include preventing bots from taking part in online polls, registering for free email accounts, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender pass a CAPTCHA test before the email message is delivered [implemented in Yahoo]. They have also been used to prevent people from using bots to assist with massive downloading of content from multimedia websites.

You have probably seen the CAPTCHA project in action at some of your Web destinations. Its principal tool is a randomly created image that contains a phrase unmentioned in computer-readable text on the rendered page. The form asks the user to provide the phrase. If the form post does not contain the correct phrase, you can safely assume either the human made a user error, or it wasn't a human at all.

By : sujithfem

Now it's time to put this code to work. A simple and often-used interface to implement this new security measure is the form on website. In this form you typically capture random number.

<code>
<form name="form1" method="post" action="form.php" ">
<table width="342" align="center" cellspacing="0" bgcolor="#D4D0C8">
<tr> <td align="center"><img src="php_captcha.php"></td><td align="center"> Please enter the string shown in the image in the form.<br></td><td align="center"><input name="number" type="text"></td><td><input name="Submit" type="submit" value="Submit"></td> </tr></table></form>
</code>

The following code use to create random numbers and this number are embedding with existing image file, the first line used to initiate session, which use to carry the user inputs.

<code>
<?php
session_start();
$RandomStr = md5(microtime());
$ResultStr = substr($RandomStr,0,5);
$NewImage =imagecreatefromjpeg("img.jpg");
?>
</code>
The second line [md5 (microtime ())] use to generate the random string, and the resultant string is trim by using third line [substr], which returns the portion of string specified by the start and length parameters.
The function imagecreatefromjpeg ("img.jpg") is use to create a image by existing image file and as back ground ,so that you need to give an image file path.

<code>
<?php
$LineColor = imagecolorallocate($NewImage,233,239,239);
$TextColor = imagecolorallocate($NewImage, 255, 255, 255);
imageline($NewImage,1,1,40,40,$LineColor);
imageline($NewImage,1,100,60,0,$LineColor);
imagestring($NewImage, 5, 20, 10, $ResultStr, $TextColor);
?>
</code>

After creation of back ground image, we generate some linear line, which is use to avoid the phrasing from random numbers, the respective lines are create by the function named imageline () and imagestring () use to draw a random string horizontally.

<code>
<?php
$_SESSION['key'] = $ResultStr;
?>
</code>

The resultant random number [trimmed one], carry through session especially for validation purpose.

<code>
<?php
header("Content-type: image/jpeg");
imagejpeg($NewImage);
?>
</code>

Finally above two functions are uses to display/out put the image to browser. So we can just call the particular file by through image source path, it will display the final image.

<code>
<?php
if(isset($_REQUEST['Submit'])){
$key=substr($_SESSION['key'],0,5);
$number = $_REQUEST['number'];
if($number!=$key){
echo ' Validation string not valid! Please try again!';}
else{
echo ' Your string is valid!';}
}
?></code>

I hope you know about the above code functionality, it’s about validating the user in put and actual random number, depends upon the application you may use the if and else conditions, that’s all

Conclusion
CAPTCHA can be a great way to limit the amount of successful, unwanted HTTP POST requests in your application, CAPTCHAs are by definition fully automated, requiring little human maintenance or intervention in administering the test. This has obvious benefits in cost and reliability; I hope the simple code is useful to understand the concept. Happy CAPTCHA-ing!

Click to Download File

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

More GUI Code Articles
More By Codewalkers

 

developerWorks - FREE Tools!

Be the first to hear about i5/OS V6R1! Hold your calendar on January 30, 2008 for this free webcast on the new i5/OS. Rational's Enterprise Modernization products will be discussed at this webcast as they help to drive the application development environment for this new System i OS. <br />And learn how i5/OS will take you to the next step of efficient, resilient business processing. You will hear about the new i5/OS capabilities as it will be the most significant i5/OS release in years. If you cannot join the webcast on 1/30/08 you can still use this link to listen to the replay.<br /> FREE! Go There Now!

