Simple human verification code.

[CrackFeed.Com]

I hate captcha and I am sure you do to. Here is an alternative that is abit more fun, to me at least.

Put this into a file named whatever.php:

$randnum = mt_rand(1,25);
switch($randnum)
 {
    case 1:
      	$botq = 'What is 5 + 3?';
      	$bota = '8';
       break;
    case 2:
	$botq = 'What is 3 + 2?';
      	$bota = '5';
       break;
    case 3:
	$botq = 'What is 5 + 5?';
      	$bota = '10';
       break;
    case 4:
	$botq = 'What is 2 + 7?';
      	$bota = '9';
       break;
    case 5:
	$botq = 'What color is a lemon?';
      	$bota = 'yellow';
       break;
    case 6:
	$botq = 'What is 5 + 1?';
      	$bota = '6';
       break;
    case 7:
	$botq = 'What is 7 + 7?';
      	$bota = '14';
       break;
    case 8:
	$botq = 'What is 8 + 8?';
      	$bota = '16';
       break;
    case 9:
	$botq = 'What shape has no corners?';
      	$bota = 'circle';
       break;
    case 10:
	$botq = 'What is 6 + 6?';
      	$bota = '12';
       break;
    case 11:
	$botq = 'What is 5 x 3?';
      	$bota = '15';
       break;
    case 12:
	$botq = 'What is 16 + 2?';
      	$bota = '18';
       break;
    case 13:
	$botq = 'What is 20 + 25?';
      	$bota = '45';
       break;
    case 14:
	$botq = 'What is 16 + 4?';
      	$bota = '20';
       break;
    case 15:
	$botq = 'What is 9 + 1?';
      	$bota = '10';
       break;
    case 16:
	$botq = 'What is 7 x 3?';
      	$bota = '21';
       break;
    case 17:
	$botq = 'What is 7 + 7 + 1?';
      	$bota = '15';
       break;
    case 18:
	$botq = 'What is 13 + 3?';
      	$bota = '16';
       break;
    case 19:
	$botq = 'What color is a banana?';
      	$bota = 'yellow';
       break;
    case 20:
	$botq = 'What is 15 - 5?';
      	$bota = '10';
       break;
    case 21:
	$botq = 'Are you a bot?';
      	$bota = 'no';
       break;
    case 22:
	$botq = 'Are you a cylon?';
      	$bota = 'no';
       break;
    case 23:
	$botq = 'Are you from mars?';
      	$bota = 'no';
       break;
    case 24:
	$botq = 'Is Earth a cube?';
      	$bota = 'no';
       break;
    case 25:
	$botq = 'Can pigeons fly?';
      	$bota = 'yes';
       break;
}

Ok, now to the form portion. make sure that your script has session_start() at the top of it and call this before your form starts:

	require('path/to/whatever.php');
	$_SESSION['antibotcode'] = md5(strtolower($bota));
	session_write_close();

Now in your form, add this field, change teh style how you want and dump the paragragh tags if you want. If your form is not inside php tags, remove this ' . $botq . ' and replace it with <?php echo $botq; ?> . I hate design integrated with code, but to each his/her own, right?

<p style="margin-top:0px;padding-top:0;"><span style="color:red;">* Human verification: </span><strong>' . $botq . '</strong><br style="height:35px;" /><input type="text" name="b" /></p>

Ok finally, in the script that you parse the form, you want to do this:

	if (!empty($_POST['b'])) {
		$b = md5(strtolower($_POST['b']));
	} else {
		echo 'Go back and fill out all fields! Pretty please?';
	}
	if (!empty($_SESSION['antibotcode'])) {
		if ( $b != $_SESSION['antibotcode'] ) {
			unset($_SESSION['antibotcode']);
			echo 'Code typed incorrectly. Go back.';
		}
	} else {
		echo 'Hmmm, how did you get here without the proper session being set?';
	}
	unset($_SESSION['antibotcode']);
                // all is good, continue parsing form!

This is just a sample, but it gives you the general idea and you can change it to your specific needs.

* I like this, because I can include some very funny questions to give my guests a giggle as they sign up.


.

 

[CrackFeed.Com]

Note that there are faster and more efficient ways to store the Q and A's. But this is just an example, but it works well.

 

[qbert220]

Great stuff. Thanks for sharing.

You might want to lowercase the visitor's answer before md5ing it to avoid rejecting someone typing "Yes", when you expected "yes".

