Saturday, 28 August 2010

Image captcha security update

The image captcha class we seen previously had a security issue when used by passing string (like <img src="captcha.php?&s=your_string" />) as it is easy to parse the html and find the value which is printed along with the tag.

It however had no problems if used from another php class. But if you wish to use the class from external Java, Perl, Python, Ruby or any other language and scripts then the image tag was the only option and was not secured.

Therefore, the new and updated captcha class uses browser cookie for storing the captcha and then for checking it.

Download the php classes from:

You will find the following files:

  • Captcha.php - The main captcha class

  • get_captcha.php - This file will be used to get the printed image

  • check_captcha.php - This file will be used for form validation

  • test.php - An example php on how it might be used.

now to print the image simply do in your form:
<img src="get_captcha.php" />

You can then validate user input by Ajax or direct form submission by posting to - check_captcha.php

Example form:

<form action="check_captcha.php" method="post">
<input type="text" name="captcha_string" />
<button type="submit">submit</button>

The file check_captcha.php responses in boolean 1 - true or 0 - false.

1 comment: