A very good (and free) captcha class in PHP (Recommendation)

[JoTo]

Hi DCs,

i was in need to protect a submission page of one of my projects with a captcha. So i searched for a good, easy to use, mighty, customizable and free class. I kissed a lot of frogs until i found my prince. I told Mouser in the IRC channel that i now found a very good one (IMHO). I'd better resisted to tell him, because now he urged me to write this post to annoy you all  and share my experience with it.

OK, as Mouser is root, his wish is my command And as the forum search don't showed up a mention of my finding yet, i'm now sitting here and typing. *sigh*

Well i lastly landed and went with SecurImage (http://www.phpcaptcha.org/)

SecurImage sample from my page:


Note:
This captcha is a very easy to solve one. But the "security level" is freely adjustable with every aspect of imagesize, font-facetype, count of distortion lines, amount of text distortion (twisting), text-angle, background color, text-color (even multicolor text is possible), background-image, and, and, and. Also the given audio files for playback are automatically distorted randomly every time they are played back by the class itself, so no need to fiddle around with any audio editor to get them distorted manually and end up with statically distorted audios only.

What is Securimage?

Securimage is an open-source free PHP CAPTCHA script for generating complex images and CAPTCHA codes to protect forms from spam and abuse. It can be easily added into existing forms on your website to provide protection from spam bots. It can run on most any webserver as long as you have PHP installed, and GD support within PHP. Securimage does everything from generating the CAPTCHA images to validating the typed code. Audible codes can be streamed to the browser with Flash for the vision impaired.

Features

    * Show an image in just 3 lines of code
    * Validate submitted entries in less than 6 lines of code
    * Customizable code length
    * Customizable character sets, Unicode support
    * TTF font support
    * Use custom GD fonts when TTF is not available
    * Easily add background images
    * Multi colored, distorted, and transparent text options
    * Customizable Flash button to stream MP3 audio of CAPTCHA code
    * Ability to use a word list

I must say, the package worked right out of the box nicely. Configuration took me only 10 minutes. The longest time i spent on designing my form, which you are totally free to design. No restrictions from the captcha class here.

As this was my very first fiddling with graphics in PHP i was at first a bit concerned about the GD library support requirement. I was not sure if this will work on my webspace (is it installed or not). But calm down...after a quick research i noticed that GD library is implemented in PHP for a long time by default. So if your webhoster haven't explicitly disabled GD library in his PHP installation, this class will work without any prerequisite add-on or installation of any 3rd party stuff except the files that come with the SecurImage package.

I was also capable to add full multilanguage support. Even with multilanguage audio for the visual impaired ones (DE and EN at the moment).

Well i must admit, that i ran into a problem with my german audiofiles. They won't play more than one character of the code, while the english ones, that ship with SecurImage worked well and read all characters of the code in a row. Therefore i contacted the author and got a reply within some hours with a very competent and helpful hint.

For the files (maybe helpful for others that run into this problem as well): The important thing is, that the mp3 audiofiles must not have any ID3 tag in it. The author gave me the right direction and also a (new to me) nice mp3-Tag commandline utility to get rid of the tags in my files. And...tadaaa...after that it worked in multilanguage audio without any further change in the configuration or my code.

Finally i just recommend this class highly to all who search a free, easy to use, customizable captcha class with a kind and responsive author for their PHP projects.

HTH anyone
Greetings
JoTo

PS:
As this class is open source and totally free, i think i don't have to claim that i'm not affiliated with the SecurImage project in any way. I get nothing from the author for this recommendation. I haven't found a "Donate" button on the project page yet, even if i'd gladly sent the author some bucks for his effort. I am just a very satisfied user of the class and glad that such a good piece of software is free available. That's all!

[vlastimil]

I should apologize for this post in advance. I know, you think you have found a very good thing, but I do not believe there is or ever will be a "good" captcha. They are a major annoyance for end users. Putting them on your web site is like saying "I hate you" to your visitors. Spam is your problem, you should solve it. It is not your visitor's problem. They don't care.

I have 0 captchas on my site and the level of spam I am getting is negligible. It is because my forms are protected by other means. I use invisible codes that expire after some time, I do not have the form source code in the html, but use javascript to display it. I submit the forms via ajax. This improves the user experience and prevents spam.

Google for "without captchas" and you'll get a lot of resources. It takes more time to build a site without captchas, but it is worth it.

[Ath]

Finally i just recommend this class highly to all who search a free, easy to use, customizable captcha class with a kind and responsive author for their PHP projects.

-JoTo (April 15, 2011, 02:56 AM)

Reading this very fine mini-review (IMHO), though I do nothing in php at the moment, it's surely one I'm going to remember!

[JoTo]

Hi Vlastimil,

i agree with you that captchas are annoyances. Don't tell that to me as a visually impaired person. *sigh*

But there are situations where you need them. This is my one and only captcha page for now. But it's a license request page and i don't want to get customers loose under a pile of spam. And with your code system you can't even ban a bot cover valuable mails under a mess of spams.

Furthermore i offer a direct license request way directly from the application too. You don't have to visit that page. It's just for the one's that reject to use the "normal" convinient way. And if you want to say i must agree: THAT people that don't use the recommended way i hate, yes, yes and yes!

So if we agree that captchas are bad at all, and that there ARE situations where you need one, my finding is still one of the better ones.

And as we talk about Javascript. What if you have customers with JS disabled? Doesn't that mean you hate them when you make your pages unusable without JS? E.g. in my browser JS is disabled and scripts are blocked all the time unless i allow a page to execute scripts. How annoying if i have to enable scripts all the time.

And there is no need for an excusation anywhere. Thank you for your thoughts and as you see, we aren't far away from each other, are we?

Greetings
JoTo

[cranioscopical]

i'm now sitting here and typing. *sigh*

-JoTo (April 15, 2011, 02:56 AM)

And thank you for the effort!
It's good to learn about items like this, to keep in a back pocket in case of need.

That mouser, what a slave driver! 

[vlastimil]

So if we agree that captchas are bad at all, and that there ARE situations where you need one, my finding is still one of the better ones.

And as we talk about Javascript. What if you have customers with JS disabled? Doesn't that mean you hate them when you make your pages unusable without JS? E.g. in my browser JS is disabled and scripts are blocked all the time unless i allow a page to execute scripts. How annoying if i have to enable scripts all the time.

-JoTo (April 15, 2011, 08:54 AM)

I guess, the way your use of captchas is perfectly fine. If you do not actually want people to use that form, captcha is a good way .

It is true that some of the functionality of my pages will not be available to people with JS disabled. This affects 1-2% of visitors - captchas in wrong place affect 100%. I am happy with that state, especially when the interaction with the web is way smoother for the 98-99% with JS on.

[rgdot]

In registration and contact form situations captchas are as close to ineffective as one can get, in those and most other situations one really should use a question/answer script.
As an inconvenience it is only mildly so in my opinion, I think by now most understand why they exist and accept them, it's worse if they are not effective - so later the user doesn't see its benefit - which takes us back to using question/answer.

[Renegade]

I should apologize for this post in advance. I know, you think you have found a very good thing, but I do not believe there is or ever will be a "good" captcha. They are a major annoyance for end users. Putting them on your web site is like saying "I hate you" to your visitors. Spam is your problem, you should solve it. It is not your visitor's problem. They don't care.

I have 0 captchas on my site and the level of spam I am getting is negligible. It is because my forms are protected by other means. I use invisible codes that expire after some time, I do not have the form source code in the html, but use javascript to display it. I submit the forms via ajax. This improves the user experience and prevents spam.

Google for "without captchas" and you'll get a lot of resources. It takes more time to build a site without captchas, but it is worth it.

-vlastimil (April 15, 2011, 03:45 AM)

Custom solutions always work better because any solution that gains any kind of popularity is targeted by spammers.

Form protection with custom IDs and names is fairly easy to break though. Codes are the same. I came across that on one site I was doing some automation with. It took a few extra minutes to get things working.

But using JavaScript and AJAX is a good deal better to protect things. It forces you to check the rendered document, which is more difficult than simply walking the DOM to find things.

+1 for no CAPTCHAs. They're simply horrible to deal with. I've been at sites that I couldn't figure out the CAPTCHA for. Not fun.

[mahesh2k]

I don't care for readers if they can't understand my trouble with bots and russian captcha breaker sites. I need to use captcha if captcha breaker sites or xrummer or similar sites hurt my blog or site. Economic times are very hard, if i have to choose between captcha and readers, my vote goes to captcha. Readers (which are not converting for me in terms of any value) are not helping me in any way. I have to sort spam and server load if i don't pay attention to spam bots or manual spammers. So i'm with captcha, as long as it gives me result.

[Renegade]

I don't care for readers if they can't understand my trouble with bots and russian captcha breaker sites. I need to use captcha if captcha breaker sites or xrummer or similar sites hurt my blog or site. Economic times are very hard, if i have to choose between captcha and readers, my vote goes to captcha. Readers (which are not converting for me in terms of any value) are not helping me in any way. I have to sort spam and server load if i don't pay attention to spam bots or manual spammers. So i'm with captcha, as long as it gives me result.

-mahesh2k (April 16, 2011, 07:03 AM)

I'm not sure I know what you mean there.

[Carol Haynes]

Rather than using annoying captchas why not have a random general knowledge question from a list. Choose one word answer questions that anyone with half a brain knows the answer to but bots can't do. Helps the visually impaired than because they can use a screen reader to work out what is required!

[Renegade]

Rather than using annoying captchas why not have a random general knowledge question from a list. Choose one word answer questions that anyone with half a brain knows the answer to but bots can't do. Helps the visually impaired than because they can use a screen reader to work out what is required!

-Carol Haynes (April 16, 2011, 12:13 PM)

But what would that be?

The problem is that problems like that (e.g. CAPTCHAs) are more easily solved by computers.

Lists are easily broken.

[Carol Haynes]

Lists are easily broken if they are in common use - but how about  individual lists designed for a specific website?

You could have a long list of very stupid questions like:

what colour is blue grass?

To a human the answer is obvios but not to a computer. If that question appears on one website how long is it going to take a bot to crack it?

If the website is not intended to be for locals only then you cold ask very specific questions that only locals can answer.

[vlastimil]

I do not consider questions better than awkwardly twisted words. It shall not be the user's task to prove that they are human.

Spam only works because it is automated and stock CMS solutions are low hanging fruits, especially the free ones like Wordpress or Drupal. By adding a bit of a non-standard code, the problem is solved. A spammer will not bother writing custom script for just one website. And if they do, the webmaster can react by changing a little detail. The spammer has to spam 100s of webs, while the web owner only has 1 (or a few) to care about. Web masters, who care, win easily.

(Of course, if a web site owner has dozens of sites, then I understand they would want to use captchas. In that case, I have my doubts about the quality of the sites. It takes a lot of time to maintain and add valuable content to just a single web site.)

[mahesh2k]

Rather than using annoying captchas why not have a random general knowledge question from a list.

Lists if are limited in number can be easily broken because there are sites which pays users to break captcha for 0.01$/captcha for succesful 50 breaks and 0.001 if there are mistakes. Plus there are softwares like xrummer and scrapebox which are built so effectively that they can create mass accounts to spam on forums, blog comment etc. These softwares attack at the rate 1000 comments per minute or more depending on server strength/software type. Random stupid questions are likely to work but they're limited in number and if humans are cracking captchas for low cost then they're not effective at all.

Splashpress media, Demand media and many other webmaster who employ writers to write on their sites use captchas or IP block softwares to get rid of comments which are junk or attack content. It's useless to think about non-paying reader to your content sites reputation. You've right to protect your property regardless of readers who moan/whine against anti-spam solution. That's business. Considering the attention span of readers, there are hardly any dedicated readers that sticks to any blog or (free) content website for long. Then there is google algorithm change which hurts site based on spam comment/bot attacks on forums etc. All other SEO factors are there as well which expect webmaster to get rid of that garbage with or without traffic. Captcha is the solution to consistent spam problem, so if it works we need to use it. Why bother about freebie readers if they can't understand your problem ?