
Saturday 8 June 2013

CAPCHA-T [Secured Messaging]++

CAPCHA-T

CAPCHA-T (pronounced "Capchat") is an idea which can be used to make messaging hard to eavesdrop on. It is intended for sending and receiving private data which you do not want any third person to be able to read or eavesdrop on. You also do not want the chat / messaging history to be saved anywhere.

To achieve anything like that, the safest option seems to be thick client to thick client chat, where each client acts as both client and server.

As the name suggests, the idea comes from the way image captchas work on various websites: they prevent bots or scripts from accessing a service unless the requester is an actual human being. The captcha image is requested once, and it expires once it has been used or after a certain amount of time. The images are generated in various ways depending on how hard you want to make them to read automatically.

I will now define a protocol by which we can achieve this idea.


CAPCHA-T Protocol

The following image illustrates how this can work.

As we can see from the above, when user 1 commits a message:

  1. The message is first rendered at the client's end as an image.
  2. A key is assigned to the message at the client's end. It can be a hash tag or a randomly generated key with a timestamp, and the key is attached to the image, i.e. the image can be requested using the key. We also set flags for when the key expires etc.
  3. The key is sent to the other end, user 2, instead of the message.

Now when the client at user 2 receives the message in the form of the key, the client makes a request using the key so that the message can be rendered at their end. The user sees the message on their screen in the form of an image, rendered much like a captcha or in whatever way the rendering function turns the text into an image.

The protocol should also require three functions to be implemented: 1) a text-to-image renderer, 2) a key generator and 3) algorithms to send and receive these files, so that it can be made more secure in the future if possible.

The following are the good and bad sides of this approach.

Pros
  1. Hard to eavesdrop on / tap, making it more secure.
  2. Hard to find, as a message expires after one request and cannot be re-requested; if it is stored at all, then only at the original sender's end.
Cons
  1. Heavyweight messages.
  2. Thus slow.
  3. Unsearchable (search could be achieved by adding tags etc. if used as emails, just thinking).

How it might look when implemented



I am planning to come up with a PHP, HTML, JS based implementation soon.

Note: The above idea is intended only for the purpose of exploring ideas. And we should keep in mind that with great powers should come great responsibilities :).

Saturday 4 September 2010

Ultimate security for Image Captcha - PHP (Apparently)

Download the latest version of PHP image captcha from here.

How it works



The following image illustrates how the new system works.

Fig 1. Flow Diagram

The client requests a key from the server and the server returns a unique key. The server also generates a random string and saves the IP address and details of the client request in the database.

The client then makes a second request, this time submitting the key, and the server returns an image which the client places in the form.

After the user gives their input, the client makes a third request, this time sending the user input and the key to the server. The server searches the database with the key and checks whether the captcha matches. If it matches the server returns 1, otherwise it returns 0. In either case the captcha cannot be used again, and the client would need to do all three steps again.

In this way, this captcha verification method is much safer, and it also enables us to track the IP from which an attack could be made. In the future we can also easily add a function to block IPs.

The next step would be to make more complex and well packed images.
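The three requests described above can be sketched as follows. This is an added example, not the code in the downloadable package: the class name, the in-memory array standing in for the database table and the 120-second lifetime are assumptions. The consume-on-first-use rule in check() is the same one the CAPCHA-T post at the top of this page asks of its message keys.

```php
<?php
// Added example (PHP 8): in-memory stand-in for the database table.
final class ChallengeStore
{
    private array $rows = []; // key => ['answer' => ..., 'ip' => ..., 'expires' => ...]
    public function __construct(private int $ttl = 120) {}

    // Request 1: issue an unguessable key; keep the answer and client IP server-side.
    public function issue(string $ip, int $now): string
    {
        $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I
        $answer = '';
        for ($i = 0; $i < 6; $i++) {
            $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
        $key = bin2hex(random_bytes(16));
        $this->rows[$key] = ['answer' => $answer, 'ip' => $ip, 'expires' => $now + $this->ttl];
        return $key;
    }

    // Request 2: the image endpoint looks up the text to draw for this key.
    public function answerFor(string $key): ?string
    {
        return $this->rows[$key]['answer'] ?? null;
    }

    // Request 3: returns 1 or 0. The row is deleted before comparing, so a
    // wrong guess, a replayed key and an expired key all end the challenge.
    public function check(string $key, string $input, int $now): int
    {
        $row = $this->rows[$key] ?? null;
        unset($this->rows[$key]);
        if ($row === null || $now > $row['expires']) {
            return 0;
        }
        return hash_equals($row['answer'], strtoupper(trim($input))) ? 1 : 0;
    }
}

// Constructed walk-through; 203.0.113.7 is a documentation address.
$store = new ChallengeStore();
$now = time();
$key = $store->issue('203.0.113.7', $now);
$text = $store->answerFor($key);
echo $store->check($key, $text, $now), "\n";            // correct answer, first use
echo $store->check($key, $text, $now), "\n";            // same key replayed
$late = $store->issue('203.0.113.7', $now);
$lateText = $store->answerFor($late);
echo $store->check($late, $lateText, $now + 121), "\n"; // checked after the TTL
```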

Usage (example)



Download and unzip the package which contains the following files:

1. Captcha.php - Main captcha class
2. check_captcha.php
3. get_key.php
4. get_captcha.php
5. database.php - Database class
6. test.php - Example file
7. framework.sql - DB script

After you have put your files in place and set up the db tables using the script, do the following from client side php:

//request a key from server
http://<yourhost>/get_key.php

//now using the key you can request an image captcha
<img src="http://<yourhost>/get_captcha.php?key=<key_from_request>">

//The form to submit data
<form action="check_captcha.php?key=<key_from_request>" method="post">
   <input type="text" name="captcha_string"/>
   <button type="submit">check</button>
</form>

//then process the response which is either 0 or 1

Credits

Thanks to Muntasir Azam Khan, who was involved in thinking through and pointing out various problems the previous releases had, and who helped test this Image Captcha code in the beta version of one of his Code Dump (http://codedump.appspot.com/) sites.

Saturday 28 August 2010

Image captcha security update

The image captcha class we saw previously had a security issue when used by passing the string in the URL (like <img src="captcha.php?&s=your_string" />), as it is easy to parse the html and find the value, which is printed along with the tag.

It had no problems, however, if used from another php class. But if you wished to use the class from external Java, Perl, Python, Ruby or any other language or script, then the image tag was the only option, and it was not secure.

Therefore, the new and updated captcha class uses a browser cookie for storing the captcha and then for checking it.

Download the php classes from:

http://nasaralla.googlecode.com/files/captcha.zip

You will find the following files:

  • Captcha.php - The main captcha class

  • get_captcha.php - This file will be used to get the printed image

  • check_captcha.php - This file will be used for form validation

  • test.php - An example php on how it might be used.



Now, to print the image, simply put this in your form:
<img src="get_captcha.php" />

You can then validate user input by Ajax or direct form submission by posting to - check_captcha.php

Example form:

<form action="check_captcha.php" method="post">
<input type="text" name="captcha_string" />
<button type="submit">submit</button>
</form>

The file check_captcha.php responds with a boolean: 1 for true or 0 for false.
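The post does not say what the cookie contains. The following added example (not the code in captcha.zip) shows one way to keep the answer itself out of the cookie, by storing only a keyed hash of it together with an expiry time. SECRET, the function names and the cookie layout are assumptions made for the illustration.

```php
<?php
// Added example: the cookie carries an HMAC of the answer, never the answer.
// SECRET is a placeholder for a random key that only the server knows.
const SECRET = 'replace-with-32-random-bytes-kept-on-the-server';

// Cookie value: expiry.nonce.HMAC(expiry|nonce|answer)
function make_captcha_cookie(string $answer, int $now, int $ttl = 120): string
{
    $expires = $now + $ttl;
    $nonce = bin2hex(random_bytes(8));
    $mac = hash_hmac('sha256', "$expires|$nonce|" . strtolower($answer), SECRET);
    return "$expires.$nonce.$mac";
}

// Returns 1 or 0, like check_captcha.php. The expiry is covered by the MAC,
// so editing it in the browser invalidates the cookie.
function check_captcha_cookie(string $cookie, string $input, int $now): int
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return 0;
    }
    [$expires, $nonce, $mac] = $parts;
    if ($now > (int) $expires) {
        return 0;
    }
    $expected = hash_hmac('sha256', "$expires|$nonce|" . strtolower(trim($input)), SECRET);
    return hash_equals($expected, $mac) ? 1 : 0;
}

// Constructed walk-through with a made-up answer.
$now = time();
$cookie = make_captcha_cookie('k7wq2p', $now);
echo check_captcha_cookie($cookie, 'K7WQ2P', $now), "\n";       // matching input
echo check_captcha_cookie($cookie, 'wrong1', $now), "\n";       // wrong input
echo check_captcha_cookie($cookie, 'k7wq2p', $now + 121), "\n"; // after expiry
echo check_captcha_cookie($cookie, 'k7wq2p', $now + 60), "\n";  // same cookie presented again
```

Nothing on the server records that a cookie has been used, so a solved cookie stays valid until it expires. The key-based version from 4 September 2010 closes that gap by keeping the captcha in the database and retiring it after one check.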

Sunday 18 July 2010

Database Updated Finally!

Hey Guys,

Finally I have added some nice database features which should give the class some meaning now, as previously it only ran your custom queries and did some simple validations for you.

Now it comes with some powerful mysql features and you can slowly try to build a more OOP based design.

new!

You can now do the following most used features of mysql using this helper class:
1) Create Table
2) Insert data in table
3) Edit and update values
4) Remove items using slightly complex conditions
5) and last but not the least... Find!

Do the following before you attempt anything with these files:

Download database class: _here_

include("database.php");

$db = new DBConnect('host_name','database_name','user_name','password');
$con = $db->setDb();

Now to create table simply:



$db->createTable('contacts', array('name', 'address', 'phone', 'email'), array('varchar(30)', 'varchar(50)', 'varchar(12)', 'varchar(30)'), TRUE);

The function parameters are:
1) Table name - String
2) Field names - Array of String
3) Field types - Array of String
4) Overwrite - Boolean

The first three parameters are the obvious requirements for the mysql CREATE TABLE function. Make sure the numbers of 'Field names' and 'Field types' are equal. The final parameter is a boolean; if set to true it will overwrite any previous table with the same name. Set it to false for safety.

Now insert values to table!



$db->insert('contacts', array('name','address','phone','email'), array('Anas Nasarullah','Uttara Dhaka Bangladesh','9181819','anasrlh@hotmail.com'));

The parameters here are simple to explain, and all of them are required by the Mysql INSERT function.

The function parameters are:
1) Table name - String
2) Field names - Array of String
3) Field values - Array of String

Now time to do some editing to the values!



$db->edit('contacts', 'email', 'anasarulh@hotmail.com', 'email', 'anasrlh@hotmail.com');

This function should have more functionalities to handle complex conditions. For the time being it only finds the value of the given field and value and changes that value.

The function parameters are:
1) Table name - String
2) Edit field name - String
3) New value - String
4) Find field name - String
5) Find value - String

Now we will remove an element from table



$db->remove('contacts', array('email', 'name'), array('anasarulh@hotmail.com', 'Anas Nasarullah'), 'or');

This function has the most powerful conditioning of all the functions we have discussed so far. You can give a set of fields which should have a set of values, and say whether they are combined with an 'and' or an 'or' condition to choose the correct rows. The disadvantage is that all the conditions are either 'and-ed' or 'or-ed'; they cannot be a mixture, so more complex conditions are not possible.

The function parameters are:
1) Table name - String
2) Find field names - Array of Strings
3) Find values - Array of Strings
4) Operator - String ('and' / 'or')

Finally it's time to Find!



It is a very basic and simple find function as follows:

$db->find('contacts', 'name', 'Anas', 0);

For now the function can only take the table name, the field to look in and the value to look for. The final flag parameter is a boolean that says whether the search is for the exact value or for all values containing the value string.

Flag = 1 means find with exact value.
Flag = 0 means find with string containing the value.

The function parameters are:
1) Table name - String
2) Find field name - String
3) Find value - String
4) Flag - Boolean (0 / 1)

That's all folks!
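The post does not show how the class turns these arguments into SQL. The following added example (not the code in database.php) shows how the remove() and find() signatures above can be served with placeholders and validated identifiers, so that values never become part of the SQL text. The function names ident, build_remove and build_find are hypothetical.

```php
<?php
// Added example: build statement text plus a parameter list for PDO/mysqli.

// Identifiers cannot be bound as parameters, so accept only plain names.
function ident(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return "`$name`";
}

// Mirrors remove($table, $fields, $values, $operator).
function build_remove(string $table, array $fields, array $values, string $op): array
{
    $op = strtoupper($op);
    if (!in_array($op, ['AND', 'OR'], true) || !$fields || count($fields) !== count($values)) {
        throw new InvalidArgumentException('bad operator or field/value count');
    }
    $conds = array_map(fn($f) => ident($f) . ' = ?', $fields);
    $sql = 'DELETE FROM ' . ident($table) . ' WHERE ' . implode(" $op ", $conds);
    return [$sql, array_values($values)];
}

// Mirrors find($table, $field, $value, $flag): 1 = exact, 0 = contains.
function build_find(string $table, string $field, string $value, int $exact): array
{
    if ($exact) {
        return ['SELECT * FROM ' . ident($table) . ' WHERE ' . ident($field) . ' = ?', [$value]];
    }
    // Escape LIKE wildcards so that "50%" is searched for as literal text.
    $like = '%' . addcslashes($value, '\\%_') . '%';
    return ['SELECT * FROM ' . ident($table) . ' WHERE ' . ident($field) . ' LIKE ?', [$like]];
}

// Constructed input: a value containing a quote, and a field name that is
// not a plain identifier.
[$sql, $params] = build_remove('contacts', ['email', 'name'], ["it's@example.com", 'Anas Nasarullah'], 'or');
echo $sql, "\n", json_encode($params), "\n";
[$sql, $params] = build_find('contacts', 'name', 'Anas', 0);
echo $sql, "\n", json_encode($params), "\n";
try {
    build_find('contacts', 'name; --', 'x', 1);
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
// With PDO: $stmt = $pdo->prepare($sql); $stmt->execute($params);
```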

Tuesday 8 June 2010

Image Captcha updated

I have recently added a feature to the image captcha class, which is simply to be able to generate a random string and pass it on to the captcha class. The class will then create the captcha image, which can be used for human verification. This feature makes it easier to use the captcha class from external files.

The file can be downloaded from http://nasaralla.googlecode.com/files/captcha.php

and the simple-to-use instructions are as follows:

//create a random string (8 hex characters) from the system's secure random source
$captcha_str = bin2hex(random_bytes(4));
//then simply include the captcha file
include('captcha.php');
$captcha = new Captcha();
//the class reads the string from the 's' request parameter
$_GET['s'] = $captcha_str;
$captcha->printGivenString();

The above example will print the image on the whole page. To add it to a part of your page, simply add this bit of code in a php file:

include('captcha.php');
$captcha = new Captcha();
$captcha->printGivenString();

and suppose you name the file image_captcha.php

Now simply do the following from your html or form:
<img src = "<any base path>/image_captcha.php?s=yourString" />

Monday 8 February 2010

Tabulation updated

We have slightly upgraded the tabulation function. The function is both important and very handy these days, as most e-commerce sites give users control over how they wish to see the results, sort by price, etc.

So our new tabulation with pagination now has a sort function, where you simply need to state which row needs to be sorted and in what order, i.e. ascending or descending.

The tabulation class can be downloaded from here:

http://nasaralla.googlecode.com/files/tabulation.php

and how to use the class is defined in this post:

http://phphelperfunctions.blogspot.com/2010/01/simple-php-tabulation-helper-class.html

You only need to call the following function in order to call a page in a required sorted order.

_______________________________________________________

Example:

$results = $tab->getResultSorted(3, 'Hotel', 'DESC');

where the signature is

getResultSorted($page_number, $row_name, $sort_order);

For ascending order simply leave the order blank (default order).
_______________________________________________________

Wednesday 27 January 2010

Simple shopping cart class using php

Hello,

My cart class manages the shopping cart facility which almost every e-commerce site requires these days. This class does not do checkout with PayPal, Google Checkout or any similar service, but you can very easily manage the items being put into and taken out of the cart.

You can download the file from here:
http://nasaralla.googlecode.com/files/shopping_cart.php

You can then start managing your items as in the following example:

___________________________________________________
//include the file
include("shopping_cart.php");
//start a session
session_start();
//initialize session variables
$_SESSION["item_list"] = array();
$_SESSION["item_total"] = 0;
//creating some items
$itm1 = new item("1","T-shirt","clothing","fcuk", "10.00", "cotton t-shirt", "image_url_not_available");
$itm2 = new item("2","Trouser","clothing","fcuk", "15.00", "Khaki trouser", "image_url_not_available");
$itm3 = new item("3","Cap","clothing","Next", "5.00", "all size cap", "image_url_not_available");
$itm4 = new item("4","jacket","formal","Austin reed", "100.00", "bond casino royal style", "image_url_not_available");
$itm5 = new item("5","Shoes","formal","Aldo", "50.00", "black naughty boy", "image_url_not_available");

//create your cart
$cart = new shopping_cart();

//add items to your cart
$cart->add_to_cart($itm1);
$cart->add_to_cart($itm2);
$cart->add_to_cart($itm3);
$cart->add_to_cart($itm4);
$cart->add_to_cart($itm5);

//print xml based status of the cart
$cart->print_cart_status();

//remove item in 3rd position (4th item)
$cart->remove_element(3);

//print xml based status of the cart
$cart->print_cart_status();
//end session
session_destroy();
___________________________________________________

And the xml output is like the following:
___________________________________________________


___________________________________________________