Securimage PHP Captcha

There is a bug in the Securimage class. the error was:

Notice: Undefined property: Securimage::$shadow_text in securimage.php on line 652

This can be easily fixing by adding

var $shadow_text

to the top of the class where you define the rest of you variables.

Thanks for pointing this problem out. The code has been updated and the fixed version is now available for download.

By Mark Bradley on Jan 16, 2008

PHP Fatal error: Call to undefined function imagecreatetruecolor() in C:\Documents and Settings\*&^*\My Documents\*&%^&*\*(^&*\Secure\Captcha\securimage.php on line 475

This function might not be available if you have an older PHP and GD version, or no GD support at all. Try running the server test script and see if you have GD support. If you do, then you can probably change the “imagecreatetruecolor” to just “imagecreate” and it will work okay. To enable GD support on Windows, you should edit the php.ini file that is used and uncomment the line that has ;extension=php_gd2.dll by removing the semi-colon.

By Mark on Jan 23, 2008

where and how is a custom image used as a background for the captcha?

Thank you
Michael

In securimage_show.php, there is a call to $img->show(), which lets you pass an image file to be used for the background.

$img->show('/home/mysite/www/images/bg.jpg'); // This is an example of using a background image

By MIchael on Jan 31, 2008

Hi,

Congratulations for this great script.
It’s just what I’ve been looking for.

The thing is though, it works (captcha doesn’t fail) when I test my site on local machine (localhost) but when I upload the site on my server, captcha fails even if I enter the correct message.
Must have something to do with Sessions.

Looking forward for a reply!

Keep up the good work guys!

You are probably right that it has to do with sessions but without seeing any code it is hard to determine exactly where the problem is.
Securimage will try to grab an existing session if there is one, and if not it will try to start its own. The problem with this is if there is no session in place and your validation script already outputs data (i.e. header HTML) before a new Securimage object is created, then the session_start inside Securimage fails and outputs an error if errors are configured to display in php.ini.

<?php session_start(); ?>

<?php error_reporting(E_ALL); ini_set('display_errors', 'on'); ?>

I would try number 1 first because I think that will fix it for you. If not try two and if you still can’t get it working post back with any new information and I will see what I can do for you.

By Theodor on Feb 5, 2008

Hi,

Am trying to integrate Securimage into my site which uses Tectite FormMail. I’ve got the CAPTCHA displaying fine but am struggling with the validation as new to PHP and am not sure exactly where to place the code in the form handler script (it’s 9,883 lines long!). If I supply a copy of the file is anyone able to point me in the right direction?

Cheers

John

By alphabetsolutions on Feb 7, 2008

Hi,

I have successfully implemented Securimage into my request a quote page. I was getting bombarded with form injection spam so this will be a great defense. The way the script currently works on my site is the validation is of the captcha entry is performed on the estimate page. This is the final page where the total is displayed and a copy is emailed to me.

How would I implement this to stay on the page that has the submit button? I would like if there was an error to just show an error message, stay on the same page and not allow the user to even get to final estimate page? Unless captcha entry is correct that is!

Also, how do you get the single captcha field to be cleared when the error occurs?

This script was by far the easiest of the many I have tried!

Thanks for an awesome product!

Something like that could be done using AJAX, but since spambots tend not to pay any attention to JavaScript, the most secure method is purely server-side validation. Typically when I do web forms similar to yours, I have the form post back to the same PHP script so that if there are any errors, I have all the form field values available and can simply re-display the form with the appropriate error messages and repopulate it with the values entered by the user. Without modification to the Securimage code itself, there is no completely safe way to do Ajax validation but I think it would be good functionality to add to the upcoming version.

 <input type="text" name="name" value="<?php echo @$_POST['name']; ?>” />

If you have any other questions feel free to leave a comment with them or get in touch using the email address in the README.txt file that came with the script.

