CAPTCHA Check
In this article I will discuss several ways to check the CAPTCHA field in html forms.
I think, to explain what a CAPTCHA is, it does not make sense, so we will immediately move on to its use.
Today, CAPTCHA is used as one of the main ways to protect against spam, so the site’s normal operation largely depends on its effectiveness.
')
The most widely used CAPTCHA using images with distorted text . But lately, alternatives are increasingly appearing, offering the visitor to answer a question or perform a specific action (for example, choose a picture from several suggested ones).
Whichever of these methods you choose, the principle of working with CAPTCHA remains unchanged.
When creating a form with a CAPTCHA, you must save the correct answer , and after receiving the form data, check the visitor’s response .
More clearly this process is shown in the figure.
Of greatest interest here are two operations:
1. saving CAPTCHA data;
2. verification of the value received from the visitor.
There are three main ways to save CAPTCHA data.
1. using hidden form fields;
2. through sessions;
3. using a database.
Note By CAPTCHA data, I mean: the correct answer, the path to the image (if used), the visitor's ID (if needed).
The first option is the most unprotected. In fact, you send the correct answer to the visitor, and for spam bots, working with a hidden form field is no different from working with a regular one.
The main advantage of this method is the ease of implementation. You just need to compare the values of the two form fields (hidden and filled in by the visitor).
Saving data in a session provides a higher level of security.
The correct answers are stored on the server and are not available to visitors. In addition, in this case it is easy to limit the “life span” of the CAPTCHA, simply by setting the “lifetime” of the session.
True, there is a small problem. Imagine you created a captcha that uses images with text. These images are created each time a form is accessed and stored in a folder.
What happens to these files if the session expires? The answer is nothing. They will pile up and take up space. Those. need a script that periodically deletes obsolete files.
Using a database to store data CAPTCHA is also a fairly safe option, which has its own advantages and disadvantages.
The main disadvantage compared with sessions is the need to distinguish one visitor from another. To do this, you can use its IP address (or a combination of IP addresses and browser data (for example, use the User-Agent header)).
Thus, you can use a table with the following fields to store CAPTCHA data:
captcha_id - primary key;
captcha_time - creation time CAPTCHA;
ip_address - address of the visitor;
captcha_text - the text written in the picture;
pic_name is the name of the picture.
In this case, to retrieve CAPTCHA data, you can use the following query:
The advantage over sessions is that you do not need image removal scripts (a simple SQL query is enough).
A complete example of the implementation of such a CAPTCHA in php is given in the article: “ Add CAPTCHA to the form ”.
You can also watch live demo .
I think, to explain what a CAPTCHA is, it does not make sense, so we will immediately move on to its use.
Today, CAPTCHA is used as one of the main ways to protect against spam, so the site’s normal operation largely depends on its effectiveness.
')
The most widely used CAPTCHA using images with distorted text . But lately, alternatives are increasingly appearing, offering the visitor to answer a question or perform a specific action (for example, choose a picture from several suggested ones).
Whichever of these methods you choose, the principle of working with CAPTCHA remains unchanged.
When creating a form with a CAPTCHA, you must save the correct answer , and after receiving the form data, check the visitor’s response .
More clearly this process is shown in the figure.
Of greatest interest here are two operations:
1. saving CAPTCHA data;
2. verification of the value received from the visitor.
There are three main ways to save CAPTCHA data.
1. using hidden form fields;
2. through sessions;
3. using a database.
Note By CAPTCHA data, I mean: the correct answer, the path to the image (if used), the visitor's ID (if needed).
The first option is the most unprotected. In fact, you send the correct answer to the visitor, and for spam bots, working with a hidden form field is no different from working with a regular one.
The main advantage of this method is the ease of implementation. You just need to compare the values of the two form fields (hidden and filled in by the visitor).
Saving data in a session provides a higher level of security.
The correct answers are stored on the server and are not available to visitors. In addition, in this case it is easy to limit the “life span” of the CAPTCHA, simply by setting the “lifetime” of the session.
True, there is a small problem. Imagine you created a captcha that uses images with text. These images are created each time a form is accessed and stored in a folder.
What happens to these files if the session expires? The answer is nothing. They will pile up and take up space. Those. need a script that periodically deletes obsolete files.
Using a database to store data CAPTCHA is also a fairly safe option, which has its own advantages and disadvantages.
The main disadvantage compared with sessions is the need to distinguish one visitor from another. To do this, you can use its IP address (or a combination of IP addresses and browser data (for example, use the User-Agent header)).
Thus, you can use a table with the following fields to store CAPTCHA data:
captcha_id - primary key;
captcha_time - creation time CAPTCHA;
ip_address - address of the visitor;
captcha_text - the text written in the picture;
pic_name is the name of the picture.
In this case, to retrieve CAPTCHA data, you can use the following query:
SELECT COUNT(*) AS count FROM captcha WHERE word = $userValue AND ip_address = $userIP AND captcha_time > $expTimeThe advantage over sessions is that you do not need image removal scripts (a simple SQL query is enough).
A complete example of the implementation of such a CAPTCHA in php is given in the article: “ Add CAPTCHA to the form ”.
You can also watch live demo .
Source: https://habr.com/ru/post/21386/
All Articles