Designing a Captcha System with PHP and MySQL

Spam is a really serious problem. If you fail to correct this issue with your website or blog, spammers and possibly malicious hackers will take over your domain. The following things can happen:

• If spam is uncontrolled, it can hurt the good visitors to your site. A classic example of this is when a spammer puts a link on your site that points to a malware-infected site, in the hope that visitors might click that link -- which in turn will infect the good visitor's computer.
  
  
• Your reputation will be affected. If you let those spammers make comments on your site, it will cause others to wonder how serious you are about presenting great content.
  
  
• Spammers and malicious types could hack your site, for example using a MySQL injection.

   

There are basically two ways you can generate captcha using PHP. One uses PHP alone; the other can be done using a MySQL database.

This tutorial is intended for an independent web developer needing protection from spam using captcha.

PHP Captcha generation: Basic Principles

Without using a database, one can generate captcha using PHP with GD support enabled. PHP needs GD support to be enabled to perform image processing tasks, such as the generation of captcha images. You can, however, check to see if the GD support was enabled in your Apache server by uploading a script with the phpinfo() function on the root directory, such as the one below:

<?php

echo phpinfo();

?>

Then open it in the browser. For example, if your domain is http://www.domainname.com , then all information about the PHP you are using will be available by typing:

http://www.domainname.com/phpinfo.php

Go to the GD support portion of the PHPinfo results. Yous should see something like the screen shot below:

If you do not have GD support enabled, contact your web hosting agency and ask them to turn it on. If this is not possible, you will need to generate captcha and store images using MySQL, which will not use GD support. This will be discussed in the last part of the tutorial.

Please take this piece of security advice: Remove the phpinfo.php in your server after getting this information. Letting the public access your phpinfo.php poses a security risk.

Suppose you have GD support enabled, which should be true in all cases. You can use the following strategy to generate captcha:

1. You need a separate PHP file containing the script that will solely generate the captcha images. This file will be stored in the local server in the same path as the PHP form script.
   
   
2. You will be calling this PHP script file in the form. When it is called, the captcha images will be displayed on the form. 
   
   
3. Using PHP sessions you can store the generated string to a session variable, which will then be compared with the actual answer by the query. 

The form can only be processed if the captcha has been entered correctly. Only humans have the ability to get text information from images; this is what separates bots from humans.