Check user is human with no captcha

From Webmaster-A Webmaster Resources
Many users are put off adding captcha-type programs to their code, either because of the complexity or because the PHP installed on their server does not have the image manipulation libraries needed to run them.

Here is a simple and easy way to check from PHP that a user is human without having to go through the complexities of a captcha. This is very secure thanks to the miracles of MD5 (a non-reversible hashing algorithm), which, unlike GD or ImageMagick, is part of every PHP installation.

Here is the basic code:

PHP code to check a user is human

Here is how the code to stop those pesky bots works. I will show you how to add this into your application (whether it's Zend-encoded black-box code or something you control) in a moment.

Function areyouhuman builds a simple arithmetical question, adding a random number between 1 and 190 to, or subtracting it from, a random number between 200 and 10200. It then adds a magic number to the expected answer and stores the MD5 hash of the result in a hidden field in the form. This hash cannot be reversed (well, it can if you have 21 days and a network of PlayStation 3s working on it) but will always be the same for any given input string. This means that the bot cannot simply pluck an answer from a hidden form field and return it. Above we have set the value $hum to the HTML that is returned by the areyouhuman routine. Here is what the output from $hum looks like:

Are you human?

7387 + 137 =

Function checkhum gets back from POST the values we are interested in: just the answer ($ansin) and the MD5 expected if it is correct ($hans). It adds the magic number to the answer and MD5-hashes it. If the answer is the one we are expecting, both MD5s will be the same. If they are not, we kill the script and stop the bot stone dead (a human can just press the back button and try again!).

Please note this is not 100% secure, since a programmer could grab the maths off the page, work out the answer and send the right one; however, nobody is doing this yet. A more secure way would be to use a set of images of numbers and the +/- signs - just remember not to number them 1.jpg, 2.jpg etc!

Now how to use the code. If it's a form/script you encode then it's easy.

How to use the Captcha Replacement/alternative in your code

If we assume you have saved the above code as checkhum-inc.php....

The above is a simple registration form example. We check the POST array to see whether this is a return from the form or we are simply displaying the page; print displays the page, including a message ($msg) and our humanity check ($hum). The form calls our page again (a form handily does that if you leave the target out), and this time it knows from the button return (this is also how you can process multiple submit buttons on a form) that registration is requested. We wait 5 seconds (this stops a bot from pounding the script with guesses ten thousand times a second), check that the sender is human (remember the checkhum routine terminates the script if it is a bot), validate the email address, and register/redirect if it's good, or send a message back and redisplay the form if it's bad.
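The two functions and the registration flow described above, in one file, as an added example; this is not the site's original code. It makes one substitution: where the page uses MD5 of the answer plus a magic number, this sketch uses HMAC-SHA256 keyed with a server-side secret over the answer and an expiry time, compared with hash_equals(), so a hidden-field value is accepted only for a limited time. The field names, HUM_SECRET, HUM_TTL and the redirect target are assumptions.

```php
<?php
// Added example. Field names, HUM_SECRET and HUM_TTL are assumptions.
const HUM_SECRET = 'replace-with-a-long-random-server-side-key';
const HUM_TTL    = 600; // seconds a question stays valid

// Hidden-field token: expiry time plus a keyed MAC over answer and expiry.
function hum_token(int $answer, int $expires): string {
    return $expires . ':' . hash_hmac('sha256', $answer . '|' . $expires, HUM_SECRET);
}

// Returns the question, the answer box and the hidden token field as HTML.
function areyouhuman(): string {
    $a = random_int(200, 10200);
    $b = random_int(1, 190);
    $plus = random_int(0, 1) === 1;
    $token = hum_token($plus ? $a + $b : $a - $b, time() + HUM_TTL);
    return "Are you human?<br>$a " . ($plus ? '+' : '-') . " $b = "
        . '<input type="text" name="ishuman_ans" size="6">'
        . '<input type="hidden" name="ishuman_tok" value="' . $token . '">';
}

// Ends the script, as the page's checkhum does, unless the answer matches.
function checkhum(): void {
    $ans = $_POST['ishuman_ans'] ?? '';
    $tok = $_POST['ishuman_tok'] ?? '';
    $ok = is_string($ans) && is_string($tok)
        && preg_match('/^\d{1,6}$/', $ans) === 1
        && preg_match('/^(\d{1,12}):[0-9a-f]{64}$/', $tok, $m) === 1
        && (int) $m[1] >= time()                      // not expired
        && hash_equals(hum_token((int) $ans, (int) $m[1]), $tok);
    if (!$ok) {
        exit('Wrong or expired answer. Go back and try again.');
    }
}

$msg = '';
if (isset($_POST['register'])) {          // came back from the submit button
    sleep(5);                             // the delay described above
    checkhum();                           // exits here for a bot
    if (filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL) !== false) {
        // Register the account here, then redirect (hypothetical target).
        header('Location: /welcome.php');
        exit;
    }
    $msg = 'Please enter a valid email address.';
}
print '<form method="post">' . htmlspecialchars($msg)
    . '<br>Email: <input type="text" name="email"><br>' . areyouhuman()
    . '<br><input type="submit" name="register" value="Register"></form>';
```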

Now if you are working on a Zend-encoded or encrypted script that you cannot alter, or do not wish to alter, you can usually still use this technique. Run the script to get its form up on the screen and view the HTML source. Cut and paste this into a new HTML or PHP file as needed. Do a similar exercise to the above, but if it passes the human test then send the variables (except the ishuman ones!) to the original script using POST from PHP. Here is how to do that...sigh.

This will give you in $response whatever the old script would have sent back to the user (probably an HTML page saying it's all OK or you screwed up). If you want, you can display this to the user, or parse it for any message and just show them that.
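One way to do the forwarding step, as an added example rather than the page's original code. It forwards an allow-list of expected fields instead of everything in $_POST, which also keeps the ishuman fields out, and posts to a fixed URL; ORIGINAL_SCRIPT, FORWARD_FIELDS and the field names are placeholders.

```php
<?php
// Added example. The URL and field list are placeholders, not the page's values.
const ORIGINAL_SCRIPT = 'https://example.com/original/register.php'; // fixed; never taken from the request
const FORWARD_FIELDS  = ['email', 'username'];  // fields the copied form sends (assumed)

// POST the allow-listed fields to the original script and return its
// response body, or false if the request failed.
function forward_post(array $post)
{
    $fields = [];
    foreach (FORWARD_FIELDS as $name) {
        // Copy only expected string fields; the ishuman_* fields are never forwarded.
        if (isset($post[$name]) && is_string($post[$name])) {
            $fields[$name] = $post[$name];
        }
    }
    $context = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query($fields),
        'timeout'       => 10,
        'ignore_errors' => true,   // still return the body on a 4xx/5xx status
    ]]);
    return file_get_contents(ORIGINAL_SCRIPT, false, $context);
}

if (isset($_POST['register'])) {
    // Run the delay and the humanity check here before forwarding anything.
    $response = forward_post($_POST);
    print $response === false ? 'The original script could not be reached.' : $response;
}
```

file_get_contents() on a URL needs allow_url_fopen enabled. The original script sees every forwarded request as coming from your server's address, so any per-IP logging or limits it applies no longer distinguish visitors.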

Phew! All done. So now you know how to check for input from a human being without captcha!


You are welcome to use any or all of this code. A link back would be nice!

