Tuesday, August 18, 2009

PHP Add Captcha Protection To Web Forms

SkyHi @ Tuesday, August 18, 2009
I own a small business website. However, bots started abusing my forms such as contact.php. How do I stop bots from abusing my site? How do I tell if a PHP form is submitted by a person or a script?

You need to use a Captcha, which is nothing but a type of challenge-response test used by you to ensure that the response is not generated by a bot. There are plenty of libraries provided for PHP. I recommend the reCAPTCHA PHP Library, which provides a simple way to place a CAPTCHA on your PHP forms. It can stop bots from abusing your forms. It works with the reCAPTCHA API.
Step # 1: Get reCAPTCHA API Library

Visit the reCAPTCHA website to sign up for an API key (it is free). Note down your private and public keys.
Step # 2: Download and Install reCAPTCHA PHP

Download the reCAPTCHA library from Google code repo:
$ cd /tmp
$ wget http://recaptcha.googlecode.com/files/recaptcha-php-1.10.zip
Unzip recaptcha-php-1.10.zip, enter:
$ unzip recaptcha-php-1.10.zip
Finally, copy recaptchalib.php to the directory where your forms live. For example, if your contact.php is at /var/www/html, copy recaptchalib.php as follows:
$ cp /tmp/recaptcha-php-1.10/recaptchalib.php /var/www/html
Step # 3: Test It

Create a php script as follows:


<html>
<head>
<title>Sample Email Form</title>
</head>
<body>

<script>
// Client-side convenience check only: it runs in the browser, not on the server
function checkForm() {
    if (document.forms.myphpform.elements['yname'].value.length == 0) {
        alert('Please enter a value for the "Name" field');
        return false;
    }
    if (document.forms.myphpform.elements['email'].value.length == 0) {
        alert('Please enter a value for the "Email" field');
        return false;
    }
    if (document.forms.myphpform.elements['message'].value.length == 0) {
        alert('Please enter a value for the "Message" field');
        return false;
    }

    return true;
}
</script>
<form action="?done=1" method="post" name="myphpform" onSubmit="return checkForm()" >
<table border=0>
<tr>
<td>Your Name:</td>
<td>
<input type="text" name="yname" size="50" maxlength="50" value="" /></td>
</tr>
<tr>
<td>Your Email:</td>
<td>
<input type="text" name="email" size="50" maxlength="50" value="" /></td>
</tr>
<tr>
<td>Message:</td>
<td>
<input type="text" name="message" size="50" maxlength="50" value="" /></td>
</tr>
<tr>
<td>Are you a human being?</td>
<td>
<?php

// Load the reCAPTCHA library copied in Step # 2
@require_once('recaptchalib.php');
$publickey = "YOUR-PUBLIC-KEY";
$privatekey = "YOUR-PRIVATE-KEY";

$resp = null;
$error = null;

# are we submitting the page?
if (isset($_POST["submit"])) {
    # check the captcha answer on the server before sending anything
    $resp = recaptcha_check_answer ($privatekey,
        $_SERVER["REMOTE_ADDR"],
        $_POST["recaptcha_challenge_field"],
        $_POST["recaptcha_response_field"]);

    if ($resp->is_valid) {
        $to="you@example.com";
        $subject="Feedback from example.com";
        $body=" Message via webform:

Name: " .$_POST["yname"] . "\n

Email: " .$_POST["email"] . "\n

Message: " .$_POST["message"] . "\n";
        /* send email */
        mail($to,$subject,$body);
        echo "

Email sent!

";
        exit(1);

    } else {
        echo "Sorry cannot send email as you've failed to provide correct captcha! Try again...";
    }
}
# display the captcha widget inside the form
echo recaptcha_get_html($publickey, $error);
?>
</td>
</tr>
<tr>
<td> </td>
<td>
<input type="submit" name="submit" value="submit" /></td>
</tr>
</table>
</form>

</body>
</html>
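
The checkForm() script above runs only in the browser, so a script that posts straight to the page never executes it. As an added example (not part of the original post; the function name validate_contact_fields is hypothetical), here are the same field checks done on the server, meant to be called after the captcha passes and before mail():

```php
<?php
// Added example, not from the original post: server-side checks for the
// yname/email/message fields of the form above. Helper name is hypothetical.

function validate_contact_fields(array $post): array
{
    $clean  = [];
    $errors = [];

    foreach (['yname', 'email', 'message'] as $field) {
        // A missing key or a non-string value (e.g. yname[]=x) counts as empty.
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';

        if ($value === '') {
            $errors[$field] = 'required';
        } elseif (strlen($value) > 50) {
            // Same limit as the form's maxlength="50", enforced on the server.
            $errors[$field] = 'too long';
        } elseif ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            // Name and email are single-line fields.
            $errors[$field] = 'line breaks not allowed';
        }
        $clean[$field] = $value;
    }

    if (!isset($errors['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }

    return ['ok' => $errors === [], 'clean' => $clean, 'errors' => $errors];
}

// Constructed sample submissions: one well-formed, one as a script might send it.
$samples = [
    ['yname' => 'Alice', 'email' => 'alice@example.com', 'message' => 'Hello'],
    ['yname' => "Bob\r\nextra line", 'email' => 'not-an-email', 'message' => str_repeat('A', 500)],
];

foreach ($samples as $post) {
    $result = validate_contact_fields($post);
    echo $result['ok'] ? "accepted\n" : 'rejected: ' . json_encode($result['errors']) . "\n";
}
```

Build the mail body from the returned 'clean' values rather than from $_POST directly.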






Sample Output:
Fig.01: PHP Captcha in Action



You can see a working captcha example by visiting this url.

Reference: http://www.cyberciti.biz/faq/php-captcha-class-simple-php-captcha-example/