homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Gold Sponsor 2015!
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

confirmation codes for forms

5+ Year Member

Msg#: 3242494 posted 8:33 pm on Feb 4, 2007 (gmt 0)

I know you get CAPTCHA images for forms, to tell humans and bots apart.

But the question that I have is whether or not this has to be an image?

The method that I am using at the moment (my site is not yet live), is this:
- I create a random number between 1 and 10000
- I then md5 this number to create a random md5 hash
- I then pull out 6 characters from round about the middle of the hash
- I convert these 6 characters to uppercase, and display them; providing an input box in which the user can enter the code.

Obviously, after that, if the code is correct, the form executes. If not, it displays an error message.

I cannot see much wrong with this method. But then again, I am not that experienced in PHP. If someone could verify whether this would work, I would really appreciate it.




WebmasterWorld Senior Member 10+ Year Member

Msg#: 3242494 posted 9:42 pm on Feb 4, 2007 (gmt 0)

The problem is that a bot could very easily read the characters, if they're in plain text, and then put them into the form and submit it. But, the bot would have to be specifically written to handle your site. So it would foil most spam attempts, which are probably not aimed specifically at you, but rather all sites with a form.

You could achieve the same effect by just having an input field where you say "Type Yes in this box".


5+ Year Member

Msg#: 3242494 posted 9:44 pm on Feb 4, 2007 (gmt 0)

It would be easy to write a program that would grab the characters you display.

The reason people use an image is that it is much harder for the computer to understand.

Depending on your site, it might not be a big issue. Someone would probably have to write a script specifically for your site. The best way to do this is to use an image.

[edited by: coopster at 1:14 am (utc) on Feb. 5, 2007]
[edit reason] removed url [/edit]


5+ Year Member

Msg#: 3242494 posted 7:16 am on Feb 5, 2007 (gmt 0)

Thanks for the help.

I really appreciate it.

It's only an attempt to stop email spam. I'd rather not have random emails advertising viagra popping up in my inbox :D

considering the form's uses, it doesn't really warrant the time spent on higher levels of security. I've got other areas of hte site that will need more attention.

Once again, thanks for the help!


5+ Year Member

Msg#: 3242494 posted 7:49 pm on Feb 5, 2007 (gmt 0)

Just on a side note, its better if you just create a random 6 letter word and set it in a session, and then make the captcha image read from that session. That way you dont need to send it any strings on the contact page, and have even less chance of getting spam (assuming the image is complicated enough). I say this because I had a similar scenario whereby it would generate a random md5 hash and send it like this:

<img src="catcha.php?code=1f3870be274f6c49b3e31a0c6728957f">

And then the captcha.php would simply display the last 6 digits (28957f). But someone figured this out and I got a load of spam as a result, so just a suggestion for you ;-)


5+ Year Member

Msg#: 3242494 posted 2:54 pm on Feb 6, 2007 (gmt 0)

Thats what I've done.

I don't like having PHP variables visible in the URL. So I decided to store the code in a session variable.

Tidy URLs. Slightly harder for the spammer :)


10+ Year Member

Msg#: 3242494 posted 4:36 pm on Feb 6, 2007 (gmt 0)

Here's what I do that seems to work quite well:

I ask the person submitting to "Please enter this random value (to prevent spamming)" into <input type="text" name="random" size="20">

This function generates a random number that I display to be copied:

function generateRandomPassword ($pwlength = 5)
// start with a blank password
$randompassword = "";
// define possible characters
$possible = "bcdfghjkmnpqrstvwxyz123456789";
// set up a counter
$i = 0;
// add random characters to $password until $pwlength is reached
while ($i < $pwlength)
// pick a random character from the possible ones
$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
// we don't want this character if it's already in the password
if (!strstr($randompassword, $char))
$randompassword .= $char;
$_SESSION['random'] = $randompassword;
return $randompassword;

Notice that the random value is also entered into a session variable.

$matchvalue = $_SESSION['random'];
$_SESSION['random'] = '';
$random = $_POST['random'];
if ( ($random) && ($matchvalue == $random) )
{ // add to guestbook code here }

HTH, Jenny


5+ Year Member

Msg#: 3242494 posted 2:55 pm on Feb 8, 2007 (gmt 0)

Awesome stuff! Thanks sooooo much for the detailed reply!

I really appreciate.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved