[Solar-talk] Image Captchas and RTE's
Clay Loveless
clay at killersoft.com
Thu Aug 3 08:25:17 PDT 2006
On Aug 3, 2006, at 8:06 AM, Rodrigo Moraes wrote:
> Clay, that's a good question. I would just reuse an implementation I
> currently have, which uses a key to look for a valid solution in a
> database:
>
> <input name="captcha_key" type="hidden" value="ccb53...long hash...
> 5902" />
> <input type="text" name="captcha_solution" value="" />
>
> When the form is submitted, that row in the "captcha" table is read to
> check if the solution matches. I haven't looked for other
> implementations; and now that you asked... perhaps only the hash would
> be enough?
I think the way I would approach this would be something like a
public key/private key system.
1. Solar.config.php has:
$config['Solar_Captcha_Private'] = 'secret';
2. Generate random string for captcha: $rand
3. $hash = md5($rand . $config['Solar_Captcha_Private']);
4. Generate image that displays $rand, save in tmp dir w/filename
$hash.png
5. Send form with image tag to display $hash.png, field for input of
captcha, hidden input w/$hash as a string ($inputhash).
6. Validate form submission:
if (md5($input . $config['Solar_Captcha_Private']) === $inputhash) {
$valid = true;
}
7. Some cleanup process to clear out old captcha $hash.png images
every so often.
As an add-on, if you wanted to make sure that your captchas expired
after a certain period of time, do the cleanup process a couple of
times throughout, and make sure that the $inputhash not only matches
md5($input.$config['Solar_Captcha_Private']), but also has a file
that hasn't been cleaned out. That eliminates the issue of someone
using stale captchas in some sort of brute force attack.
No sessions, no DB.
On the flip side, using a session variable for the $hash instead of
putting it in a hidden input increases the likelihood that the
intended person is testing against their specific hash.
-Clay
--
Killersoft.com
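The stateless scheme from the numbered steps above, with the "file must still exist" expiry check from the add-on, as an added Python example (not code from the Solar project or from anyone in this thread). It assumes HMAC-SHA256 in place of the md5($rand . $secret) concatenation, placeholder values for the private key, tmp directory and cleanup age, and it deletes the image on a successful check so a solved captcha cannot be replayed inside the cleanup window.

```python
import hashlib, hmac, os
import secrets, string, tempfile, time

# Assumed placeholder values standing in for the config and tmp dir in the mail.
PRIVATE_KEY = b"example-private-key"   # $config['Solar_Captcha_Private']
IMAGE_DIR = tempfile.mkdtemp()         # tmp dir that holds $hash.png
MAX_AGE_SECONDS = 300                  # age after which cleanup removes an image

def make_hash(solution):
    # The mail uses md5($rand . $secret); HMAC-SHA256 is the keyed-hash form
    # of the same idea and is the variant assumed here.
    return hmac.new(PRIVATE_KEY, solution.encode(), hashlib.sha256).hexdigest()

def issue_captcha(length=6):
    """Steps 2-4: random solution, its hash, and the $hash.png file."""
    alphabet = string.ascii_uppercase + string.digits
    rand = "".join(secrets.choice(alphabet) for _ in range(length))
    h = make_hash(rand)
    # A real implementation renders an image of `rand` here; this only
    # creates the file whose existence means "not yet cleaned out".
    with open(os.path.join(IMAGE_DIR, h + ".png"), "wb") as f:
        f.write(b"")
    return rand, h

def cleanup(now=None):
    """Step 7: delete images older than MAX_AGE_SECONDS; return the count."""
    now = time.time() if now is None else now
    removed = 0
    for name in os.listdir(IMAGE_DIR):
        path = os.path.join(IMAGE_DIR, name)
        if now - os.path.getmtime(path) > MAX_AGE_SECONDS:
            os.remove(path)
            removed += 1
    return removed

def validate(user_input, input_hash):
    """Step 6 plus the add-on: the hash must match AND the image must still
    exist. The image is removed on success so a solved captcha is single-use."""
    # Constant-time compare first: only a hash we computed ourselves (plain
    # hex) ever reaches the filesystem path below, so the form field cannot
    # steer os.remove() at an arbitrary file.
    if not hmac.compare_digest(make_hash(user_input), input_hash):
        return False
    path = os.path.join(IMAGE_DIR, input_hash + ".png")
    if not os.path.isfile(path):  # cleaned out (expired) or never issued
        return False
    os.remove(path)
    return True
```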