Implementing CAPTCHA spam protection in PHP

Those people privileged enough to have websites with fancy (or non-fancy) forms on them will probably be all too aware of the evil spambots that come along, auto-fill them with commercial nonsense, inane content or on occasion just blanks, and hit the submit button. Depending on what the form does this tends to mean you'll get 1000 advertisement emails, a database full of rubbish or a few thousand complaints about spam. The Poorhouse has already discussed a few ways of dealing with the problem but another common one is illustrated here.

(Thanks via Gemma)

The point here is to distinguish between a human and a spam bot. Tests like these are known as CAPTCHAs - CAPTCHA standing for "Completely Automated Public Turing test to tell Computers and Humans Apart". Sadly there are instances where companies pay some poor exploited people pennies to manually add spam to your lovely website, which this won't help with so much, but most often it's probably an automated script.

The maths question you currently get before posting comments on this site is an example of a CAPTCHA - albeit a rather easy to break one. Most spambots, however, do not yet seem to know how to break it, so it's staying for now, being generally nicer and more accessible than many other implementations. A more common implementation is the classic "Please type these letters below" situation where you are presented with a picture of some letters skewed and twisted up a little with strange backgrounds. The form will only let you submit it if you accurately transcribe them into a text box. This is a good way of telling humans and computers apart as it is relatively hard (at present) for a computer to analyse a deliberately messed around image and come out with the correct text.

But how to implement them? Many forums, content management systems et al. come with this facility built in. If however you already have a site you can easily do one yourself using whatever scripting language you might have handy. Here we will see it done in PHP. To write one from scratch you would likely need to know about processing forms, creating images programmatically and PHP sessions. Not rocket science, but to follow the eternal Poorhouse maxim, why put yourself to hard work when someone has already created a free and easy solution?

Enter Ed Eliot's Visual and Audio PHP CAPTCHA Generation Class. It provides a nice, easy, customisable class to allow you to generate images of text (and also audio files for those who are after greater accessibility) and check whether the input the user/bot puts into your form did indeed match the generated CAPTCHA. To run it your server should have PHP4 complete with GD and FreeType support. That seems to be fairly standard, but if you don't know what this means or whether you have it then ask your webhost or use the phpinfo() function to see for yourself.

Assuming you can muster up the above requirements, the first thing to do is download the zip file of source code from the main class page and put the file it contains ("") onto your webserver. You should also ensure a TrueType font is present in the directory - the Poorhouse has used the freely available font Dustismo Sans before.

You then need to create the image that will be displayed to the user on your form. Clearly this image has to change what letters it displays each time it's used, so rather than a boring old jpg it is to be a PHP file. Start a new text file and call it "visual-captcha.php". This is the file in which you configure what you want your image to look like. A simple example using the Dustismo Sans font would be:

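// Load the downloaded class file with require() before this point.
$aFonts = array('dustismo_sans.ttf');        // TrueType font(s) used to draw the text
$oVisualCaptcha = new PhpCaptcha($aFonts, 200, 60);   // 200x60 pixel image
$oVisualCaptcha->Create();                   // output the image and remember its code in the session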

This example will end up giving you an image like:

Then somewhere on the form you wish to protect, you should add the following img tag to show the image.

<img src="visual-captcha.php" width="200" height="60" alt="Visual CAPTCHA" />

...and a textbox with a name like "user_code" for the user to enter the text they see for checking.

<label for="user_code">Please enter the text you see into this box:</label>
<input type="text" name="user_code" id="user_code">

That's your form completed!

The other part of the operation of course is to check on whichever page receives and processes the input of your form (this may of course be the same page that the form is on) that the user entered the correct text. It's as simple as this:

if (isset($_POST['user_code']) && PhpCaptcha::Validate($_POST['user_code'])) {
    // Captcha code was correct - process your form as per usual
} else {
    // Captcha code was wrong (or missing) - do not process the form
}

That wasn't too troublesome now was it? If you want to go more advanced and customise how the CAPTCHA graphic looks, or introduce audio captchas, again see Ed Eliot's site.
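For readers curious what the session side of such a check involves, here is an added sketch (not Ed Eliot's code and not taken from the class) of the issue-then-validate cycle with a single-use code. The helper names, the session key and the alphabet are assumptions made for illustration, and it assumes PHP 7 or later for random_int() and hash_equals().

```php
<?php
// Added example: hypothetical helpers, not part of PhpCaptcha.
// Requires PHP 7+ (random_int, hash_equals).

const CAPTCHA_KEY = 'captcha_code';                          // hypothetical session key
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O, 1/I

// Called by the image script: pick a fresh code and remember it server-side.
function captcha_issue(array &$session, int $length = 5): string
{
    $code = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)];
    }
    $session[CAPTCHA_KEY] = $code;
    return $code; // the image script would draw this with GD
}

// Called by the form handler: compare, then discard the code either way.
function captcha_check(array &$session, $input): bool
{
    $expected = $session[CAPTCHA_KEY] ?? null;
    unset($session[CAPTCHA_KEY]);            // single use: pass or fail
    if (!is_string($expected) || !is_string($input)) {
        return false;                        // no code issued, or array input
    }
    return hash_equals($expected, strtoupper(trim($input)));
}

// Constructed demo; in a real page call session_start() and pass $_SESSION.
$session = [];
$code = captcha_issue($session);
var_dump(captcha_check($session, strtolower($code))); // correct answer
var_dump(captcha_check($session, $code));             // same answer replayed
var_dump(captcha_check($session, ['x']));             // malformed input
```

Discarding the stored code on every attempt means one solved image cannot be reused for a second submission; the form has to request a new image each time.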



I think this is great solve for spam... But can we import this to wp?

Hi, wp as in Wordpress?


wp as in Wordpress? I've never used wordpress myself but no doubt one could integrate it. Unless there's anything wrong with them though I see that there are existing captcha solutions for Wordpress here you might like to have a look at first in the interests of saving yourself development time.

About your captcha


Your captcha is vulnerable. You need to use more secure protection.

This captcha will be in my Month of Bugs in Captchas:

Hi, Thanks for the info. Do


Thanks for the info. Do you mean the CAPTCHA this page describes, or the one actually in use on this site? I have to say that now and then the odd bit of spam gets through both the CAPTCHA and the spam filter, but it's several orders of magnitude less than before I started using them so I tend to live with it. If you've got any particular advice though on how I should fix it I would be most interested to hear it. FWIW the reason I use a relatively-insecure maths CAPTCHA here though is to ensure the site is accessible to those using screen readers, poor eyesight and so on. Is there a better method you would recommend that doesn't lose accessibility?


did anything ever come of

did anything ever come of this? was your captcha "hacked to death"??
what a wanker. you do get some off visitors here don't you?

I wouldn't say "hacked to

I wouldn't say "hacked to death" to be honest. A few evil spambots / low paid poor foreigner workers get through here and there but really about a handful a month as a rule - even though it is a notoriously insecure captcha (the maths thing that is). I'd love the original commenter to give me some help / advice how to cure as requested but not heard anything back yet. Amazingly thepoorhouse still remain the lively centre heartbeat of the known webosphere, as you can see!

Really? I'd love to see the

Really? I'd love to see the original commenter doing something more productive with this time...

not that i'm particularly productive myself but i don't go around imposing my boredom on others for the most part.

Well that would be even

Well that would be even nicer some might say, but I'm exercising xmas charity it would seem :-) x
