php security captcha brute-force

Home-made captcha, is it safe?


I've been gathering information about how to protect against brute force attacks on the login page or against the harassment of multiple account creation.

I came to the conclusion (thanks to you guys of Stack Overflow) that the best way would be to use captchas.

But hard-to-read captchas or accented characters may deter users from using a website.

So, I found an easy-to-use little script that I adapted to my site. It's a simple math captcha that asks the user to sum up 2 figures from zero to ten. It displays the words 'one', 'two', 'three', ... not the figures.

My questions are:

1) Does this little captcha provide sufficient security in itself?

2) Is the way I integrated it safe? (Any way to bypass it?)

To avoid pasting 800 lines of code, I've made a summary; I hope it is clear.

Captcha script:

    session_start(); // required before $_SESSION can be used (omit if already started elsewhere)
    $n1  = mt_rand(0, 10);
    $n2  = mt_rand(0, 10);
    $fig = array('zero','one','two','three','four','five','six','seven','eight','nine','ten');
    $result = $n1 + $n2;
    $sentence = $fig[$n1].' plus '.$fig[$n2];
    $_SESSION['captcha'] = $result; // expected answer is kept server-side only
    $captcha_label = "<label for='captcha'>How much does ".$sentence." make?</label>";
    echo $captcha_label."<input type='text' id='captcha' name='captcha' value=''/><br />";
    echo "<input type='submit' name='create' value='create account'>";

PAGES:

  • form.php:

all 'create account' input fields + captcha

=> test

  • test.php:

    if ($_POST['captcha'] != $_SESSION['captcha']) {
        $_SESSION['captcha_control'] = "false";
    }

Then all 'create account' $_POST values are injection tested.

If any of them or the captcha returns "false", the script redirects to => problem.php

  • problem.php:

Echoes the initial form with all "wrong fields" highlighted, and a new captcha is displayed whether the previous answer was right or wrong.
validation => back to test.php

Thanks a lot.


Solution

  • Like most simple CAPTCHAs, it will work reasonably well until your site is significant enough for a spammer to spend a few minutes figuring out how to break it. At that point, you will be inundated by spam.

    If you intend to use your own CAPTCHA, this is overkill -- it doesn't even need to be random. Simply requesting users to enter a constant word (e.g., "Type 'orange' into this box") will stop the vast majority of simple spambots.
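
For the second question (how test.php checks the answer), an added example that is not part of the original post or answer: the comparison as summarised in the question beside a stricter, single-use version. The function names `loose_check` and `strict_check` and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the asker's code. Function names are hypothetical.

// The check as summarised in the question: loose comparison (!=),
// and nothing in the summary clears the stored answer afterwards.
function loose_check(array $post, array $session): bool
{
    return !(($post['captcha'] ?? null) != ($session['captcha'] ?? null));
}

// Hardened check: a challenge must have been issued, it is consumed on
// first use, and the submitted value must be a short string of digits.
function strict_check(array $post, array &$session): bool
{
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);          // single use, right or wrong

    if (!is_int($expected)) {
        return false;                    // no challenge exists for this session
    }
    $given = $post['captcha'] ?? null;
    if (!is_string($given) || !ctype_digit($given) || strlen($given) > 2) {
        return false;                    // rejects '', arrays, 'abc', '1e1', ' 7'
    }
    return (int) $given === $expected;   // strict comparison, int to int
}

// Constructed inputs: [label, POST data, session data]
$cases = [
    ['correct answer',              ['captcha' => '7'], ['captcha' => 7]],
    ['wrong answer',                ['captcha' => '8'], ['captcha' => 7]],
    ['empty field, no challenge',   ['captcha' => ''],  []],
    ['field missing, no challenge', [],                 []],
];
foreach ($cases as [$label, $post, $session]) {
    printf("%-28s loose=%-5s strict=%s\n", $label,
        var_export(loose_check($post, $session), true),
        var_export(strict_check($post, $session), true));
}

// The same POST submitted twice against one session.
$session = ['captcha' => 7];
$first   = strict_check(['captcha' => '7'], $session);
$second  = strict_check(['captcha' => '7'], $session);
printf("resubmission: first=%s second=%s\n",
    var_export($first, true), var_export($second, true));
```

In test.php the hardened version would be called as `strict_check($_POST, $_SESSION)` after `session_start()`, with a new challenge generated each time the form is rendered.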