
1 Apr 01, 2006 17:20    

OK, so I whacked out a script in POVray last night to generate 50 captchas (I let it run an hour - I can potentially crank these out by the hundreds), some samples of which look like:

http://www.penguinpetes.com/captcha_images/1.jpg
http://www.penguinpetes.com/captcha_images/2.jpg
http://www.penguinpetes.com/captcha_images/3.jpg

now, my plan is to load them into a directory on my site, change their names to something generic, make a list of the generic filenames and the "correct answer" strings to each one, and then have a PHP script which selects the image at random, looks up the correct answer in the table, and presents the user with the simple text entry form. If passed, they go on to the comment form (or maybe I'll just require it for becoming a member, and let only members post comments). If it doesn't pass, give the user three chances...but what do you do if the user has failed all tests? Close the browser window? Redirect them to a "goodbye" page?

I have a feeling I'm being completely naive about this. Would my plan work? What would be required of my host's server to generate the images on the spot, and hence use a ready-made package like what I'd find at hotscripts.com?

2 Apr 01, 2006 17:43

Hi Penguin. There is already a [url=http://forums.b2evolution.net/viewtopic.php?t=2976]captcha hack[/url], and in the next release there will be a captcha plugin. Having said that, there is no reason at all why your method won't work. I guess technically it's a bit easier since your server doesn't have to generate images on the fly, but that's only a technical guess.

What you do upon failure is up to you. I say send the visitor back to the comments page with their comment intact so they can try again - and again - and again - until they get it right or give up. Keep in mind the only people trying are real people. Spam-bots won't go through the effort. Er... real people that can see and allow images.

Anyway there's no reason why it won't work. I guess the only issue would be how can anyone and everyone out there get pre-made captcha images like that? Would you consider whipping up a hack/plugin that has a few hundred of these images available?

3 Apr 01, 2006 17:58

"Would you consider whipping up a hack/plugin that has a few hundred of these images available?"

Joy...My total experience with PHP so far is four tutorial demos and a template edit, now people want my work... OK, anything I come up with I'm happy to share, but I can't promise doodly.

I would love with all my heart to share the POVray script, but users would need POVray and perhaps the modeler, and it needs some human interaction to run each instance, and you'd also have to hack it to read the fonts from wherever you had them on your setup...generally, it works for me, but it would be sadistic to expect somebody else to deal with it...

But I'll be only too happy to share the generated images! Perhaps I should just create a new page on my site to post them all, and give everybody a link there? Or should I upload a tarball to this forum for download?

And what about the stuff I hear about work-arounds for captchas? I've heard there are scam sites out there which flash a captcha and ask a user to type it in, and thereafter that image is "tainted" because a spammer knows what it is. For that matter, if I leave the picture named after its string (as I did with the three posted here) couldn't a script find out the names of the images, i.e. with curl or wget? Or is all this just rumors?

4 Apr 02, 2006 00:13

Update:

OK, I did "v2.0" of the POVray program and gave it a BASH frontend. Now, I just type "Captcha.sh 100" for 100 images and leave it buzz. Then I can go through them with a gallery viewer like gthumb and weed out the ones that turn out too illegible - I have it knocked down to only 8% rejects. When I'm satisfied with the batch, I run a post-processor which generates the codes in a textfile list and renames each picture in sequence "1.jpg, 2.jpg" etc. So, according to http://www.tutorialstream.com/tutorials/php-mysql/basic_random_image.php , I can then pick a $RANDOM, use that as both the image filename and the line number of the codelist to get the "correct answer", and it should work.

If this works, I'll post the code. If it doesn't work, send St. Bernards w/ whiskey barrels.

5 Apr 02, 2006 15:30

OK, I gotta ask: which file is it that contains the code to generate the comments form? I have a simple proof-of-concept at http://www.penguinpetes.com/test.php *note: because the form calls itself, it will always show 'fail', but you can see it knows which picture it's displaying because I have it echoing the code right beside the picture! Now all I need is to snuggle it right under the posting form, and have the same gizmo that checks if the user entered a valid email - a similar trap could fail on noting the code isn't filled in. Just need to know which part does that for all skins...

pictures are @ http://www.penguinpetes.com/captcha_images/ if y'all wanna scoop 'em...my image generator is fully automated, so I can leave it run all night if need be; just ask and I can dump a bunch more there, I have plenty of room on my host.

But all of this might not be permanent, if this doesn't work out.

6 Apr 02, 2006 19:07

Either skins/_feedback.php or skins/skinname/_feedback.php will make the form the visitor fills in. htsrv/comment_post.php is where all the checks on the submitted form are done.

7 Apr 03, 2006 23:50

Got it! To see a demo, try posting a comment at [url=http://www.penguinpetes.com/b2evo/index.php]my blog[/url]. It uses ALL-CAPS letters and the #s 2,3,4,6,7,8,9 - leaving out 0,1,5.

And the code:


<?php
    global $Ccode;
    $Cimages = 92;                                   // pre-rendered images, named 1.jpg .. 92.jpg
    $Cpath   = "http://www.penguinpetes.com/captcha_images/";
    $Crandom = rand(1, $Cimages);                    // pick one image at random
    echo "<img src=\"$Cpath$Crandom.jpg\" vspace='10' hspace='10'>";
    // codelist holds one answer per line; line N is the answer for N.jpg
    $Ccodelist = file('http://www.penguinpetes.com/captcha_images/codelist');
    $Ccode = rtrim($Ccodelist[$Crandom - 1]);        // drop the newline file() keeps on each line
?>
<p>Enter security code: <input type="text" name="Cusercode"></p>
<input type="hidden" name="Ccode" value="<?php echo T_($Ccode) ?>" />

Which goes in /b2evo/skins/_feedback.php way at the bottom, just after the opening "fieldset" tag and before the "div class=input" tag. Replace my http :// addresses with the path to your captcha images folder and codelist, respectively.

Then put:


// reject a missing code as well as a wrong one
if (!isset($_POST['Cusercode']) || $_POST['Cusercode'] != $_POST['Ccode'])
{
    errors_add(T_('Security code invalid'));
}

in /b2evo/htsrv/comment_post.php anywhere around the other checks for no-email, empty post, etc. (I put mine right between the empty comment check and the flood protection.) It's crude and primitive, but it works. I still need to clean up the system (like decide whether to use all-letters, numbers, what) and write in instructions to the user and apologies for the inconvenience, and other dressing.

Now, this next part...I posted my system for generating the captcha images and codelist at [url=http://www.penguinpetes.com/pages/code_list.html]my code dump[/url], in the form of two Bash scripts and some POVray code which the Bash script uses to generate the .pov file that POVray will need. It really can take "Captcha.sh 500" at the command line to produce 500 captchas or whatever number you choose! The downside is, users who (a) do not run Linux/Bash, (b) do not have POVray or ImageMagick, or (c) aren't handy with either will be left out! Go ahead and try if you're brave and have POVray installed; they are "Captcha.sh", "captcha_include", and "post_captcha.sh", and the comments are pretty verbose. They will require some tweaking to get them to run on your system depending on where your fonts are, what characters you want to use, etc.

Links to: [url=http://www.povray.org/]POVray[/url]
Some distros which have it: [url=http://www.slackware.com/]Slackware[/url] install,
[url=http://www.mediainlinux.org/]Media-in-Linux[/url] live CD. Most any Linux distro will have both Bash and ImageMagick; come to that, you don't *have* to convert .png's to .jpg's, but they do load faster!

This part's just screaming for a better front-end - I'm sorry I couldn't come up with a more user-friendly solution.

8 Apr 04, 2006 00:20

Just a quick note:
You should not post the public and secret key both through POST - one would just have to look at the source code and get the secret key out of the hidden field.

Instead, you'll have to use a "salted public key", which could just be the number of the entry in your image files list - but that would also be quite simple, if you do not delete used keys.

The most secure solution would be, to store the "secret key" (what has to be typed in), in the user's session - just use the $_SESSION superglobal (after doing session_start()).

You might want to take a look at the Captcha plugin that will be available for "Phoenix":
http://svn.sourceforge.net/viewcvs.cgi/evocms-plugins/captcha_img_plugin/trunk/

9 Apr 04, 2006 02:36

Since there is a limited number of CAPTCHA sequences, a spammer can perfectly well enter one once into its robot, then submit its spamming comment until it is accepted. If you have generated 500 images, then a spammer can submit all of his spamming comments by submitting on average 250 times the same comment with the same "resolved" CAPTCHA before it is accepted by your blog.

To be efficient, the CAPTCHA should make it more expensive for the spammer to spam your blog than it is worth. Why not generate the CAPTCHA on the fly?

(Having said that, I'm still wondering how spamming blogs can be efficient in any way to bring customers anywhere... never mind...)

10 Apr 04, 2006 06:57

Uh, yo! This is *totally* my first go doing anything security oriented, OK? That being said, thank you all for your input, I'm also just learning PHP. In fact, this is my *very* *first* PHP program outside of tutorial lessons. So, uh, like, excuse my retardedness.

Now then:

Why not generate the CAPTCHA on the fly?

No reason why not, except that somebody in here posted about not being able to do that on their server. They asked me if I could slap something together, and I said "fun exercise, wonder if I can?"

Since there is a limited number of CAPTCHA sequences...

Excellent point! My idea was that with the POVray dingus on your own machine, you could conceivably crank out 500 *new* ones per week, per day, or whatever's your requirement. But that's kinda silly, isn't it? One should not have to invest such resources. OK, and then the image is picked fresh and new each time, so with no control over which picture will display my known sequence, but given on each failure, they could just hit the back button and try again with the same image...what do you suggest? Count 5 failed attempts, and then boot 'em out? How do you boot out a user? And set a timeout so they can't come back? With a cookie?

You should not post the public and secret key both through POST - one would just have to look at the source code and get the secret key out of the hidden field.

Instead, you'll have to use a "salted public key", which could just be the number of the entry in your image files list - but that would also be quite simple, if you do not delete used keys.

*smacks forehead* That's right! I could just pass the $Crandom value to _comment_post and have *it* look it up in the list! I intend turning off public read permissions of the codelist for future use, sooooo....would that be good enough, then?

You might want to take a look at the Captcha plugin that will be available for "Phoenix":

Given my own inexperience, that's probably a good idea, folks.

Call me kamikaze, but I'm going to rework this to implement and address as many of the points raised here as I can and continue using this on my own system, just to see what happens.
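Putting the replies in posts 8 and 10 together, here is how the two snippets from post 7 look once the answer is kept in the visitor's session instead of a hidden field, with the attempt counting and the back-button replay that Penguin asks about handled as well. This is an added example, not code from the thread or from b2evolution: the CAPTCHA_* constants, captcha_render(), captcha_check(), the session keys and the /home/user/captcha/codelist path are all assumptions, and it presumes the codelist sits outside the web root so it cannot be fetched with curl or wget, and that session_start() has already run.

```php
<?php
// Added example, not from the thread or b2evolution: the post 7 form and check
// reworked so the answer never leaves the server. Assumed names: CAPTCHA_*
// constants, captcha_render(), captcha_check(), the session keys, and the
// codelist path. Assumes session_start() has already been called.

define('CAPTCHA_IMAGES',       92);                           // 1.jpg .. 92.jpg
define('CAPTCHA_URL',          '/captcha_images/');           // web path to the images
define('CAPTCHA_CODELIST',     '/home/user/captcha/codelist'); // hypothetical; outside the web root
define('CAPTCHA_MAX_ATTEMPTS', 5);

// In _feedback.php: choose an image, remember its answer in the session, and
// emit the image plus the text field. No hidden field carries the answer.
function captcha_render()
{
    $n    = mt_rand(1, CAPTCHA_IMAGES);
    $list = file(CAPTCHA_CODELIST, FILE_IGNORE_NEW_LINES);    // line N answers N.jpg
    $_SESSION['captcha_answer'] = strtoupper(trim($list[$n - 1]));
    if (!isset($_SESSION['captcha_attempts'])) {
        $_SESSION['captcha_attempts'] = 0;
    }
    echo '<img src="' . CAPTCHA_URL . $n . '.jpg" alt="security code" vspace="10" hspace="10">';
    echo '<p>Enter security code: <input type="text" name="Cusercode" autocomplete="off"></p>';
}

// In comment_post.php beside the other checks. Returns an error message, or
// null when the code is accepted. The stored answer is discarded after every
// attempt, so hitting Back and resubmitting against the same image fails; the
// visitor gets a freshly chosen image when the form is rendered again.
function captcha_check($user_code)
{
    if (!isset($_SESSION['captcha_answer'])) {
        return 'Security code expired, please reload the form';
    }
    $expected = $_SESSION['captcha_answer'];
    unset($_SESSION['captcha_answer']);                       // one attempt per rendered image

    if (!isset($_SESSION['captcha_attempts'])) {
        $_SESSION['captcha_attempts'] = 0;
    }
    if ($_SESSION['captcha_attempts'] >= CAPTCHA_MAX_ATTEMPTS) {
        return 'Too many failed security codes, please try again later';
    }

    $given = strtoupper(trim((string) $user_code));           // images use capitals only
    if ($given === '') {
        return 'Security code missing';
    }
    if ($given !== $expected) {
        $_SESSION['captcha_attempts']++;
        return 'Security code invalid';
    }
    $_SESSION['captcha_attempts'] = 0;
    return null;
}

// Wiring in comment_post.php (errors_add() and T_() are b2evolution's own):
//   $captcha_error = captcha_check(isset($_POST['Cusercode']) ? $_POST['Cusercode'] : '');
//   if ($captcha_error !== null) {
//       errors_add(T_($captcha_error));
//   }
```

Both the answer and the failure counter live in the session, so this only holds a visitor (or script) that keeps the same session cookie; anything that throws its cookies away starts with a clean count and a new image. That is why post 9's arithmetic about a fixed pool of images still applies to this version, and why generating images on the fly, or the Phoenix plugin linked in post 8, is the longer-term answer.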

12 Apr 04, 2006 07:05

Got it! And so help me, entering new subject text in the forum comments of your average forum software didn't *used* to automatically break off and start a new thread,

the rest of this thread is in....[url=http://forums.b2evolution.net//viewtopic.php?p=35237#35237]"Yee HAH!"[/url], where, clearly, I briefly suffered from the delusion that I had solved the problem, though others were quick to point out its flaws in educational fashion.

