0

I am running a PHP script which generates a captcha code in this way:

<img src="http://examle.com/captcha_code_file.php?rand=1846368456" name="6_letters_code" id="captchaimg"> 

I am using this code to grab rand value:

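var a = document.getElementById('captchaimg'); // the captcha <img> shown above
var src = a.src;
var match = src.match(/rand=(\d+)$/);
// match is null when the URL carries no rand parameter
var rand = match ? match[1] : null;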

I am having a problem comparing this value 1846368456 with the letters on my screen, for example AY231X. In other words, these two values do not match. So is it possible to compare the user's input in the form with the rand value using JavaScript?

6
  • want javascript to generate the same captcha by using a random generator? Commented Aug 26, 2014 at 18:07
  • Not sure what you're asking. Are you wondering how to compare a value in Javascript? Post some more code please. Commented Aug 26, 2014 at 18:11
  • 2
    WHY would you validate captcha via JavaScript? It makes it possible for someone to bypass captcha. Commented Aug 26, 2014 at 18:16
  • 1
    @webnoob, JS runs fine for bots, avoid confusion with search engine spiders/bots Commented Aug 26, 2014 at 18:34
  • 1
    Ah yes, I was confusing them! Good point. Commented Aug 26, 2014 at 18:44

1 Answer

2

Basically, if you show your captcha image captcha_code_file.php, you generate a code to display.

Save this code in the user session. When your form is sent, you check whether the captcha code is in the session.

The rand=1846368456 parameter is only there to ensure that you see the latest generated picture and not some cached one.

How to check the code from JS?

You can provide a checkCaptcha.php, which basically does the lookup in the session and echoes true or false. Before sending your form, you can make an Ajax call to it.

checkCaptcha.php?code=foobar

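session_start(); // required before $_SESSION can be read
$code = isset($_GET['code']) ? $_GET['code'] : '';
$sessionCode = isset($_SESSION['captchacode']) ? $_SESSION['captchacode'] : '';
// Reject an empty guess or one that differs from the code stored in the session
if (empty($code) || $code !== $sessionCode) {
    die('FALSE');
}
die('TRUE');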

Ajax:

var captchacode = 'foobar'; // Read from input
// Pass the value as a data object so jQuery URL-encodes it
$.get("checkCaptcha.php", { code: captchacode }, function (data) {
    if (data === 'FALSE') {
        alert('Error with Captcha');
    }
});

On Form submit, you should clear the "used" captcha code.

What about security?

We always check the captcha code on the server side. This Ajax call is only for user experience.

I don't think this solution provides a security hole.

It is easier to do a single POST:

$success = false;

while (!$success) {
    $code = tryReadCode();
    $result = attackPageViaPost($code);
    $success = strpos($result, 'Congrats, you successfuly entered the captcha') !== false;
}

than

$success = false;

while (!$success) {
    $code = tryReadCode();
    $success = getAjaxResult($code);
}

attackPageViaPost($code);

4 Comments

Yes, but can I check the captcha code before sending, with JavaScript?
@ZeljkoKovacevic that is a bad idea. Captchas are usually used to prevent bots. If you provide a way for the bot to check the captcha on the client side (JavaScript), people are going to find ways past it.
Yes, I validate the captcha code with PHP, but a guy told me to also make JS validation.
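
Added example, not code from the answer or the comments above: a server-side sketch in which the form handler consumes the captcha code on every submit and the Ajax pre-check allows only a few wrong guesses per image. The session key `captchacode` comes from the answer; the function names, `MAX_PRECHECKS` and the `captcha_tries` key are hypothetical, and a plain array stands in for `$_SESSION` so the block runs on the command line.

```php
<?php
// Added example. Assumes captcha_code_file.php stored the generated text in
// $_SESSION['captchacode']. MAX_PRECHECKS and 'captcha_tries' are hypothetical names.
const MAX_PRECHECKS = 3;

// Authoritative check, called by the form handler. The stored code is removed
// whether or not the guess was right, so each submit needs a fresh image.
function verifyCaptchaOnSubmit(array &$session, string $input): bool
{
    $expected = (string)($session['captchacode'] ?? '');
    unset($session['captchacode'], $session['captcha_tries']);
    return $expected !== '' && hash_equals($expected, $input);
}

// UX-only pre-check for the Ajax call. Wrong guesses are counted, and after
// MAX_PRECHECKS failures the code is discarded so the endpoint cannot be
// used to guess repeatedly against the same image.
function precheckCaptcha(array &$session, string $input): string
{
    $expected = (string)($session['captchacode'] ?? '');
    if ($expected === '') {
        return 'EXPIRED'; // client should reload the captcha image
    }
    if (hash_equals($expected, $input)) {
        return 'TRUE';
    }
    $session['captcha_tries'] = ($session['captcha_tries'] ?? 0) + 1;
    if ($session['captcha_tries'] >= MAX_PRECHECKS) {
        unset($session['captchacode'], $session['captcha_tries']);
        return 'EXPIRED';
    }
    return 'FALSE';
}

// Constructed demo data: an array in place of $_SESSION.
$session = ['captchacode' => 'AY231X'];
echo precheckCaptcha($session, 'foobar'), "\n";
echo precheckCaptcha($session, 'AY231X'), "\n";
// The first submit consumes the code; a replay of the same value is rejected.
var_dump(verifyCaptchaOnSubmit($session, 'AY231X'));
var_dump(verifyCaptchaOnSubmit($session, 'AY231X'));
```

In a real handler, pass `$_SESSION` after `session_start()` and regenerate the image whenever the pre-check answers `EXPIRED`.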