By Paul on Feb 16, 2008

I have tried this script and it works very well.
There is just a problem with multiple use of the class :
1. user A open the form, he start filling it and enter the captcha code he see (first request for secureimage_show)
2. user B open the same form (second request for secureimage_show)
3. user A send its form, the check method will try to match the captcha code entered by the user A and the the last captcha code created (those which is display on the user B form)
4. user A must reload an image or entered the user B captcha code…

I hope it’s clear enough

Each Captcha code is stored in a PHP session file which is unique to each user and is based on a cookie. Because of this Captcha codes generated by other people seeing the image do not affect other codes. Each user however, can only have one code assigned to them so if they load the image once on the form and then view it again by the URL, the code showing on the form is no longer valid. Perhaps this is where the confusion came from?

By vichenze on Feb 19, 2008

hi, and thx for your code.
im trying to implement it at
http://www.micromediaargentina.com.ar/formularios-varios/validacion-de-formularios/sec/contactar-comprar-online.php

which then ( using: method=”get” )goes to :

http://www.micromediaargentina.com.ar/formularios-varios/validacion-de-formularios/sec/procesar-comentarios-cotizaciones.php

im always getting the CODE WAS WRONG, error message.

is ok at the beggining of the message..

the FORM CODE is here:
http://www.micromediaargentina.com.ar/formularios-varios/validacion-de-formularios/sec/form-code.txt

the FORM PROCESSOR CODE is here:
http://www.micromediaargentina.com.ar/formularios-varios/validacion-de-formularios/sec/form-processor-code.txt

in case you or anyone could check it a little… let me know here or at matias ATATAT micromediaargentina.com.ar

thanxs

Hi, It looks like if you change the

$_POST['captcha_code']

$_GET['captcha_code']

in your form processor code then it should validate okay.

By matiasn on Feb 19, 2008

This looks cool, but I’m having trouble using it with smarty. I’m not a very skilled PHP coder…

In my setup, I have submitrfp.tpl.htm which contains all the content for the form and I have subitrfp.php which is the logic for processing the form. I tried splitting the code into those places but the image did not generate.

I use Smarty all the time ain’t it great? I’ve put the script on a few sites with smarty. In the template file all you really need to do is add a form field for the code entry and show securimage_show.php in an image tag.

<?php

// put this at the top of the form processor
include 'securimage.php';
$img = new Securimage;

// some of your form code here

// where you do error checking
$code = $_POST['code']; // name the form field code
if ($img->check($code) == false) {
  // incorrect code!  output error similar to the other checks in your code
}

?>

If you need some examples I can send some to you if you just email me at the address in the readme file.

By Lorin Rivers on Feb 26, 2008

Hello there.
Just found your site. Great job!
I like it much.
look here http://live.com

By Dokmeeplylile on Feb 27, 2008

I’m having the same problem as John from Alphabet Solutions: little php skill - can make the uniqie images display no problem but can’t get the processing script to run. Instead of running it, the browser just loads the processing php script as a blank page. Any suggestions appreciated.

If the processor is showing up blank, it probably means there is a syntax error somewhere. You can try putting

error_reporting(E_ALL); ini_set('display_errors', 'on');

Then it will show the error and help pinpoint the problem.

By Chris Ferne on Mar 17, 2008

Any suggestions on how to integrate your script w/ Tectite FormMail v8.03 (http://www.tectite.com/formmailpage.php)? I see someone else asked this before but didn’t see any response.

I got everything setup but every time I submit the form, I get “The code you entered was incorrect. Go back and try again”.

thx,

SW

For those interested, I am working on a guide to integrating securimage into Tectite form mail which I will post soon.

By SW on Mar 19, 2008

Hi again,

I got it working finally at my site which you have listed in your examples. I had to make a copy of my processing script for my mail list so that other offers that don’t include the capcha were not rejected across the board. My question is about the method used to activate the audio spoken capcha code. I added the file path every way I could think of including putting the full file path without variables, is there a secret activation switch or something? Thanks again for your support.

Iyel

By iyel on Mar 19, 2008

Hi

Thanks for a great script. It works fine on my local machine. When I upload it to my ‘live’ site at http://www.easytitlecreator.com it doesn’t work - no error messages come across, but no graphic is displayed either.

