Protect an area of your site (image "captcha")

Here is a small PHP script, consisting of two files, that keeps robots out of a vulnerable area of your site, so they cannot e.g. spam your guestbook or wiki. You can test the script online here:

protector-script
or download it as captcha.zip (2Kb).

The first file shows an image with a 4-digit code and a form in which that code has to be entered. The image is generated by the second file; the code itself is passed between the two files in a session variable.
A few security points have been taken care of:
- every variable is checked with isset() before it is used,
- variables are read from the superglobal they are expected in ($_POST, $_SESSION, $_SERVER) instead of relying on register_globals,
- the session variable is destroyed after a single check, so a code that was solved once cannot be submitted again.
Two caveats: the HTTP_REFERER check is only a convenience, since that header is sent by the client and can be faked or left out, and GD's built-in fonts with light noise are not hard to read by machine. Treat the script as a spam filter for a guestbook, not as strong authentication.

file: test2007.php

<?php
# put the location of the script here if you want to check the referer
#$site = "http://www.anigators.com";

# the image script stores the code in the session, so the session
# has to be started before anything is read from it
session_start();
?>
<html>
<title>captcha test</title>
<body>
<?php
# HTTP_REFERER is supplied by the client and can be faked or omitted;
# it only keeps out the laziest bots. To restrict it to your own site,
# set $site above and uncomment the strncmp() line.
if (isset($_SERVER["HTTP_REFERER"]) &&
    #(strncmp($_SERVER["HTTP_REFERER"], $site, strlen($site)) == 0) &&
    isset($_POST["p"], $_SESSION["cOde"]) && !empty($_POST["p"]))
{
    # demo output only: a real form never echoes the expected code
    echo "you entered: " . htmlspecialchars($_POST["p"]) . "<br>";
    echo "passcode is: " . $_SESSION["cOde"] . "<br><br>";
    # strict string comparison; with == PHP (before 8) accepts "1234abc" for 1234
    if ((string)$_POST["p"] === (string)$_SESSION["cOde"]) {
        echo "You passed.";
    } else {
        echo "You failed.";
    }
    # the code is single-use: a second POST with the same session cookie
    # must not pass, see http://puremango.co.uk/cm_breaking_captcha_115.php
    session_destroy();
}
else
{
    # the image is generated by pass2007.php, the answer comes back to this file
    echo '
<img src="pass2007.php"><br>
<form action="test2007.php" method="post">
Enter passcode here:
<input name="p">
<input type="submit">
</form>
';
}
?>
</body>
</html>


The second file generates a PNG image with a 4-digit code. The digits are disturbed with a random pixel pattern, and the position and size of each digit are random (within limits). GD's built-in fonts only come in sizes 1-5; bigger or different fonts must be supplied by the user. To keep things simple, this script only uses the built-in ones. Foreground and background colour are random, as is the degree of noise.

file: pass2007.php

<?php
# "captcha": generates the image and stores the code in the session
session_start();
# creating graphics with PHP and GD, see:
# http://www.phpcenter.de/de-html-manual/ref.image.html

$cOde = 0;
$height = 50;
$width = 100;
$verrauschung = rand(10,15);  # noise in percent (approximately, since 100%
                              # does not cover every pixel: dots may overlap)

$im = @ImageCreate($width, $height)
      or die("Cannot create GD-image-stream.");
# the first allocated colour becomes the background
$background_color = ImageColorAllocate($im, rand(200,255), rand(200,255), rand(200,255));
$text_color = ImageColorAllocate($im, rand(1,200), rand(1,200), rand(1,200));

for ($i = 1; $i < 5; $i++)
{
    $zahl = rand(1,9);
    $cOde = $cOde * 10 + $zahl;  # no magic here, simply build a 4-digit number
    # random position within the i-th quarter of the image
    $x = rand((int)(2 + ($i-1) * $width / 4), (int)(-2 + $i * ($width-15) / 4));
    $y = rand(5,25);
    # font size 1-5, bigger fonts e.g. http://www.widgnet.com/gdf_fonts/fonts.html
    $size = rand(4,5);
    ImageString($im, $size, $x, $y, (string)$zahl, $text_color);
}

# hand the code to test2007.php. session_register() relied on register_globals
# and was removed in PHP 5.4, so write to $_SESSION directly.
$_SESSION["cOde"] = (string)$cOde;

# scatter random dots over the bitmap (= add noise to the code)
$dots = $width * $height / 100 * $verrauschung;
for ($i = 1; $i < $dots; $i++)
{
    $x = rand(0, $width - 1);
    $y = rand(0, $height - 1);
    imagesetpixel($im, $x, $y, $text_color);
}

# send the header only now, so a die() above still produces readable text
header("Content-type: image/png");
ImagePNG($im);
?>


In order to protect your own script, paste the following three code pieces (taken from test2007.php above) into it. Somewhere at the top of the script, before any output is sent, place the session initialization:

<?php
// >>> (1) CAPTCHA needs info-transport via session
session_start();
// <<<
?>


Look for the editing part of your script and insert the following HTML into the <form> area (the image is generated by pass2007.php):

<!-- (2) CAPTCHA-code -->
<img src="pass2007.php"><br>
Enter passcode here:
<input name="p">
<!--     CAPTCHA-code -->


Within the save part insert the following code and replace choice (a) with your own routine call.

<?php
// >>> (3) CAPTCHA evaluation
// HTTP_REFERER is client-supplied; it is a convenience check, not a security control
if (isset($_SERVER["HTTP_REFERER"]) &&
    #(strncmp($_SERVER["HTTP_REFERER"], $site, strlen($site)) == 0) &&
    isset($_POST["p"], $_SESSION["cOde"]) && !empty($_POST["p"]))
{
    // strict comparison: with == PHP (before 8) accepts "1234abc" for 1234
    if ((string)$_POST["p"] === (string)$_SESSION["cOde"]) {
        // (a) proper number - enter save routine
        $data = rtrim($_POST["content"]) . "\n";
        savepage($data);
    }
    else {
        // (b) wrong number - no failed notice here, simply don't save ;-)
    }
    // the code is single-use (http://puremango.co.uk/cm_breaking_captcha_115.php);
    // if your script keeps other data in the session (login state etc.),
    // use unset($_SESSION["cOde"]) instead of destroying the whole session
    session_destroy();
}
// <<<
?>
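The evaluation in code piece (3) can be collapsed into one function. The following is an added example, not code from the original scripts or from TipiWiki. It assumes the image script stored the 4-digit code as a string in $_SESSION["cOde"], as pass2007.php does, and it takes the request and session arrays as parameters so it can be run from the command line (php captcha_check.php) without a web server; in a page you would call captcha_check($_POST, $_SESSION). It goes beyond the snippets above in three ways: it does not look at HTTP_REFERER at all, it insists on exactly four digits before comparing (so loose-comparison accidents such as "4711abc" cannot occur), and it removes only the captcha entry from the session instead of calling session_destroy(), so other session data survives the check.

```php
<?php
// Added example (not from the original scripts): a single-use CAPTCHA check
// that replaces code-piece (3). $post and $session stand in for $_POST and
// $_SESSION; in a real page call captcha_check($_POST, $_SESSION).
// Assumes pass2007.php stored the 4-digit code as a string in $_SESSION["cOde"].

function captcha_check(array $post, array &$session): bool
{
    // everything we rely on must exist: no image fetched -> no code -> fail
    if (!isset($post["p"], $session["cOde"])) {
        return false;
    }
    $expected = (string) $session["cOde"];

    // single-use: consume the code *before* comparing, so a second POST with
    // the same session cookie (a replay) finds nothing to compare against.
    // Only the captcha entry is removed; other session data stays intact.
    unset($session["cOde"]);

    // only exactly four digits are acceptable input; this also rejects
    // "4711abc" (accepted by == in PHP 7 and earlier) and "47.11e2"
    // (a numeric string that == compares as 4711 in every PHP version)
    if (!is_string($post["p"]) || !preg_match('/^[0-9]{4}\z/', $post["p"])) {
        return false;
    }

    // type-strict, constant-time comparison (PHP >= 5.6)
    return hash_equals($expected, $post["p"]);
}

// --- simulated requests against one session (constructed sample state) ----
$session = ["cOde" => "4711", "user" => "alice"];

$first  = captcha_check(["p" => "4711"], $session);    // correct code, first use
$replay = captcha_check(["p" => "4711"], $session);    // same code again: already consumed

$session["cOde"] = "4711";                              // a fresh image was requested
$sloppy = captcha_check(["p" => "4711abc"], $session); // passes a == check in PHP 7

printf("first=%d replay=%d sloppy=%d user_kept=%d\n",
       $first, $replay, $sloppy, isset($session["user"]));
```

Of the three simulated submissions only the first one succeeds: the replay fails because the code was consumed on the first call, and the sloppy input fails the four-digit check. The "user" entry is still in the session afterwards, which is the reason to prefer unset() over session_destroy() when the captcha is integrated into a wiki or guestbook that keeps login state in the session.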

A TipiWiki system (version 2) with captcha integration can be downloaded as tipi-wiki_captcha.zip (19Kb).

Links
captcha, captcha decoder