Welcome to WebmasterWorld Guest from

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

confirmation codes for forms



8:33 pm on Feb 4, 2007 (gmt 0)

5+ Year Member

I know you get CAPTCHA images for forms, to tell humans and bots apart.

But the question that I have is whether or not this has to be an image?

The method that I am using at the moment (my site is not yet live), is this:
- I create a random number between 1 and 10000
- I then md5 this number to create a random md5 hash
- I then pull out 6 characters from round about the middle of the hash
- I convert these 6 characters to uppercase, and display them; providing an input box in which the user can enter the code.

Obviously, after that, if the code is correct, the form executes. If not, it displays an error message.

I cannot see much wrong with this method. But then again, I am not that experienced in PHP. If someone could verify whether this would work, I would really appreciate it.



9:42 pm on Feb 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

The problem is that a bot could very easily read the characters, if they're in plain text, and then put them into the form and submit it. But, the bot would have to be specifically written to handle your site. So it would foil most spam attempts, which are probably not aimed specifically at you, but rather all sites with a form.

You could achieve the same effect by just having an input field where you say "Type Yes in this box".


9:44 pm on Feb 4, 2007 (gmt 0)

5+ Year Member

It would be easy to write a program that would grab the characters you display.

The reason people use an image is that it is much harder for the computer to understand.

Depending on your site, it might not be a big issue. Someone would probably have to write a script specifically for your site. The best way to do this is to use an image.

[edited by: coopster at 1:14 am (utc) on Feb. 5, 2007]
[edit reason] removed url [/edit]


7:16 am on Feb 5, 2007 (gmt 0)

5+ Year Member

Thanks for the help.

I really appreciate it.

It's only an attempt to stop email spam. I'd rather not have random emails advertising viagra popping up in my inbox :D

considering the form's uses, it doesn't really warrant the time spent on higher levels of security. I've got other areas of hte site that will need more attention.

Once again, thanks for the help!


7:49 pm on Feb 5, 2007 (gmt 0)

10+ Year Member

Just on a side note, its better if you just create a random 6 letter word and set it in a session, and then make the captcha image read from that session. That way you dont need to send it any strings on the contact page, and have even less chance of getting spam (assuming the image is complicated enough). I say this because I had a similar scenario whereby it would generate a random md5 hash and send it like this:

<img src="catcha.php?code=1f3870be274f6c49b3e31a0c6728957f">

And then the captcha.php would simply display the last 6 digits (28957f). But someone figured this out and I got a load of spam as a result, so just a suggestion for you ;-)


2:54 pm on Feb 6, 2007 (gmt 0)

5+ Year Member

Thats what I've done.

I don't like having PHP variables visible in the URL. So I decided to store the code in a session variable.

Tidy URLs. Slightly harder for the spammer :)


4:36 pm on Feb 6, 2007 (gmt 0)

10+ Year Member

Here's what I do that seems to work quite well:

I ask the person submitting to "Please enter this random value (to prevent spamming)" into <input type="text" name="random" size="20">

This function generates a random number that I display to be copied:

function generateRandomPassword ($pwlength = 5)
// start with a blank password
$randompassword = "";
// define possible characters
$possible = "bcdfghjkmnpqrstvwxyz123456789";
// set up a counter
$i = 0;
// add random characters to $password until $pwlength is reached
while ($i < $pwlength)
// pick a random character from the possible ones
$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
// we don't want this character if it's already in the password
if (!strstr($randompassword, $char))
$randompassword .= $char;
$_SESSION['random'] = $randompassword;
return $randompassword;

Notice that the random value is also entered into a session variable.

$matchvalue = $_SESSION['random'];
$_SESSION['random'] = '';
$random = $_POST['random'];
if ( ($random) && ($matchvalue == $random) )
{ // add to guestbook code here }

HTH, Jenny


2:55 pm on Feb 8, 2007 (gmt 0)

5+ Year Member

Awesome stuff! Thanks sooooo much for the detailed reply!

I really appreciate.


Featured Threads

Hot Threads This Week

Hot Threads This Month