
Forum Moderators: coopster & jatar k


confirmation codes for forms

8:33 pm on Feb 4, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 29, 2005
votes: 0

I know you get CAPTCHA images for forms, to tell humans and bots apart.

But the question that I have is whether or not this has to be an image?

The method that I am using at the moment (my site is not yet live), is this:
- I create a random number between 1 and 10000
- I then md5 this number to create a random md5 hash
- I then pull out 6 characters from round about the middle of the hash
- I convert these 6 characters to uppercase, and display them; providing an input box in which the user can enter the code.

Obviously, after that, if the code is correct, the form executes. If not, it displays an error message.

I cannot see much wrong with this method. But then again, I am not that experienced in PHP. If someone could verify whether this would work, I would really appreciate it.


9:42 pm on Feb 4, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 31, 2003
votes: 0

The problem is that a bot could very easily read the characters, if they're in plain text, and then put them into the form and submit it. But, the bot would have to be specifically written to handle your site. So it would foil most spam attempts, which are probably not aimed specifically at you, but rather all sites with a form.

You could achieve the same effect by just having an input field where you say "Type Yes in this box".

9:44 pm on Feb 4, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 27, 2006
votes: 0

It would be easy to write a program that would grab the characters you display.

The reason people use an image is that it is much harder for the computer to understand.

Depending on your site, it might not be a big issue. Someone would probably have to write a script specifically for your site. The best way to do this is to use an image.

[edited by: coopster at 1:14 am (utc) on Feb. 5, 2007]
[edit reason] removed url [/edit]

7:16 am on Feb 5, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 29, 2005
votes: 0

Thanks for the help.

I really appreciate it.

It's only an attempt to stop email spam. I'd rather not have random emails advertising viagra popping up in my inbox :D

Considering the form's uses, it doesn't really warrant the time spent on higher levels of security. I've got other areas of the site that will need more attention.

Once again, thanks for the help!

7:49 pm on Feb 5, 2007 (gmt 0)

Full Member

10+ Year Member

joined:Aug 9, 2005
votes: 0

Just on a side note, it's better if you just create a random 6 letter word and set it in a session, and then make the captcha image read from that session. That way you don't need to send it any strings on the contact page, and have even less chance of getting spam (assuming the image is complicated enough). I say this because I had a similar scenario whereby it would generate a random md5 hash and send it like this:

<img src="catcha.php?code=1f3870be274f6c49b3e31a0c6728957f">

And then the captcha.php would simply display the last 6 digits (28957f). But someone figured this out and I got a load of spam as a result, so just a suggestion for you ;-)
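
Added example, not part of the original post or the poster's code: the first function shows why a code derived from a value in the page markup is not a secret, and the other two sketch the session-held alternative with a single-use, expiring code. The function names, the alphabet, the 10-minute lifetime and the sample markup are assumptions made for illustration.

```php
<?php
// Weak design from the post: the answer is the last 6 characters of a value
// the page sends to every client, so anyone holding the HTML holds the answer.
// Run this against your own form markup to check for that leak.
function answerFromMarkup(string $html): ?string {
    if (preg_match('/captcha\.php\?code=([0-9a-f]{32})/', $html, $m)) {
        return substr($m[1], -6);
    }
    return null;
}

// Session-held design: the code exists only server-side. The image script
// reads it from the session; the HTML carries nothing derived from it.
function issueCode(array &$session, int $length = 6): string {
    $alphabet = 'bcdfghjkmnpqrstvwxyz23456789';
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG
    }
    $session['captcha'] = ['code' => $code, 'expires' => time() + 600];
    return $code; // hand to the image renderer only, never to the page
}

function verifyCode(array &$session, $submitted): bool {
    $entry = $session['captcha'] ?? null;
    unset($session['captcha']); // single use, whether the check passes or fails
    if (!is_array($entry) || !is_string($submitted) || time() > $entry['expires']) {
        return false;
    }
    // constant-time comparison; input is normalised to the lowercase alphabet
    return hash_equals($entry['code'], strtolower(trim($submitted)));
}

// Constructed sample markup, using the hash quoted in the post.
$html = '<img src="captcha.php?code=1f3870be274f6c49b3e31a0c6728957f">';
var_dump(answerFromMarkup($html));                  // answer recovered from markup alone

$session = [];  // stands in for $_SESSION after session_start()
$code = issueCode($session);
var_dump(verifyCode($session, strtoupper($code)));  // first submission of the right code
var_dump(verifyCode($session, $code));              // same code replayed
```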

2:54 pm on Feb 6, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 29, 2005
votes: 0

That's what I've done.

I don't like having PHP variables visible in the URL. So I decided to store the code in a session variable.

Tidy URLs. Slightly harder for the spammer :)

4:36 pm on Feb 6, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 13, 2005
votes: 0

Here's what I do that seems to work quite well:

I ask the person submitting to "Please enter this random value (to prevent spamming)" into <input type="text" name="random" size="20">

This function generates a random number that I display to be copied:

function generateRandomPassword ($pwlength = 5)
{
    // start with a blank password
    $randompassword = "";
    // define possible characters
    $possible = "bcdfghjkmnpqrstvwxyz123456789";
    // set up a counter
    $i = 0;
    // add random characters to $randompassword until $pwlength is reached
    while ($i < $pwlength) {
        // pick a random character from the possible ones
        $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
        // we don't want this character if it's already in the password
        if (!strstr($randompassword, $char)) {
            $randompassword .= $char;
            $i++;
        }
    }
    // store the value in the session so the form handler can compare against it
    $_SESSION['random'] = $randompassword;
    return $randompassword;
}

Notice that the random value is also entered into a session variable.

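// session_start() must already have been called
$matchvalue = isset($_SESSION['random']) ? $_SESSION['random'] : '';
// clear the stored value so it can only be used once
$_SESSION['random'] = '';
$random = isset($_POST['random']) ? $_POST['random'] : '';
if ( ($random) && ($matchvalue === $random) )
{
    // add to guestbook code here
}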

HTH, Jenny

2:55 pm on Feb 8, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 29, 2005
votes: 0

Awesome stuff! Thanks sooooo much for the detailed reply!

I really appreciate it.

