Knowledge-based CAPTCHA

@KeveyApr 24.2006

Wondering if anyone had or knows of a script (php or cgi) that functions as a knowledge-based CAPTCHA.

For example, it might say: “Enter the word that is the opposite of hot” or
“What is the name of a house pet that barks?” and validates the input before processing the form.

I have read that spammers have gotten pretty good with pic parsing/OCR…so wondering if knowledge-based is the way to go? Of course it won’t stop folks from comment spamming by hand, but it sounds like it would be effective against bots.

to post a comment

PHP

12 Comments(s) _↴

@bathurst_guyApr 24.2006 — #Just make one up...

@KeveyauthorApr 24.2006 — #Therein lies the problem: I have no experience in this area. I have been looking for an example of the basic framework that I can tweak, but have only been able to find CAPTCHAs with pictures thus far. ?

@bathurst_guyApr 24.2006 — #Ok, well why not create a simple drop down box with the questions that have the values 0-9 (for 10 questions). Let the user choose which question to ask (kind of like the "if you lose your password, whats your mothers maiden name"). Then, have an array that holds the number -> answer.

eg

<i>
 </i>&lt;select name="dropdown"&gt;
 &lt;option value="0"&gt;Opposite of cold&lt;/option&gt;
 &lt;option value="1"&gt;A colour - eulb spelt backwards&lt;/option&gt;
 &lt;option value="2"&gt;A fruit that is yellow that monkeys eat&lt;/option&gt;
 &lt;/select&gt;
 &lt;input type="text" name="answer"&gt;

[code=php]
 $array = array("hot", "blue", "banana");
 if($array[$_POST[dropdown]] == $_POST[answer]){
 echo "Goodo!";
 }else{
 echo "Nup, sorry try again";
 }[/code]

@KeveyauthorApr 24.2006 — #Thanks bathhurst_guy...awesome! I'll have fun with it for sure. ?

@balloonbuffoonApr 24.2006 — #And it'll be an ego booster for your visitors! They will be so proud of themselves when they answer those questions correctly. ?

--Steve

@KeveyauthorApr 24.2006 — #And it'll be an ego booster for your visitors! They will be so proud of themselves when they answer those questions correctly. ?

--Steve[/QUOTE]

LOL...I'll try and keep the questions on the easy side... ?

BTW...I am having fun playing around with the script bathhurst_guy gave me, and am wondering if anyone can tell me how to direct to a specific page based on the answer vice telling whether it is right or wrong.

if correct goto url blah.com

else goto url blah.net

Either way I am having alot of fun. Haven't messed around with any programming like this since my Commadore 64 (with tape drive). ?

@David_HarrisonApr 25.2006 — #The problem with this is that you're giving the spam-bots a 1 in 10 chance of answering correctly, whereas with the the image based captcha there is a much lower chance than that because OCR technology isn't very advanced.

If you were to have an image for the question though, that would be more secure, a knowledge based image captcha, but to keep it as accessible as possible you'd also need to have an audio version of the image.

@KeveyauthorApr 25.2006 — #WOW...it works. Here's the code I used: (THANK-YOU for the direction bathhurst_guy)

[CODE]<?php
 $array = array("hot", "blue", "banana");
 if($array[$_POST[dropdown]] == $_POST[answer]){
 include "search.html" ;
 }
 else
 {
 include "error.html";
 } 

 ?>[/CODE]

Is this the best way to do it? I don't know much about php, but seems it would be pretty easy for a bot to bypass this and inject headers into my mail form anyway...or am I wrong?

@KeveyauthorApr 25.2006 — #The problem with this is that you're giving the spam-bots a 1 in 10 chance of answering correctly...[/QUOTE]

True...I see your point. Perhaps a picture with an associated question about an [I][B]aspect[/B][/I] of the picture would do it. Like: "What item is sitting on the table in the picture?" Or something along those lines. No bot could get that answer.

Now we're rolling...I just have to learn how to make it work now. I was happy just figuring out how to make the else/if thing work (with bathhurst_guy's help)...although I now realize that it won't work for my application. I need a person to fill out the form, then answer the CAPTCHA on the form, and then pass the form info to the php formmail without the CAPTCHA info.

It's fun learning this stuff...it's like learning html/css all over again (except harder).

@balloonbuffoonApr 25.2006 — #I like that idea "what is this picture of?" I think it'd be impossible (at least at the present) for a machine to tell what an image is. Good luck with it!

--Steve

@KeveyauthorApr 25.2006 — #Thanks---any input from anyone is more than welcome...I am not a programmer by any means...if it's not in google i can't git-r-done. ?

@bokehApr 25.2006 — #The problem with this is that you're giving the spam-bots a 1 in 10 chance of answering correctly, whereas with the the image based captcha there is a much lower chance than that because OCR technology isn't very advanced.[/QUOTE]I agree! Even with just 4 characters the number of combinations runs into several million. As far as OCR goes if you give is an easy captcha image of course it will be able to crack it. Here are a few pointers to making your image a bit harder to crack:[list]

[*]Use a variety of fonts.

[*]Fonts with glyphs are harder to read

[*]Angle the text either uphill or downhill and change the angle from image to image.

[*]Optionally place the text along a curve or wave

[*]Use alphanumeric characters for the background as well as the code itself.

[/list]Most captcha breaking is based on a hybrid attack where the captcha is read by a person and then a robot subsequently uses the captcha. This might sound inefficient but it is not because most captcha scripts have an inherent fault. The captcha code is set when the image is first created and remains stored in the session until a new image is requested, overwriting the previous code in the session. Because the image is never requested again by the robot the captha code in the session is never updated so will remain the same over numerous form submissions. This means a human intially reads the image and then the robot keeps the session active (maybe for months) submitting the form whenever it chooses without the need for any OCR software. The way to get around this is to make certain to delete the captcha code from the session after any successful form submission.

Also in #PHP _↴

MySQLi stmt issue Value of print_r()Remote XAMPP server not playing flash content

Success!

Help @Kevey spread the word by sharing this article on Twitter...

Tweet This

Knowledge-based CAPTCHA

12 Comments(s) _↴

Also in #PHP _↴

Success!

Social

Version

Knowledge-based CAPTCHA

12 Comments(s) ↴

Also in #PHP ↴

Success!

The web is an endless sea of information. Don't miss the boat... Subscribe!

Social

Version

12 Comments(s) _↴

Also in #PHP _↴