
reCAPTCHA

I’ve seen this implemented dozens of times on various sites to try and halt the march of automated agents of one form or another – but I’d not realised at all how “easy” it was to implement for yourself – not to mention how cheap ! I’ve spent an inordinately long time reworking the company website ( http://www.thinking-security.com ) and, now that it is up and running, I’ve found that the spam bots are happy to fill my inbox with prime examples of literary genius – I’ve deleted them all, so unfortunately I can’t give an example, but trust me on this, they aren’t Shakespeare …

In any case, the whole concept of reCAPTCHA is to determine whether the client accessing a page function is a living flesh and blood client ( i.e. a human ) or a machine ( e.g. a spambot ) – in the reCAPTCHA case it comes down to the client’s ability to read a blurry word and to enter the corresponding text into the box. The clever part of this particular test is that it aids in the digitisation and OCR of a library of texts – the test is made up of two parts – one scanned word for which the digitised text is known, and one for which it isn’t – not only does this mean that it is very unlikely that a machine agent will be able to read at least one of the words, it gradually builds a library of words that can be successfully digitised. There is more about the way that it works here ( http://recaptcha.net/learnmore.html ) and it is free to sign up …

My implementation is probably the most straightforward that you can have ( although it _still_ took _me_ ages to get it working ! I’m not a PHP programmer even slightly … ) with a simple reCAPTCHA display on my webmail form that is required before the user can submit a mail ( http://www.thinking-security.com/contact.html ). The code to display it is as follows :

<script>
 var RecaptchaOptions = {
  theme : 'clean',
  tabindex : 2
 };
</script>

<script type="text/javascript"
 src="http://api.recaptcha.net/challenge?k=6LeuxAcAAAAAALQs9_GdpbsTDl6YiNQKI_e8Fyjn">
</script>

<noscript>
 <!-- fallback for browsers without JavaScript: the challenge is shown in an iframe
      and the answer is typed into the textarea below it -->
 <iframe src="http://api.recaptcha.net/noscript?k=6LeuxAcAAAAAALQs9_GdpbsTDl6YiNQKI_e8Fyjn"
  height="300" width="500" frameborder="0"></iframe><br>
 <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
 <input type="hidden" name="recaptcha_response_field" value="manual_challenge">
</noscript>

This simply puts a box on the page with the two words ; the options script allows a few little details such as the colour and the language of the challenge to be set, and the rest of the code is pulled from the reCAPTCHA site. You can see the public key clearly here, which, as it is a public key, is completely fine – the private key is kept in the processing script below, which I’ll be redacting 😉 This is a PHP script which, as well as doing the reCAPTCHA authentication, actually bungs me the e-mail via sendmail as well.

<?php

require_once('recaptchalib.php');

$privatekey = "redactredactredactredactredact";

$to      = "info@thinking-security.co.uk";
$subject = "Thinking Security Contact Form";

// Fields as submitted by the contact form
$name_field      = $_REQUEST['name'];
$email_field     = $_REQUEST['email'];
$telephone_field = $_REQUEST['phone'];
$regarding_field = $_POST['regarding'];
$comments_field  = $_REQUEST['enquiry'];

// Ask the reCAPTCHA service whether the answer matches the challenge it issued
$resp = recaptcha_check_answer($privatekey,
                               $_SERVER["REMOTE_ADDR"],
                               $_POST["recaptcha_challenge_field"],
                               $_POST["recaptcha_response_field"]);

if ($resp->is_valid) {
    // Anything that ends up in the mail headers must not contain CR/LF, or a
    // line break in the name or address would start a new header. This check
    // has to run BEFORE mail() is called to be of any use. (ereg() is
    // deprecated, so preg_match() is used here.)
    if (preg_match("/[\r\n]/", $name_field) || preg_match("/[\r\n]/", $email_field)) {
        header('Location: error.html');
        exit;
    }

    $body = "$name_field\n$email_field\n$telephone_field\n$regarding_field\n\n$comments_field\n";

    mail($to, $subject, $body, 'From: ' . $name_field . ' <' . $email_field . '>');

    header('Location: success.html'); // where they go after the message is sent
    exit;
} else {
    header('Location: error.html');
    exit;
}

?>

And that, ladies and gentlemen, is it – a quick and easy ( and relatively dirty when you look at the e-mail parts of the script ! ) reCAPTCHA authentication for your web-based e-mail scripts. There is plenty more information for many different languages ( including Perl, which for some unknown reason best not disclosed I didn’t use ) so you should be able to integrate it without issue.
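As an added illustration ( not code from the post or from the reCAPTCHA library ), here is the same flow written out in Python : the legacy verify exchange that recaptchalib.php wraps, and a form handler that checks the CAPTCHA, then refuses CR/LF in the header fields, and only then sends. The verify URL is the one the v1 library posted to and that service has since been shut down, so `post_fn` and `send_fn` are injected stand-ins and `info@example.invalid` is a placeholder address.

```python
from urllib.parse import urlencode
from urllib.request import urlopen
import re

# Legacy (v1) verify endpoint that recaptchalib.php posted to at the time;
# the service has since been shut down, so post_fn is injected for offline use.
VERIFY_URL = "http://api-verify.recaptcha.net/verify"
CRLF = re.compile(r"[\r\n]")  # a line break in a header value starts a new header

def default_post(url, params):
    """POST form-encoded params and return the response body as text."""
    with urlopen(url, urlencode(params).encode()) as resp:
        return resp.read().decode()

def check_answer(private_key, remote_ip, challenge, response, post_fn=default_post):
    """Return (is_valid, error_code), mirroring recaptcha_check_answer().

    The verify service replies with two lines: "true" or "false" first,
    then an error code such as incorrect-captcha-sol on failure.
    """
    if not challenge or not response:
        return False, "incorrect-captcha-sol"  # the PHP lib short-circuits here too
    body = post_fn(VERIFY_URL, {"privatekey": private_key, "remoteip": remote_ip,
                                "challenge": challenge, "response": response})
    lines = body.split("\n")
    if lines[0].strip() == "true":
        return True, None
    return False, (lines[1].strip() if len(lines) > 1 else "unknown")

def handle_contact(form, remote_ip, private_key, post_fn=default_post, send_fn=None):
    """Return the redirect target. Order matters: verify the CAPTCHA, then
    refuse CR/LF in fields that become mail headers, and only then send."""
    ok, _ = check_answer(private_key, remote_ip,
                         form.get("recaptcha_challenge_field", ""),
                         form.get("recaptcha_response_field", ""), post_fn)
    if not ok:
        return "error.html"
    name, email = form.get("name", ""), form.get("email", "")
    if CRLF.search(name) or CRLF.search(email):
        return "error.html"  # would otherwise smuggle extra headers in via From:
    body = "\n".join([name, email, form.get("phone", ""),
                      form.get("regarding", ""), "", form.get("enquiry", "")])
    if send_fn:  # hypothetical mail sender standing in for PHP's mail()
        send_fn("info@example.invalid", "Contact Form", body, f"From: {name} <{email}>")
    return "success.html"
```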
