Forum Moderators: coopster
But the question that I have is whether or not this has to be an image?
The method that I am using at the moment (my site is not yet live), is this:
- I create a random number between 1 and 10000
- I then md5 this number to create a random md5 hash
- I then pull out 6 characters from round about the middle of the hash
- I convert these 6 characters to uppercase, and display them; providing an input box in which the user can enter the code.
Obviously, after that, if the code is correct, the form executes. If not, it displays an error message.
I cannot see much wrong with this method. But then again, I am not that experienced in PHP. If someone could verify whether this would work, I would really appreciate it.
*g
You could achieve the same effect by just having an input field where you say "Type Yes in this box".
The reason people use an image is that it is much harder for the computer to understand.
Depending on your site, it might not be a big issue. Someone would probably have to write a script specifically for your site. The best way to do this is to use an image.
[edited by: coopster at 1:14 am (utc) on Feb. 5, 2007]
[edit reason] removed url [/edit]
I really appreciate it.
It's only an attempt to stop email spam. I'd rather not have random emails advertising viagra popping up in my inbox :D
Considering the form's uses, it doesn't really warrant the time spent on higher levels of security. I've got other areas of the site that will need more attention.
Once again, thanks for the help!
<img src="captcha.php?code=1f3870be274f6c49b3e31a0c6728957f">
And then the captcha.php would simply display the last 6 digits (28957f). But someone figured this out and I got a load of spam as a result, so just a suggestion for you ;-)
I ask the person submitting to "Please enter this random value (to prevent spamming)" into <input type="text" name="random" size="20">
This function generates a random number that I display to be copied:
// requires session_start() earlier in the request
function generateRandomPassword ($pwlength = 5)
{
    // start with a blank password
    $randompassword = "";
    // define possible characters
    $possible = "bcdfghjkmnpqrstvwxyz123456789";
    // characters are never repeated, so a longer length could never be reached
    $pwlength = min($pwlength, strlen($possible));
    // set up a counter
    $i = 0;
    // add random characters to $randompassword until $pwlength is reached
    while ($i < $pwlength)
    {
        // pick a random character from the possible ones
        $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
        // we don't want this character if it's already in the password
        if (!strstr($randompassword, $char))
        {
            $randompassword .= $char;
            $i++;
        }
    }
    // keep the expected value on the server for the later comparison
    $_SESSION['random'] = $randompassword;
    return $randompassword;
}
Notice that the random value is also entered into a session variable.
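// requires session_start() earlier in the request
$matchvalue = isset($_SESSION['random']) ? $_SESSION['random'] : '';
$_SESSION['random'] = ''; // clear it so each value can be used only once
$random = isset($_POST['random']) ? $_POST['random'] : '';
// strict comparison: with == PHP compares numeric-looking strings as numbers
if ( is_string($random) && ($random !== '') && ($matchvalue === $random) )
{
    // add to guestbook code here
}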
HTH, Jenny
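The design point running through the posts above, that the expected answer must not be recoverable from anything sent to the browser (as it was with the ?code= parameter), shown as an added example that is not code from any poster in this thread. The function names, the session key and the 10-minute lifetime are assumptions; the session is passed as an array so the script also runs from the command line.

```php
<?php
// Added example: names, session key and TTL are assumptions, not from the thread.
const CAPTCHA_ALPHABET = 'bcdfghjkmnpqrstvwxyz123456789'; // alphabet used in the post above
const CAPTCHA_TTL = 600; // seconds a challenge stays valid (assumed value)

// Weak design described in the thread: the answer is a function of the URL
// parameter, so a script can compute it without ever reading the image.
function answerFromUrlCode(string $code): string
{
    return substr($code, -6);
}

// Hardened: the answer exists only in the server-side session.
function issueChallenge(array &$session, int $length = 5): string
{
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    $answer = '';
    for ($i = 0; $i < $length; $i++) {
        $answer .= CAPTCHA_ALPHABET[random_int(0, $max)]; // CSPRNG, PHP 7+
    }
    $session['captcha'] = ['answer' => $answer, 'expires' => time() + CAPTCHA_TTL];
    return $answer; // draw this into the image; never place it in a URL or form field
}

function verifyChallenge(array &$session, $submitted): bool
{
    $challenge = $session['captcha'] ?? null;
    unset($session['captcha']); // single use: one guess per issued challenge
    if (!is_array($challenge) || !is_string($submitted) || $submitted === '') {
        return false;
    }
    if (time() > $challenge['expires']) {
        return false; // stale challenge
    }
    // constant-time, type-strict string comparison
    return hash_equals($challenge['answer'], strtolower(trim($submitted)));
}

// Constructed demo; in a web request pass $_SESSION after session_start().
$session = [];
$urlCode = '1f3870be274f6c49b3e31a0c6728957f'; // the value quoted in the thread
var_dump(answerFromUrlCode($urlCode));         // answer derived from the URL alone
$answer = issueChallenge($session);
var_dump(verifyChallenge($session, $answer));  // correct answer, first use
var_dump(verifyChallenge($session, $answer));  // same answer replayed after use
```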