Misstep 10: The CAPTCHA That Couldn’t

Everybody of any technical ability is familiar with CAPTCHAs, where you enter impossibly squiggly words into a box, just to find out it was case-sensitive and that the “q” was actually a “g”. Or, where you select traffic signals, palm trees, or cars.

We’re all just training Google’s AI in the end.

Well, I understood the fundamentals of how this worked back on my forum site I built in 2006 (take a look at last week’s “Misstep” post for more on that).

  • Must consist of images, not text, that was obfuscated
  • Should still be readable to the end user
  • User’s cannot create an account without passing this challenge.

So let’s go ahead and take a look at how terribly I screwed the pooch on this one:

$rnd = rand(0,99999);

$x = strlen($rnd);
for ($i=0; $i<=$x; $i=$i+1)
	$tmp = substr($rnd,$i,1);
	echo "<img src='http://example.com/site/images/verif/" . trim($tmp) . ".png' border='0' />";
	//echo $i . "x" . $rnd;

echo "<input name='vconf' type='hidden' value='" . $rnd . "'></input>";


$i==0; … Yeah man, I don’t know why I didn’t watch my equals signs. n00b I guess.

So, lets chat about how I implemented this:

  • I randomly grabbed a number between “0” and “99,999”
  • Depending on how many characters were in the number, I would output that many numbers within my CAPTCHA, using disparate images. Yeah, I still have them…
My MSPAINT was better than my PHP
  • Finally, populate the input field “vconf” with the random number we generated.

What is a CAPTCHA?

CAPTCHA, or “Completely Automated Public Turing test for telling Computers and Humans Apart” simply provides a challenge where a computer cannot leverage Optical Character Recognition (OCR) to convert an image into text. The entire goal is to make the CAPTCHA information unreadable to a machine.

And yet, here I am, storing that value both within a hidden field, and also within the filenames output to the screen. I didn’t make a machine challenge, I made a human annoyance.

I only accomplished annoying my loyal users

So, in the end, I leveraged the reCaptcha library, because often times you’ll find that there are just people who know how to do it better than me.

Stay tuned for next Tuesday where I chat up even more of my terrible skills.

About Author

Robert Lerner

Leave a Reply

Your email address will not be published. Required fields are marked *