Hi,

Currently I'm wondering if there is a way to post to a website using captcha for a human-check. The following question is asked, of course this is done with random numbers:

Type this number in digits; 'twohundredandfive': [ input ]

The form is sent using AJAX. So when reloading the website the number to be typed changes.

A way to get past this is reading and converting the number, then post some data, but at the second request the number already has been changed (which is good). But IS there a way to avoid this?

Don't think I'm using this for bad intentions, the described form is used in one of my applications. It is just a check to make sure bots can't get past.

Thanks so far :-)

+1  A: 

A CAPTCHA should test whether the entity solving it is human. To my eyes, the problem you are setting looks like it would be fairly trivial to solve algorithmically.

Given that a human can pass the test, then it's certainly possible to write an automated bot which will pass it too. As to whether there is a "back door" which allows access without solving the CAPTCHA, only you can decide that by analysing your source code.

Paul Dixon
Absolutely right, solving that captcha should be very easy, things like that will be no problem for non-humans, so the only thing you do is annoy users. There are some nice CAPTCHA algorithms, why not use one of those?
Flo
This captcha is fairly easy to solve by a computer, but my point is if it's safe to implement it this way. A new request means a new number, still POST is sent prior to receiving data (the number), it would be a guess which number to send to the server in the POST-request?
Stefan
My second paragraph addressed this, in other words, a human operating a typical browser can get past this simple CAPTCHA, so it wouldn't be hard to code a bot to do the same. It just has to behave like a browser. A site user could also use a GreaseMonkey script to fill in the CAPTCHA for them too.
Paul Dixon
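The point discussed in the comments above, as an added example that is not part of the thread: a server that binds each challenge to a single-use token rejects a blind POST and a replayed one, but still accepts any client that first reads the challenge it was served. `ChallengeStore`, `WORDS` and `run_demo` are hypothetical names, and the word list is constructed sample data.

```python
import hmac
import secrets
import time

# Constructed sample challenges: number -> spelled-out form shown to the user.
WORDS = {205: "twohundredandfive", 17: "seventeen", 42: "fortytwo"}


class ChallengeStore:
    """Hypothetical server-side store: one challenge per token, usable once."""

    def __init__(self, ttl=120, clock=time.monotonic):
        self._pending = {}   # token -> (expected answer, expiry time)
        self._ttl = ttl
        self._clock = clock

    def issue(self):
        """Pick a random number and return (token, words to display)."""
        number = secrets.choice(list(WORDS))
        token = secrets.token_urlsafe(16)
        self._pending[token] = (str(number), self._clock() + self._ttl)
        return token, WORDS[number]

    def verify(self, token, answer):
        """Check an answer; the token is consumed even when the answer is wrong."""
        entry = self._pending.pop(token, None)
        if entry is None:                 # never issued, or already used
            return False
        expected, expires = entry
        if self._clock() > expires:       # challenge was left unanswered too long
            return False
        given = str(answer).strip().encode()
        return hmac.compare_digest(expected.encode(), given)


def run_demo():
    store = ChallengeStore()
    lookup = {words: number for number, words in WORDS.items()}
    # POST sent without fetching the form first: no valid token, so rejected.
    blind = store.verify("no-such-token", "205")
    # Client that fetched the form and read the challenge text: accepted.
    token, words = store.issue()
    first = store.verify(token, lookup[words])
    # Same token and answer sent a second time: rejected as already used.
    replay = store.verify(token, lookup[words])
    return blind, first, replay
```

The binding only decides which requests are eligible to be checked; whether the check separates humans from programs depends entirely on how hard the challenge itself is to read.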
+1  A: 
Traveling Tech Guy
The trouble with that kitten approach is that you've a 1 in 4 chance of being right. Pretty good odds if success lets you do something like send a spam message.
Paul Dixon
Also "No one will bother developing an algorithm to analyze photos to that degree" is complete nonsense - computer vision is a very popular and active area of research. There are literally hundreds of computer scientists trying to develop such algorithms. Not for breaking CAPTCHAs, but if they succeed, spammers will certainly make use of the results. The method is viable mainly because it's a hard problem (harder than text recognition) and not yet solvable.
Michael Borgwardt
Paul - make it 1 in 40 then. Or move the pictures around. Basically, ask a question only a human can answer, rather than confuse humans :)
Michael - with some pictures, it's impossible to understand the logic from computer vision. For example: if I ask you "which of these pictures shows men's best friend?" [avoiding the word "dog"], it would require a natural language engine + a computer vision algorithm + neural network driven decision algorithm. If you have the resources to build something like that, you'll make millions selling it, and won't spend time mining emails for spam :)
Traveling Tech Guy
A: 

Converting strings to numbers has already been discussed in another question where many references to the Google calculator were given, which does a great job in such conversions, so your approach is not suitable for testing whether your user is human.

As for an alternate solution, I can only link to another great answer.

soulmerge