Damn, I guess we should discuss the article and not whether to use it or not!!!!
Good article, I use the same way, I even was gonna write an article about that, but had no time.
CAPTCHAs are bad for accessibility!!!
[q]CAPTCHAs are bad for accessibility!!![/q]
True but the reason you have a login section or registration is to keep a part of your website private.. == less accessible..
Good article, although agreed that it's bad for accessibility.
There are some things that could be improved in the implementation of the class though.
1. Testing the existence of the GD library in Create() function is a bit too late as we call GD functions in constructor already
2. I recommend generating PNG images instead of GIFs as GIF format is not free and therefore rarely supported by hosting companies
1st: choosing only from the five very similar standard fonts is poor and the code is probably readable by a character reader.
2nd: what about the usability by sight-handicapped site users?
I've found the feedback to my article very interesting.
I agree with the accessibility points which I was of course aware of before posting the article. The aim was to provide an example of how one might structure and develop such a CAPTCHA system, not necessarily to provide an all singing, all dancing solution. In many areas the example was simplified to make it possible for as many people to try it out as possible without running into problems caused by complex dependencies. I chose to use built-in fonts for exactly this reason.
I'll be posting a more complex example on my web site in due course which makes use of TrueType fonts, a better background noise system and provides an answer to the accessibility issues for those that are interested.


Nice tutorial. I agree with some of the comments pointing out some shortcomings but the article was useful nonetheless. There need to be more tutorials for beginners.
Originally Posted by someonewhois
Yeh, you just add 10 to it...
How about using my own image as a background?
I've updated the code for this class to reflect some of the comments I received. It now supports TrueType fonts with random character rotation, optional character shadows, better background noise and has support for background images.
I'm still looking into the accessibility options but will post here when I have a solution.
You can view some samples and download the code here: http://www.ejeliot.com/articles.php
Really this will help to improve the login security
by Loganathan N from Bosco ITS, Yellagiri Hills
Originally Posted by mmj
Actually that is not true. They can provide a very effective extra layer against brute force when used in conjunction with a user login system.
Originally Posted by Anonymous
Yeah that's a brilliant idea. Why has no one implemented that???
Originally Posted by Will Kelly
You mean write the number of the digit in the alt tag? Genius!
very nice
Well, this is fine. . . but it does nothing to stop email injection attacks (form hijacking) and is devastating for accessibility.
I guess the real question is, why do so many websites use this and consider it a "security" item?
My $.02 worth.
Larry
Originally Posted by sigmaweb
Because they are! I used to think they weren't a security feature, but it really depends on the type of attack. They are certainly a security feature when it comes to brute force.
This is great, but like Larry said what about accessibility? Without an audio alternative, you're locking out a load of people.
Perhaps an article or two on working with audio for improved web accessibility?
duh! didn't see all the other posts before posting the last post..
Surely writing the text in the alt tag would make the whole exercise completely pointless?
I like the method presented but the text is way too small. I'll have to fiddle with it.
-drmike


Big big omission here unless I'm missing something. I implemented this almost as is, but the condition used to check if the correct code was entered doesn't check if a code was ever created!
The whole point of image verification is to stop bots. However, bots were getting around my script using this image verification simply by entering no value in the verification field. Since they don't pick up sessions anyway, the empty "code" in $_POST is equal to the empty "code" in $_SESSION, so their input was accepted!
I added a check that the variable existed in $_SESSION and had a value.
Hi Dan,
Thanks for pointing the problem out. I've contacted SitePoint with a fix and asked them if they'll update the article. In the meantime I suggest that anyone that wants to use this code replace the line which checks the code with the following:
if (!empty($_SESSION['code']) && strtoupper($_POST['code']) == $_SESSION['code']) {
Hope this helps.
Regards,
Ed





Is there any way to increase the text size? I have it working but the text will be awfully hard to read for some people.


Originally Posted by ejeliot
Ed,
You also need to unset the code from the session after a successful verification. If you don't, a human can type in one verification image value and then set their bot loose to submit an unlimited number of forms an unlimited number of times on that website using the same security image script. Once the code is known, the check will always pass, as a bot won't request a new security image before posting again. I've experienced it personally.
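Added example (not part of any post in this thread and not the article's class): the two flaws reported above, shown side by side with the check as the thread describes it, Ed's replacement line, and a single-use variant. The function names, the sample code value and the use of plain arrays in place of $_SESSION and $_POST are assumptions for illustration; the single-use variant goes one step further than the post above by discarding the stored code on every attempt, not only after a success.

```php
<?php
// Added example. $session and $post stand in for $_SESSION and $_POST
// so the script runs from the CLI without a web server.

// Check as described in the thread (reconstructed from Ed's line minus
// the added guard): empty input equals the missing session code.
function verify_original(array $session, array $post): bool {
    return strtoupper($post['code'] ?? '') == ($session['code'] ?? '');
}

// Ed's replacement line: a code must have been issued first.
function verify_patched(array $session, array $post): bool {
    return !empty($session['code'])
        && strtoupper($post['code'] ?? '') == $session['code'];
}

// Patched check plus single use: the stored code is consumed on every
// attempt, so a solved code cannot be replayed by a script.
function verify_single_use(array &$session, array $post): bool {
    $expected = $session['code'] ?? '';
    unset($session['code']);
    $given = $post['code'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, strtoupper($given));
}

// Constructed request 1: a bot with no session submits an empty field.
$noSession = [];
$emptyPost = ['code' => ''];
printf("empty/empty  original=%s patched=%s single_use=%s\n",
    var_export(verify_original($noSession, $emptyPost), true),
    var_export(verify_patched($noSession, $emptyPost), true),
    var_export(verify_single_use($noSession, $emptyPost), true));

// Constructed request 2: one code solved by a human, then posted twice.
$sessPatched   = ['code' => 'K7QX2'];   // constructed value
$sessSingleUse = ['code' => 'K7QX2'];
$solved        = ['code' => 'k7qx2'];
foreach ([1, 2] as $attempt) {
    printf("replay #%d    patched=%s single_use=%s\n", $attempt,
        var_export(verify_patched($sessPatched, $solved), true),
        var_export(verify_single_use($sessSingleUse, $solved), true));
}
```

With the single-use variant, the form has to issue a fresh image and code whenever it is shown again after a failed attempt.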




Hello friends
What do you think about using IP or Cookie in order to prevent spam?
GOOD LUCK!