I personally hate the ones that ask you to complete a word (I find this hard for some reason - I guess just the way my brain is wired). Also some questions are aimed at a particular culture or language variant. This is one I get asked quite often at one forum (it obviously has a limited set of questions):

Finish this word, these fly through the sky, airp????

The correct answer (for me) is aeroplanes, which obviously doesn't work.

I'd probably use arrays for storing Q's and A's.

 

[CrackFeed.Com]

Lol, I just first ran into one of those today at the cPanel boards. I hated it! lol

Thanks for pointing that out, changed

 

[Ik]

You know what! I hate it when the font is unreadable ;-( sometimes I try 3-4 times to get it right

I'm with math. Thanks for the code.

 

[CrackFeed.Com]

Tell me about it, I retried a captcha 7 times earlier. lol

You are quite welcome!

 

[intheflow]

Nice code, thanks for sharing.

Just what I need for my contact form.

 

[CrackFeed.Com]

Thanks and you are welcome

 

[Eric]

I changed 'whatever.php' to the below. I dunno, that switch just made me cringe (not that all these arrays are that much better, but meh :P )

<?php

$questions   = array();
$questions[] = array('q' => 'What is 5 + 3?',             'a' => '8');
$questions[] = array('q' => 'What is 3 + 2?',             'a' => '5');
$questions[] = array('q' => 'What is 5 + 5?',             'a' => '10');
$questions[] = array('q' => 'What is 2 + 7?',             'a' => '9');
$questions[] = array('q' => 'What color is a lemon?',     'a' => 'yellow');
$questions[] = array('q' => 'What is 5 + 1?',             'a' => '6');
$questions[] = array('q' => 'What is 7 + 7?',             'a' => '14');
$questions[] = array('q' => 'What is 8 + 8?',             'a' => '16');
$questions[] = array('q' => 'What shape has no corners?', 'a' => 'circle');
$questions[] = array('q' => 'What is 6 + 6?',             'a' => '12');
$questions[] = array('q' => 'What is 5 x 3?',             'a' => '15');
$questions[] = array('q' => 'What is 16 + 2?',            'a' => '18');
$questions[] = array('q' => 'What is 20 + 25?',           'a' => '45');
$questions[] = array('q' => 'What is 16 + 4?',            'a' => '20');
$questions[] = array('q' => 'What is 9 + 1?',             'a' => '10');
$questions[] = array('q' => 'What is 7 x 3?',             'a' => '21');
$questions[] = array('q' => 'What is 7 + 7 + 1?',         'a' => '15');
$questions[] = array('q' => 'What is 13 + 3?',            'a' => '16');
$questions[] = array('q' => 'What color is a banana?',    'a' => 'yellow');
$questions[] = array('q' => 'What is 15 - 5?',            'a' => '10');
$questions[] = array('q' => 'Are you a bot?',             'a' => 'no');
$questions[] = array('q' => 'Are you a cylon?',           'a' => 'no');
$questions[] = array('q' => 'Are you from mars?',         'a' => 'no');
$questions[] = array('q' => 'Is Earth a cube?',           'a' => 'no');
$questions[] = array('q' => 'Can pigeons fly?',           'a' => 'yes');

$randnum = array_rand($questions);

$botq = $questions[$randnum]['q'];
$bota = $questions[$randnum]['a'];

?>

 

[CrackFeed.Com]

Unless I am mistaken, that will use more resources from having to read all of that, where-as in a switch, it ignores the statements unless the key is matched.

 

[Eric]

Unless I am mistaken, that will use more resources from having to read all of that, where-as in a switch, it ignores the statements unless the key is matched.

Not necessarily. As more cases are added, the switch would become slower at executing than the array's. For this particular situation, the difference in speed of execution is negligible.

My main reason for doing it the way I did, is readability. I think using the array's instead of giant switch statement is much more readable. JMO

 

[CrackFeed.Com]

Yeah, is pretty much up to personal pref unless you add a lot more.

 

[Nodws]

much better to say

$n1=rand(0,9);
$n2=rand(0,9);
$result=$n1+$n2+1; //we add 1, or any
$question="what is $n1 + $n2?";

//we echo the form and hide the result
echo"<form method=post>$question <input name=question><input type=hidden name=result value=$result></form>";

//we validate and subtract 1
if(($_POST[result]-1)===$_POST[question])
{
echo"you are human!"; //hurray, no switch()
}

simple as that

 

[IsaacTacken]

Thanks. I will use this instead of a captcha from now on.