I’ve run your test script and that says all is ok (look at http://www.easytitlecreator.com/test.php) but even there the graphic doesn’t show up. I also can’t get the demo to work on my live site (I have kept the same folder structure as you have in the zip file, if you want to look more closely…)

I also installed other free captcha systems - same issue, so I’m sure it’s not your script. I’m just wondering if you or anybody else can shed some light on this.

My hoster is http://www.godaddy.com if that helps.

Cheers

Martin

I took a look at the url you gave and looks like the problem is here: http://www.easytitlecreator.com/securimage/securimage_show.php When I view that now godaddy is inserting the html footer in it and breaking the image. A solution if possible would be to put a .htaccess file in that directory and add a line with “AddType application/x-httpd-php .png” and rename securimage_show.php to securimage_show.png. Maybe then they wont insert the ads into the image.

By Martin Schmalenbach on Mar 21, 2008

I’ve copied the website with the working captcha from one server to another and did not make any changes to the file structure.
The secure image files and the form processor and the contact form are all in the same folder.
Now the secure image does not load. I see only the place holder. The source code shows:

What is wrong now?
Thank you for this great program and for your assistance.

If you are seeing PHP source code when you try to view the image then it means most likely PHP is not installed or configured on the second server. Try making a file called info.php and putting &lt?php phpinfo(); ?> in it. If you see nothing then php isn’t installed on the server.

By Werner on Mar 22, 2008

securimage.php
LINE 108: var $code_length = 5;

When I change this value the captcha image still only displays four characters. The sample word list has five character words and changing $code_length doesn’t affect the number of character shown.

Thank you for pointing this out. It has now been fixed and is available in the 1.0.3.1 update. See the change log in the package for more details.

By Peter on Mar 24, 2008

I have received the following error:

Fatal error: Call to undefined function imagettftext() in /home/fletch/public_html/securimage/securimage.php on line 657

However, the server_test.php script says it should work. Here’s the output from that script:

* GD Support: Yes!
* GD Version: bundled (2.0.34 compatible)
* TTF Support (FreeType): No
No FreeType support. Cannot use TTF fonts, but you can use GD fonts
* JPEG Support: Yes!
* PNG Support: Yes!
* GIF Read Support: Yes!
* GIF Create Support: Yes!

The reason this error is occurring is because imagettftext function is a part of FreeType which is not supported on that installation. You can still use Securimage but you will need to use gd fonts instead of TTF. See the $use_gd_font variable for information on how to use gd fonts. You can then select a gd font with $gd_font_file.

By Carl Nasal on Mar 24, 2008

Hi, I got this problem. When I added the code to view the captcha, only the background show and no text. I tried on another server and it works fine, just not on this one. I check php version, and all of GD libs were installed. I tried the server_test.php and all were good to go. Help? http://www.faxengineer.ca/securimage/securimage_show.php

This might indicate that the TTF file specified in securimage.php is not in the correct location, unreadable, or perhaps corrupted. Double check the filename is correct and it may be necessary to use a full path (var $ttf_file = $_SERVER['DOCUMENT_ROOT'] . ‘/securimage/elephant.ttf’;). If that does not help try uploading a different font file and trying to use that. If you still have no luck, I can probably take a look as it may indicate an unhandled error.

By Jinn on Mar 27, 2008

Yeah, I tried many different ttf files but none works. What could be the problem?

By Jinn on Mar 27, 2008

Great captcha code! I highly appreciate this contribution. Here, I even added a third arc line by duplicating some of the code in the function that creates it… if you dont know exactly what I speak of… simply paste this right before the last curly brace on the function called arcLines():

$color = $colors[rand(0, sizeof($colors) - 1)];
$linecolor = imagecolorallocate($this->im, hexdec(substr($color, 1, 2)), hexdec(substr($color, 3, 2)), hexdec(substr($color, 5, 2)));

if ( rand(1,75) % 2 == 0 ) {
  $start = rand(92, 143);
  $ypos  = $this->image_height / 2 - rand(5, 15);
  $xpos += rand(5, 15);
} else {
  $start = rand(180, 250);
  $ypos  = $this->image_height / 2 + rand(5, 15);
}
$end = $start + rand(75, 105);
imagearc($this->im, $this->image_width / 2, $ypos, $width, $height, $start, $end, $linecolor);

By J.Morales on Apr 1, 2008

I’m having a strange problem with the code.

