in reply to Stop Form Hurling

Randomly generate a list of letters and numbers. For an example, have a look at http://www.icthus.net/CGI-City/tut_random2.shtml. You can modify it like this:
@array = (0..9, 'a'..'z', 'A'..'Z'); srand; foreach (1..5) { $rand = int(rand scalar(@array)); push(@selected, $array[$rand]); } # store the chosen character, not its index
I suppose you already have the necessary alphanumeric set of image files. Just use the @selected array to incorporate the images to your document, like this:
for (my $i = 0; $i < 5; $i++) { print "<img src='image_dir/$selected[$i].jpg' border=0>"; }
Then make a variable out of @selected to check it once the form has been submitted:
$check_var = "@selected";
Pass it on to the cgi script that will do the checking and you're done.

I hope this helps as the only thing I've been doing around here is ask questions. ;-)

Re^2: Stop Form Hurling
by simonm (Vicar) on Nov 06, 2004 at 05:52 UTC
    Then make a variable out of @selected to check it once the form has been submitted: ... Pass it on to the cgi script that will do the checking and you're done.

    Unfortunately, this solution is not very secure. An automated script could easily figure out what to send back by looking at the image URLs, or could simply send a different value for check_var that matches their input.

    Instead of trying to code this from scratch, take a look at the existing "Captcha" implementations.

      Yeah, I know about that. I took one more step to circumvent this security flaw.

      I randomly renamed the alphanumeric images and I keep a list of correspondences between these random names and the actual values of the letters somewhere on my site. So, actually, what a robot would see in the image URLs is various names of Greek cities (e.g. "athens", "thessaloniki", etc. -- hey! I'm Greek after all ;-).

      Then, the cgi script reverses the process and checks the password. I suppose bots are not that clever to figure out what's going on.

        But if you're passing the value to check against as a query parameter, what's to stop a malicious user from manually finding one match, and then re-submitting those parameters to your site in thousands of future requests?
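The two objections above (the answer travels in the form, and a found match can be replayed) both come from checking the answer on the client's terms. The following is an added example, not code from the thread or from any of the posters, that keeps the expected answer on the server, keyed by an opaque nonce that is consumed on first use, and names the image files by a secret-keyed hash rather than by the letter they show. The in-memory `%pending` hash, the `$image_secret` value and the `image_dir/` path are assumptions for the demo; a real CGI would keep the pending challenges in a file or database that survives between requests.

```perl
#!/usr/bin/perl
# Added example: server-side challenge store for the image check discussed in the thread.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my @alphabet = (0..9, 'a'..'z', 'A'..'Z');

# Image file names derived from a secret, so the URL does not reveal the letter.
# $image_secret is a constructed placeholder; generate and keep your own.
my $image_secret   = 'replace-with-a-long-random-secret';
my %image_name_for = map { $_ => substr(sha256_hex("$image_secret:$_"), 0, 12) } @alphabet;

# Outstanding challenges: nonce => { answer, expires }. Constructed in-memory store.
my %pending;

# Create a challenge; only the nonce goes into the form, never the answer.
sub new_challenge {
    my ($len) = @_;
    $len ||= 5;
    my $answer = join '', map { $alphabet[int rand @alphabet] } 1 .. $len;
    my $nonce  = sha256_hex(join ':', time, $$, rand(), $answer);
    $pending{$nonce} = { answer => $answer, expires => time + 300 };
    return ($nonce, $answer);
}

# Render the answer as images whose names carry no letter information.
sub render_images {
    my ($answer) = @_;
    return join '', map { qq{<img src="image_dir/$image_name_for{$_}.jpg" alt="">} }
                    split //, $answer;
}

# Compare without short-circuiting on the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify a submission: the nonce is deleted on first use, so a replay fails
# even if the same (nonce, answer) pair is sent again.
sub verify {
    my ($nonce, $typed) = @_;
    my $entry = delete $pending{$nonce};
    return 0 unless $entry && $entry->{expires} >= time;
    return constant_time_eq($entry->{answer}, $typed);
}

# Demo run
my ($nonce, $answer) = new_challenge(5);
print render_images($answer), "\n";
print qq{<input type="hidden" name="challenge" value="$nonce">\n};
print verify($nonce, $answer) ? "first submit accepted\n" : "first submit rejected\n";
print verify($nonce, $answer) ? "replay accepted\n"       : "replay rejected\n";
```

Because the form carries only the nonce, a bot that reads the page source learns nothing about the expected letters, and because `verify` deletes the entry before comparing, the thousand-replays scenario from the last reply fails after the first use; the expiry bounds how long an unsolved challenge stays valid.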