Is there any problem if I replace the questions with my own? Or it doesn't matter to you? :D

 

[CrackFeed.Com]

Nah, change it to fit your needs

 

[Michel2012]

Very Nice Code thanks for sharing this.

 

[OpticPhreak]

much better to say

$n1=rand(0,9);
$n2=rand(0,9);
$result=$n1+$n2+1; //we add 1, or any
$question="what is $n1 + $n2?";

//we echo the form and hide the result
echo"<form method=post>$question <input name=question><input type=hidden name=result value=$result></form>";

//we validate and subtract 1
if(($_POST[result]-1)===$_POST[question])
{
echo"you are human!"; //hurray, no switch()
}

simple as that

That is not right. You are sending the answer in the form. That is very easy to get around.

 

[Name Trader]

Just what I came into this thread to ask if anybody had some code like this. Is this still the recommended method to implement this? The spammers are getting around my Google Captcha implementation.

I see the OP has his account suspended. I don't know what infraction he has, but it would be nice to know when his account will be re-instated.

 

[Chicken]

Just what I came into this thread to ask if anybody had some code like this. Is this still the recommended method to implement this? The spammers are getting around my Google Captcha implementation.

I see the OP has his account suspended. I don't know what infraction he has, but it would be nice to know when his account will be re-instated.

The original and the code Eric posted are still both valid.

 

[OpticPhreak]

The value should go into a session with cookies ON. Hidden fields are very much visible to bots. There is a way around, but more difficult for idiots to figure out.

Soon I will code in GD to Imageize the question.

much better to say

$n1=rand(0,9);
$n2=rand(0,9);
$result=$n1+$n2+1; //we add 1, or any
$question="what is $n1 + $n2?";

//we echo the form and hide the result
echo"<form method=post>$question <input name=question><input type=hidden name=result value=$result></form>";

//we validate and subtract 1
if(($_POST[result]-1)===$_POST[question])
{
echo"you are human!"; //hurray, no switch()
}

simple as that

Here is my rendition.

if(!empty($_POST['a']) && !empty($_SESSION['answer']) && !empty($_POST['captcha'])) {
	function formClean($val) {
		$val = htmlspecialchars(strip_tags(trim($val)));
		return filter_var($val, FILTER_SANITIZE_STRING);
	}
	if (!is_numeric($_SESSION['answer']) || !is_numeric($_POST['captcha'])) {
		redirect('http://xxx.com/invalid_captcha.html');
	} else {
		$captcha = trim($_POST['captcha']);
		$captcha = (int)$captcha;
		if ($_SESSION['answer'] != $captcha) {
			redirect('http://xxx.com/invalid_captcha.html');
		}
	}
        // finish parsing contact data
}

and

$n1=rand(0,9);
$n2=rand(0,9);
$answer=($n1+$n2);
$question='What is '.$n1.' + '.$n2.'?';
$_SESSION['answer'] = $answer;
echo '
		<input type="text" name="captcha" id="captcha" />
		<label for="captcha">'.$question.'</label>					
';

 

[Charles Sweeney]

This is an example of "security through obscurity". It's easy to break by simply visiting the site and making a list of the answers to the small number of questions and feeding them to your bot.

I have never used a CAPTCHA. Mainly because they are a pain for humans and it puts a barrier in the way of the visitor, having to complete another step or jump over another hurdle before reaching you.

If it's for a contact form there's better ways to block spam. Simply blocking "http://" will block most spam, presuming you don't expect your genuine visitors to submit "http://".

You can require a cookie as most spam bots probably won't accept one (though they easily could if they wanted). Just setting the session will set a cookie on a default setup, which you can check for when the form is submitted.

When I owned FormToEmail.com I offered these methods, amongst others.

For me, I would much rather accept spam than miss a genuine enquiry which could lead to a sale. Yes I got spam, but using MailWasher it was very easy for me to quickly delete it.

On the other hand, if your form is for signing up to something, you could get the visitor to confirm their email address before being registered.

The above methods will be good for practically all sites. If the site is HUGELY busy, then maybe there is a case for the dreaded CAPTCHA but even at that, I think I would rather employ people to check submissions. I have a car sales site. A new user can't post a listing until it's been humanly reviewed (i.e. by me). I can check hundreds of listings very quickly as spam or junk stands out a mile, and if I got hugely busy I would be happy to employ someone to do the same thing!