I put it on my server and it works fine for about a day - then, after a day, it won’t display the font that writes out the word — but it diplays the background and arc lines just fine. If I reupload the unaltered secureimage.php script to the server, it starts working again. Very weird…any thoughts?

Probably has to do with it not getting the path to the font file correctly. Is it being called from different directories depending on the situation? The remedy can be to try putting the full path to the TTF file in the securimage.php file, like var $font_file = ‘/home/yoursite/www/securimage/font.ttf’; instead of just ./font.ttf

By J. Hough on Apr 16, 2008

I have made progress, no longer getting a blank page. But even when I enter the correct code, all I ever get is the die message, and the script is prevented from running the regular capture function.

This might be because the script that validates the code is not accessing the php session which stores the captcha code properly. Try adding this to the very first line of the validation script:

< ?php session_start(); ?>

Securimage will try to create its own session or use an existing one, but if anything has been output prior to calling $img = new Securimage; and there was no previous session it will not be able to create one and therefore the validation will fail.

By Eric Stahl on Apr 19, 2008

I have
- index.html with check($_POST['captcha_code']) == false)
…
echo ‘ ‘;

If I click on this “back” button (or if I use the “back” button of the browser), then I submit the form again, the captcha check fails.

If I comment the line :
$_SESSION['securimage_code_value'] = ”;
in
function validate()
the captcha check doesn’t fail.

My form :
http://www.ordinateurs-de-vote.org/ethique-citoyenne/

I think the cause of this is validating the code when there are other errors on the form. To prevent the code from being deleted after a successful check, I would put the captcha validation off until the very end. If no other form input errors occurred you can then check to see if the code matched, but if there were input errors then there is no sense to check the captcha code since they will be held up by the other error checking. Hope that was clear and will help you out.

By PierreM on Apr 21, 2008

Hi all
I have the captch script working up until the point at which the post is meant to redirect to a thank you page but it just goest to a blank page with url http://www.lifeinsurancectr.com/scripts/feedback.php

feedback.php is the form processing script which should redirect back to the index page after a successful post.

Any idea what i have to add to the script to fix the redirect.

Many thanks

David

Hi, a lot of times the blank page means there is a PHP syntax error one place or another in the script which prevents it from loading. If php is set not to display errors (display_errors ini setting) then the page will show up blank.

ini_set('display_errors', 'on');
error_reporting(E_ALL);

That can help by at least showing what line the error occurred on to make it easier to find the problem.

By David on Apr 23, 2008

hi, i don´t know if i should place this here, or if you think this would help anyone, but ive made a step by step spanish tutorial
to help installing this captcha.

By matiasn on Apr 25, 2008

Hello,
First thanks for this cool script..
I have a ongoing project called ‘PHP-BLAST’,
and I’m concerning add your script to my project

http://www.avalon-knights.net/main/index.php?mode=user_info&act=new

As you see on the page..for now..i do my captcha as old php-nuke style..and I think it’s very weak for spambots nowadays.

Oh a question..
How do I make the text as sound file as you do?
I tried but generated WAV file is always corrupted.
Is there any limitation for it? such PHP version?

Cheerz,
-Grinder-

Hi, Thanks for the interest in this project.

Hope that helps you out, if not feel free to email me with the contact form.

By Grinder on Apr 25, 2008

Ok I have it working now except my form requires a username and if I do the captcha wrong and put in a username then it tells me I got the captcha wrong so I go back and try again but then if I put in the same username, it says that username was already in use. It is submitting the info even though the captcha is wrong. Please help with this. Thanks.

