user1817311

Botsafe Captcha for PHP form verification

Is this captcha type botsafe for a PHP form?

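<?php
session_start();

// Random 5-digit code, kept in the session for the form handler to check.
$text = rand(10000, 99999);
$_SESSION["vercode"] = $text;
$height = 25;
$width = 53;

// The first colour allocated becomes the background: black, with white text on top.
$image_p = imagecreate($width, $height);
$black = imagecolorallocate($image_p, 0, 0, 0);
$white = imagecolorallocate($image_p, 255, 255, 255);
$font_size = 5; // built-in GD fonts are numbered 1 to 5; larger values fall back to 5

// Tell the browser that the response body is a JPEG.
header('Content-Type: image/jpeg');
imagestring($image_p, $font_size, 5, 5, $text, $white);
imagejpeg($image_p, null, 80);
?>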

and then I let it run through an IF statement that is connected to a form this way.

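$verify = $_POST['verification'];
// $_POST values are strings but the stored code is an int, so cast before using ===.
if ($verify === (string) $_SESSION['vercode']) { /* code matched: handle the form */ }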

Upvotes: 1

Views: 247

Answers (3)

Hugo Delsing

Reputation: 14173

Almost any custom made CAPTCHA is safe against bots, simply because no bot maker ever put time into cracking it. So if you have a few simple sites, you will be safe with something like this.

If you plan on making a plugin or using it on a site where it would be profitable for a bot maker to solve the captcha, then it won't be safe, because the text will be easily reversible to the actual code.

But then again, if you make something yourself for a simple site, you can be a lot more creative and make something no user even knows is there and thus won't be annoyed by it.

Perhaps creating a text field in the form and then positioning it outside the viewport. No user will fill this field, but a bot processing the form will. So you can simply check on the server side if the field has a value. If it does, it's a bot.

Also, if you make something yourself, don't give it an easy-to-understand name like 'CAPTCHA' but use something that could be an actual field. Then there won't be any automated attempt to bypass it either.

Upvotes: 1
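
The hidden-field check from this answer, combined with the session code from the question, as an added example that is not part of the original posts. The decoy field name `website`, the function name and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example: server-side check of a hidden decoy field plus a single-use
// session code. HONEYPOT_FIELD and check_submission() are hypothetical names.

const HONEYPOT_FIELD = 'website';      // assumed decoy name; moved off-screen with CSS
const CODE_FIELD     = 'verification'; // field name used in the question

/**
 * Returns [bool $accepted, string $reason]. $session is taken by reference so
 * the stored code can be consumed: each code is valid for one attempt only.
 */
function check_submission(array $post, array &$session): array
{
    // 1. Decoy field: a person never sees it, so any value means automation.
    $trap = $post[HONEYPOT_FIELD] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        return [false, 'decoy field filled'];
    }

    // 2. Remove the stored code before comparing, so a wrong guess cannot be retried.
    $expected = $session['vercode'] ?? null;
    unset($session['vercode']);
    if ($expected === null) {
        return [false, 'no code issued for this session'];
    }

    // 3. Compare as strings: POST values are strings, the stored code may be an int.
    $given = $post[CODE_FIELD] ?? '';
    if (!is_string($given) || !hash_equals((string) $expected, $given)) {
        return [false, 'wrong code'];
    }
    return [true, 'ok'];
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'       => ['verification' => '48213', 'website' => ''],
    'form filler' => ['verification' => '48213', 'website' => 'http://example.com'],
    'wrong code'  => ['verification' => '00000', 'website' => ''],
];
foreach ($samples as $label => $post) {
    $session = ['vercode' => 48213]; // what the image script stored as an int
    [$ok, $reason] = check_submission($post, $session);
    printf("%-12s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $reason);
}
```

In a real handler the second argument would be `$_SESSION` after `session_start()`.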

MrCode

Reputation: 64526

Is this captcha type botsafe for a PHP form?

Absolutely not. Your code creates an image with a black background and white text, all in the same font and style. There is nothing that makes the text hard to read by bots.

To make it bot-proof you would need to distort the text and preferably vary the color. Also it helps if you add some background noise to prevent the bot from easily determining the characters. Instead of going to the trouble of coding your own, you can use something like reCaptcha that already addresses all of these issues.

Example of your image:

[image]

Upvotes: 1

NLZ

Reputation: 945

It is hard to say it will be bot-safe. You are creating a simple string and showing it in the picture.

That means if the "hacker" uses an OCR mechanism, they could easily read the text in the image. So the text itself should be unreadable by OCR (this could be solved by adding blurring, distortion or lines through the text, for example).

I think you should look at popular libraries like re-captcha and the information they provide here: http://www.google.com/recaptcha/learnmore

Upvotes: 1