IBM – Taking Web 2.0 to Work You'll get answers to many questions and more from David Barnes, Lead Evangelist for IBM Emerging Internet Technologies. David will discuss aspects of Web 2.0 that bring value to corporations, academia, and government. He'll also discuss IBM's vision around Web 2.0, including the importance of remixability and consumability. The discussion will culminate with examples of various IBM Software Group solutions you can use to get ahead of the Web 2.0 adoption curve. FREE! Go There Now!

NEW! A Layered approach to delivering security-rich Web applications As businesses grow increasingly dependent upon Web applications to provide services to customers, employees and partners, these complex applications become more difficult to secure. Although traditional security solutions protect Internet infrastructure layers, they do not guard against HTTP and HTML attacks. Many organizations that conduct security testing still deploy applications that allow attackers to manipulate their logic and wreak havoc on their business. To mitigate this risk, development and delivery teams must address Web application security throughout the lifecycle, addressing the many layers detailed in this paper. FREE! Go There Now!

NEW! Don't wait! Try the Rational Application Developer (RAD) v7.5 open beta code today Download the Rational Application Developer (RAD) v7.5 open beta code and start developing applications for the JEE5 standard which features EJB3.0, JPA, JSF 1.2, JSP 2.1 and Servlet 2.5 standards. When you use this beta you will see how you can increase developer productivity for already existing applications with improved support for refactoring, as well as adding new features to existing applications. In addition, the beta provides tooling for JD Edwards, Oracle, SAP, Siebel and PeopleSoft to improve the developer productivity with these enterprise systems. FREE! Go There Now!

NEW! Download DB2 9.5 for Linux, Unix, and Windows Download a free trial version of IBM DB2 9.5 for Linux, UNIX, and Windows. DB2 9 is the result of a five-year development project that transformed traditional (static) database technology into an interactive data server that merges the high performance and ease of use of DB2 with the self-describing benefits of XML. FREE! Go There Now!

NEW! Download the free Web Application Security eKit Discover how IBM Rational AppScan Standard Edition can help you detext vulnerabilities in your web applications in the Web Application Security eKit. IBM Rational AppScan is a leading suite of automated web application security solutions that scan and test for common Web application vulnerabilities. The new Web Application Security eKit provides you with valuable resources, including white papers, demos, and additional information on the benefits of testing your Web applications. FREE! Go There Now!

NEW! Evaluate IBM Rational Software Analyzer V7.0 Download a free trial version of IBM Rational Software Analyzer Developer Edition V7.0 to identify bug defects earlier in the software development cycle. Rational Software Analyzer is an extensible software development solution that reduces the expense of bug-fixes by enabling static analysis code reviews and bug identification very early in the development cycle. FREE! Go There Now!

NEW! Try the IBM SOA Sandbox for Connectivity Visit IBM developerWorks to try the IBM SOA Sandbox for connectivity. The SOA Sandbox for connectivity provides a trial environment with the tooling and components to help you explore how to effectively connect your infrastructure and integrate all of the people, processes and information in your company. Use the hosted sandbox to explore SOA techniques that streamline connecting existing IT assets together, as well as learn how to connect them to new business logic. FREE! Go There Now!

NEW! Using Rational Business Developer to enhance your developer productivity Join this Rational Talks to You teleconference, to hear how Enterprise Generation Language (EGL) eliminates the need for tedious and error-prone low level coding, so developers can focus on business requirements. EGL extends the Rational software development platform with a simplified programming language that enables developers who have little or no experience with Java, Web technologies or Service Oriented Architecture, to create enterprise-class applications and services quickly and easily. It also allows developers who may have little or no mainframe programming experience to quickly create traditional mainframe components. FREE! Go There Now!

NEW! Webcast: IBM Rational Build Forge - Beyond the Build The discipline of assembling and delivering software is maturing beyond standard developer-centric compile/test software builds. The end-to-end software development lifecycle is emerging as the new focus moves “Beyond the Build.” Join this on demand webcast to learn about methods for streamlining software delivery and key capabilities of the IBM Rational Build Forge framework for automating build and release management in environments of any size. FREE! Go There Now!

All FREE IBM® developerWorks Tools!