How to compare input field with variable on submit in php?

Question

I have created a random string and using it as captcha but not able to validate. I am very noob in PHP. here I used isset($_POST['submit']) but without a click on submit this form is showing error (variable) (strCaptcha is required). My logic is that on submit click code will compare the value of 'strCaptcha' with $str and show error or run the form.

$error = '';
if (isset($_POST['submit'])){
  if (empty($_POST["strCaptcha"]) || $_POST["strCaptcha"] != $str) {
    $error = "strCaptcha is required";
   }
}
<form method="post" action="<?php echo $action; ?>" >
    <p><label><b>COA Number:</b></label><br>
    <input type="text" name="number" class="text"><br><be>
    <span id="realcap" style="visibility:hidden;"><?php echo implode(' ',str_split($str)); ?></span><be>
    <span style="color:red;"><?php echo $error; ?></span><br>
    <img src="" id="captch" alt="This Is a CAPTCHA Image"><br>
    <label><b>Enter the text of the image above:</b></label><br>
    <input name="strCaptcha" type="text" class="text" value="" maxlength="5"><br><br>
    <input type="submit" class="awesome medium" name="submit" value="Verify Now"></p>
</form>

Added Image

<script src="//cdnjs.cloudflare.com/ajax/libs/html2canvas/0.4.1/html2canvas.min.js"></script>
<script>
  html2canvas(document.getElementById("realcap"), {
    onrendered: function(canvas) {
      var screenshot = canvas.toDataURL("image/png");
      document.getElementById("captch").setAttribute("src", screenshot);
    }
  });
</script>

random string

$n=5; 
function getName($n) { 
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; 
    $randomString = ''; 
    for ($i = 0; $i < $n; $i++) { 
        $index = rand(0, strlen($characters) - 1); 
        $randomString .= $characters[$index]; 
    } 
    return $randomString; 
} 

$str = getName($n);

Answer 1

Your script can be very easy cheated if you are providing the captcha value as plain text in a hidden field on the html.

You have to create the random string and save the value into a session, by doing this the value is not expose to the user and you can use it later for comparison.

Page Code

<?php 
session_start();
$captcha = $_SESSION['captcha'];
$error = '';
if (isset($_POST['submit'])){
  if (empty($_POST["strCaptcha"]) || $_POST["strCaptcha"] != $captcha) {
    $error = "strCaptcha is required";
   }
}
<form method="post" action="<?php echo $action; ?>" >
    <p><label><b>COA Number:</b></label><br>
    <input type="text" name="number" class="text"><br>
    <span style="color:red;"><?php echo $error; ?></span><br>
    <img src="image.php" id="captch" alt="This Is a CAPTCHA Image"><br>
    <label><b>Enter the text of the image above:</b></label><br>
    <input name="strCaptcha" type="text" class="text" value="" maxlength="5"><br><br>
    <input type="submit" class="awesome medium" name="submit" value="Verify Now"></p>
</form>

The image have to be generated on the server side.

Example not tested. image.php

<?php 
$n=5; 
function getName($n) { 
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; 
    $randomString = ''; 
    for ($i = 0; $i < $n; $i++) { 
        $index = rand(0, strlen($characters) - 1); 
        $randomString .= $characters[$index]; 
    } 
    return $randomString; 
} 


$str = getName($n);
session_start();
$_SESSION['captcha'] = $str;

// Generate image using the $str to create the image.
$im = imagecreate(100, 30);

// White background and blue text
$bg = imagecolorallocate($im, 255, 255, 255);
$textcolor = imagecolorallocate($im, 0, 0, 255);

// Write the string at the top left
imagestring($im, 5, 0, 0, $str, $textcolor);

// Output the image
header('Content-type: image/png');

imagepng($im);
imagedestroy($im);