Tuesday, August 18, 2009

PHP Add Captcha Protection To Web Forms

SkyHi @ Tuesday, August 18, 2009
I own a small business website. However, bots started abusing my forms, such as contact.php. How do I stop bots from abusing my site? How do I tell if a PHP form is submitted by a person or a script?

You need to use a Captcha, which is a type of challenge-response test you use to ensure that a response is not generated by a bot. There are plenty of libraries provided for PHP. I recommend the reCAPTCHA PHP Library, which provides a simple way to place a CAPTCHA on your PHP forms and stop bots from abusing them. It works with the reCAPTCHA API.

Step # 1: Get reCAPTCHA API Library

Visit the reCAPTCHA website to sign up for an API key (it is free). Please note down your private and public keys.

Step # 2: Download and Install reCAPTCHA PHP

Download the reCAPTCHA library from the Google Code repo:
$ cd /tmp
$ wget http://recaptcha.googlecode.com/files/recaptcha-php-1.10.zip
Unzip recaptcha-php-1.10.zip, enter:
$ unzip recaptcha-php-1.10.zip
Finally, copy recaptchalib.php to the directory where your forms live. For example, if your contact.php is at /var/www/html, copy recaptchalib.php as follows:
$ cp /tmp/recaptcha-php-1.10/recaptchalib.php /var/www/html

Step # 3: Test It

Create a PHP script as follows:

<html>
<head>
<title>Sample Email Form</title>
<script type="text/javascript">
// Client-side convenience check only; a script that POSTs directly never runs it.
function checkForm() {
    if (document.forms.myphpform.elements['yname'].value.length == 0) {
        alert('Please enter a value for the "Name" field');
        return false;
    }
    if (document.forms.myphpform.elements['email'].value.length == 0) {
        alert('Please enter a value for the "Email" field');
        return false;
    }
    if (document.forms.myphpform.elements['message'].value.length == 0) {
        alert('Please enter a value for the "Message" field');
        return false;
    }

    return true;
}
</script>
</head>
<body>
<form action="?done=1" method="post" name="myphpform" onSubmit="return checkForm()" >
<table border="0">
<tr>
<td>Your Name:</td>
<td><input type="text" name="yname" size="50" maxlength="50" value="" /></td>
</tr>
<tr>
<td>Your Email:</td>
<td><input type="text" name="email" size="50" maxlength="50" value="" /></td>
</tr>
<tr>
<td>Message:</td>
<td><input type="text" name="message" size="50" maxlength="50" value="" /></td>
</tr>
<tr>
<td>Are you a human being?</td>
<td>
<?php
// recaptchalib.php was copied next to this script in Step # 2
require_once('recaptchalib.php');

$publickey = "YOUR-PUBLIC-KEY";
$privatekey = "YOUR-PRIVATE-KEY";

$resp = null;
$error = null;

# are we submitting the page?
if (isset($_POST["submit"])) {
    // Verify the visitor's answer server-side against the reCAPTCHA API
    $resp = recaptcha_check_answer($privatekey,
                                   $_SERVER["REMOTE_ADDR"],
                                   $_POST["recaptcha_challenge_field"],
                                   $_POST["recaptcha_response_field"]);

    if ($resp->is_valid) {
        $to = "you@example.com"; // placeholder recipient: use your own mailbox
        $subject="Feedback from example.com";
        $body=" Message via webform:

Name: " .$_POST["yname"] . "\n

Email: " .$_POST["email"] . "\n

Message: " .$_POST["message"] . "\n";
        /* send email */
        mail($to, $subject, $body);
        echo "<p>Email sent!</p>";
    } else {
        echo "Sorry cannot send email as you've failed to provide correct captcha! Try again...";
    }
}
// Render the CAPTCHA widget inside the form
echo recaptcha_get_html($publickey, $error);
?>
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="submit" value="submit" /></td>
</tr>
</table>
</form>
</body>
</html>
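
The checkForm() function in the script runs only in the browser, so a script that POSTs straight to the form never executes it. The following is an added example (not part of the original post or of recaptchalib.php) of a server-side counterpart; validate_contact_form() is a hypothetical helper, and the field names and 50-character limit are taken from the form on this page.

```php
<?php
// Added example, not from the original post or recaptchalib.php.
// validate_contact_form() is a hypothetical helper; the field names and
// the 50-character limit are taken from the form on this page.
function validate_contact_form(array $post)
{
    $labels = array('yname' => 'Name', 'email' => 'Email', 'message' => 'Message');
    $errors = array();
    $clean  = array();

    foreach ($labels as $field => $label) {
        // Missing keys and non-string values (e.g. yname[]=x) count as empty.
        $value = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';

        if ($value === '') {
            $errors[$field] = "Please enter a value for the \"$label\" field";
        } elseif (strlen($value) > 50) {
            // maxlength="50" is enforced only by the browser (strlen counts bytes).
            $errors[$field] = "The \"$label\" field is limited to 50 characters";
        } elseif ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            // Single-line fields: a line break here could alter mail headers
            // if the value were ever used in one (for example Reply-To).
            $errors[$field] = "Line breaks are not allowed in the \"$label\" field";
        } elseif ($field === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[$field] = 'Please enter a valid email address';
        } else {
            $clean[$field] = $value;
        }
    }
    return array('errors' => $errors, 'clean' => $clean);
}

// Constructed sample input: a direct POST that never ran checkForm().
$sample = array('yname' => '', 'email' => "user@example.com\r\nextra", 'message' => 'Hello');
$result = validate_contact_form($sample);
print_r($result['errors']);
```

In the contact script, build $body from $result['clean'] and call mail() only when $resp->is_valid is true and $result['errors'] is empty.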


Sample Output:
Fig.01: PHP Captcha in Action

You can see a working captcha example by visiting this url.

Reference: http://www.cyberciti.biz/faq/php-captcha-class-simple-php-captcha-example/