Keeping Your Site Bot Free with “Captchas”
p. I hate bots on the net. (Except when I’m using them to “drive traffic to my blog”:http://ars.userfriendly.org/cartoons/?id=20060321.) But as a web programmer they are a pain in my Ethernet port if you catch my drift. So how do you keep them out but let people in? You use those little boxes of random letters and numbers that you can read and decipher but (currently) computers can’t.
p. The technical term for these images is “Captcha”:http://en.wikipedia.org/wiki/Captcha. They are used to protect your site by showing something that a computer can’t recognize but a human can. (most of the time) They are usually placed on your registration page but they can be placed anywhere you want to make reasonably sure you are dealing with a person and not a bot. To use them, you simply place the image somewhere on your page, ask the user what they see and then validate the results. The concept is simple but how do you implement it without sitting at Photoshop all night creating thousands of images? Well, the boys and girls over at “CodeFX.com”:http://www.codedfx.com have put together a little “tutorial”:http://www.codedfx.com/index.php?id=tutorialfull&did=42 to show you how they did it.
p. Most of you will like this, it’s a lot of code and just a few lines about what it does. (If you are in management, you might want to grab a programmer before visiting the page.) The code looks reasonably complete and a quick reading shows that it should do the job. This isn’t the most complex captcha I’ve seen written in PHP. It is however, a simple one that you can use if you want to dive in and figure out what is going on. The code is clean and simple so you can easily grasp and extend it.
p. Reading it over, they don’t mention it directly, but it is implied that you need your copy of PHP compiled with the gd libraries. Also, you will need a TrueType font file. Most machines have some lying around somewhere but if you draw a blank, here’s a hint: “Ask Google”:http://www.google.com/search?q=true+type+fonts and you shall receive.
=C=
3 comments to “Keeping Your Site Bot Free with “Captchas””
August 2nd, 2006 at 3:46 am
Not to spoil the broath or anything, but I feel it is worth pointing out that these image things are not as great as everyone seems to think.
Consider the UK law which states that disabled users should have access to all features on websites (not to mention just good practice and manners). Also what about text only browsers? 2 problems staight away – these users cannot read/see the image, and will not be able to submit forms. Some sites have gone just one step further by allowing the user to listen to the Letters, but this is still not good enough (not everyone has speakers, or can hear for that matter).
So what is the solution??
Well, why not ask the user a general question with only one posible answer? if the answer is valid then they are good to go! php.net have introduced something alone these lines in the comments section of the online manuals. This may not be bullet proof, but is certainly better than stupid messed up images that are hard or impossible to read!
February 25th, 2007 at 4:48 pm
That is to say you could come up with questions that EVERYONE IN THE WHOLE WORLD could answer, good luck with that one.
php.net can do it because if your posting a comment about php you should know php!
So you came up with 100 questions that you could ask that EVERYONE apparently knows the answer to, except for a computer, well..
Why not write a script that reloads your page to grab all your questions, then I’ll sit down for a few hours and come up with all the answers, put them in my script and flood your website with "user authenticated answers".
I agree captcha isnt good for text browsers and possibly some disabled people but I dont think asking questions is going to be a better alternative, for my site I’ll take the security I feel captcha gives me over asking random questions to random people.
I like how php.net does it but php.net is such a specific site its hard to say "what they do works for everyone".
Just my $0.02
April 10th, 2007 at 9:26 pm
Over at TeleportJobs we have created a <a href="http://www.teleportjobs.com/captcha/free_captcha.asp">free captcha</a> service that eliminates the need to generate the image on your server. We serve up the image and you simply make a call to our server to verify the image. Verification can be done using JavaScript so it makes it easy to use and cuts down on the coding you need to do.