Sounds like this is part of a registration form? If so, you want to make sure the captcha checking is with any other error checking and happens before any of the data is processed.

Also it is best for certain types of forms to only check the captcha after all other error checking has been completed and there were no errors with the input.

By Sunny on Apr 29, 2008

Yeaaa I got it now. I had the code in the wrong spot. I guess I was suppose to put it before the error checking of the rest of the form.

By Sunny on Apr 29, 2008

Where is a good place to get some background images for this script? I like some of the backgrounds on the gallery page of this site but don’t know how to get them. Thanks

I made a couple of them on that page in Photoshop but thats not really my thing so they are the bad ones But I tried a google image search for “abstract images” and a lot of pretty usable images came up. You could crop out a certain part that has a good effect and make a pretty good background with it. Probably a few other good search terms that would return good results.

Good luck!

By Rob on Apr 29, 2008

I copied the files to my server and ran the server_test script. All seems fine (except no FreeType support). However when I run secureimage_show.php I get a blank page, no errors (php error checking is on), no captcha.
What could be wrong?(http://www.dreambabys.nl/securimage/securimage_show.php)

I’m guessing that there is an error with either one of the GD functions or perhaps when a setting was changed a semicolon went missing or something. display_errors is probably turned off on the server which is why the page is blank. If error reporting is set properly try adding the ini_set(’display_errors’, ‘on’); line at the top of securimage_show.php just after the < ?php tag. If that works then feel free to email me or post back and I can take a look and help you get it going.

By Jurjen on May 2, 2008

Thanks… It’s working now. No errors showed up because the error message was suppressed by the @-sign on line 657.

By Jurjen on May 3, 2008

I’m having a similar problem as another person on this FAQ but you answer doesn’t seem to help the problem. The issue is, if someone fills out a form, and gives a wrong captcha code, the error message comes up saying so. Then the user clicks the back button on their browser, and the captcha code displayed is the same as it was before however your script seems to have generated a new code in the background, so no matter what the user types in for the code, it is incorrect. The only way to get it to work is refresh the page or click Reload next to the captcha. Is there a way to have the code either NOT regenerate a new # like it is currently doing, or FORCE a new image to be displayed with the newly generated captcha? Thanks!!

By Rob on May 4, 2008

Hi Jurgen… I ran into the same issue as you, but your cause could have been posted!

Here is it. If when running server_test.php you get “TTF Support (FreeType): NO”, then modify line 143 to be “true”:
var $use_gd_font = true;

Ideally, the script should check TTF Support and act accordingly.

By Francois on May 7, 2008

Hi again. I would like to submit for a quick and easy enhancement that would secure the captcha. Instead of storing the captcha plain text itself in a session cookie (which could be read), you should store the MD5 of the generated text, and comparing with the MD5 of the user’s input.

This way you avoid bots that will read their own session cookie, since the value in the cookie will be different than the text entered by the user.

Contact me if you need help with this.

Francois

It does use sessions to store the code but the only thing that is sent to the client is the session id, the actual code is stored on the server with any other session data. Someone could intercept the session id but still would not be able to read the code.

By Francois on May 7, 2008

Cant get the image to display and have tried most things. Dont have access to TTF.

Test Script
http://www.trevross.co.uk/test.php
My test form
http://www.trevross.co.uk/enquiry2.php
Process form
http://www.trevross.co.uk/formprocess2.php

I am probably missing something silly.

HELP!!! Cheers

I took a look by calling the securimage_show.php script directly and it output some errors that helped explain the problem. It looks like the include is calling “/securimage/securimage.php” which is looking in the wrong place for it. If you change it to include $_SERVER['DOCUMENT_ROOT'] . “/securimage/securimage.php”; then it should start to work fine.

By Tony Fellas on May 9, 2008

Thank for the quick response. I tried what you said but no Joy only errors again.

I re uploaded the original securimage files. The image didnt not load. When you right click on where the image should be the properties show…
http://www.trevross.co.uk/securimage/securimage_show.php
Put that in the address bar and there are no errors.

By Tony Fellas on May 11, 2008