PHP Captcha development questions...

[RCD24]

Is it futile to make a captcha using php if i'm not going to utilize GD or imagemagick or some other server-side image processor to hide the captcha and give noise around it?


and how would one make a relatively safe and bot-free method of confirming a human is posting something?

Can I make any sort of legit captcha without sessions?

[crmalibu]

Even something as simple as telling them to enter the number 5 into a text box is extremely effective against a bot which has not been set up to specifically defeat your touring test. Most bots just crawl the net and try to post stuff, without any intelligence or assistance from a human. Such a simple test will still completely stop these.

But...if someone feels that your website is valuable enough for them to spend some time specifically tuning thier bot(or writing one from scratch) to defeat your test, they're going to obviously have a very easy time with the simple captcha. Decoding a strong image is not so simple to automate, even with the assistance of a human tuning it, although image reading programs are starting to become pretty good at it. Adding noise to the image makes it more difficult for a program to read.

So basically what I'm trying to say is that the desirability of posting to your website will determine how difficult you need to make it for them to automate. Making it more difficult will discourage people from making a focus of your site due to the increased time and effort required of them to make it happen.

[sk89q]

If you want to make your own difficult CAPTCHA image, make sure the outlines of the text, from your point of view, are not easily discernible from the rest of the background. Adding random noise won't cut it. Even if the noise is a random distribution of discrete white/black pixels, the text will be a solid color, and just thinking about it makes it obvious that writing a program to discern the solid parts of the image would be easy (if even if you don't know how to do it yourself).

When you design your CAPTCHA, think about the question: if I threw this image into a graphics editor, would it be possible to break down the image and isolate the actual characters? If you go through a lot of custom-designed CAPTCHA images, you will find many of them failing this test.

Although in theory, you most likely do not need a difficult text-based captcha, because they are generally harder to read for humans too.

[Divisive Cotton]

Do you have an example sk89q of how a good captcha image would look?

[sk89q]

Well, I suppose the Microsoft, Yahoo, Google ones are good examples. They rely on deformed shapes moreso though. Unfortunately, they have been broken on several occasions (though not with > 80% accuracy, I don't think), but there are also hundreds of people trying to break those.

I think http://recaptcha.net/ is your best option. You won't need to fear about breaking CAPTCHAs with your site, so bothering with some complex CAPTCHA isn't really needed.

[RCD24]

I think http://recaptcha.net/ is your best option. You won't need to fear about breaking CAPTCHAs with your site, so bothering with some complex CAPTCHA isn't really needed.

I've seen those before on random websites, but I didn't know it was a service webmasters could utilize. that's cool. I implemented a "securimage" PHP+GD captcha method for one of my clients, it uses gd to make letters (in a non standard font, which may be key to a good solid start) and uses random noise in the same color as the letters here and there which sometimes deform the letters. but anyhow, I understand what you mean and agree with most points.