freeCap is a GPL CAPTCHA script to stop spam. It was written as a proof-of-concept at a time when there were really no other good PHP captcha scripts around (2005). For a long time I think it’s not untrue to say freeCap was the best PHP CAPTCHA there was.
To be perfectly honest, these days I would recommend you try reCAPTCHA first. freeCap does still do the job perfectly well, but the reCAPTCHA guys can provide better support than I.
Still, freeCap might be the solution for you if you want to be able to have more control over how the CAPTCHA works and is displayed. There are a whole load of tweakable options: multiple GD fonts, colours, backgrounds, obfuscation options etc. And the code is pretty good too if you’re just interested in PHP image processing. Still interested? Read on!
It does require some knowledge of PHP to install, though there are several plugins for forum and blog software listed below.
freeCap also focusses on the security of the implementation. I wrote an article about CAPTCHA implmentation vulnerabilities which was cited by W3. A lot of CAPTCHAs are relatively secure against OCR attacks, but fail to account for other attacks, such as session re-use and the insecurities of shared hosting.
freeCap can output as JPG, PNG or GIF, has brute force protection, is open source and is totally self-contained – no need for SQL databases, PEAR, or anything beyond PHP and GD! I hope you like it :-)
freeCap PHP CAPTCHA Version 1.4.1
-optional sha1 / md5 / crc32 hash in server session
-3 different randomly generated background types: grid, squiggles, image blocks (or blank) – see the demo!
-multiple font/colour support
-htaccess protected dictionary, fonts and backgrounds
-shared server security further enhanced
-user definable text fading
-automatic random number seeding for older PHP versions
At the moment, freeCap does not include installation instructions, but it does come with a simple sample from which you should be able to integrate the CAPTCHA with your PHP enabled website.
Requirements:
PHP 4.01+
GDlib any version (for gif support, any except 1.06)
Runs on both linux and windows platforms.
Known Issues:
You might get E_NOTICE errors – check out the support page for more info, or to report other bugs. I’ll try to help out if I can :-)
Comments/Questions about this PHP CAPTCHA script?
I now have a dedicated page for freeCap support. This is the place to look if you are having trouble installing freeCap. General comments can be made below.
Who Uses freeCap?
See my list of freeCap users, it includes Oxford University, Apple, The Goverment of Nepal and hundreds more.
freeCap Plugins exist for the following software:
mambo/joomla CMS (via this plugin or this Joomla! 1.5 Plugin)
phpBB (via this plugin)
WikkaWiki
Typo3 CMS – now with audio!
bBlog, (via these instructions).
WackoWiki
Open Concepts Bulletin Board
What is a CAPTCHA anyway?
A CAPTCHA is a special image that serves as a guard against comment spam. Automated programs scan millions of websites looking for phrases like “add your comment” and “sign my guestbook”, and try to add spam messages advertising various products to those pages. By asking users to type a word in an image, this type of spam can be prevented – programs cannot read text in images.
Thanks To:
Everyone who uses freeCap, and especially those who link to me.
Also:
sam.zoy.org/pwntcha/
ocr-research.org.ua
for OCR security testing and general CAPTCHA feedback.
Why should I use a CAPTCHA?
Ideally, you shouldn’t. If you’re not being spammed then I would recommend that you don’t put a captcha in place – they are annoying for users and they are generally not accessible to partially sighted users.
If you *are* being spammed then I suggest first of all that you rename all your form variables. That might hold them off for a while, it might possibly stop the spam altogether.
Then, add a hidden field that’s filled in via javascript with a certain value, and check for that value serverside. If it’s not there, the data is either spam or from a non-JS client. You can either drop the data entirely, or save it somewhere for further review. This is the approach I take on a few of my other websites, and it seems to do well – of course it won’t stop a determined attacker, but most spammers are looking for the low hanging fruit only.
To me, the bottom line is that a CAPTCHA is a last resort. It’s an ugly solution to an ugly problem.
Want to join the fight against spam?
Take a look at this spam wiki – some very cool stuff going on there ;)
#1 by gewthen on June 1, 2009 - 10:56 am
Uh… why are there files beginning with a periods. Are you aware that such files have specific meaning in UNIX environments (e.g. settings files mainly) ? Just use a directory to store the images.
#2 by user24 on June 1, 2009 - 10:45 pm
Yes, they’re intentionally named like that. Under apache, any files starting with “.ht” are by default hidden in directory listings and prevented from being accessed via the web – only “.htaccess” and “.htpasswd” are special settings files (perhaps a few others). freecap’s files absolutely will not interfere with the smooth running of the web server.
They’ve been named like that so that attackers cannot download the font files, dictionary and background images. If they were able to do so, it would greater aid any attack on the captcha.
I didn’t just put them in a directory with a .htaccess because not all servers support .htaccess (even apache ones), but most servers (even non-apache ones) hide files starting “.ht”
Hope that explains it.
#3 by brekeke on October 28, 2009 - 2:00 pm
hello, thank you very much for this, I’m going to use it for one of my projects.
#4 by DKL Corporation on September 8, 2009 - 1:56 am
hi all
we like this captch code is u creted
Thanx & Regards,
DKL GROUP OF iNDIA!.
DHARAM MALiYA!
#5 by RS on June 22, 2009 - 9:31 pm
Not mentioned how to use
#6 by wezwanie do zapłaty on January 23, 2012 - 5:45 pm
I think that this method isn’t working any more. I can hardly find any of this cpatcha type. On almost every website there is recaptcha witch is very hard to crack.
#7 by Aleksey on August 2, 2009 - 9:01 am
I will use you’r captcha for phpbb forum. Just wanna say, THANK YOU and GOOD LUCK!
P.S. Funny comments in code =)
#8 by Roger on September 30, 2009 - 9:22 pm
firs of all thanks for the script,
any instructions how to update it from 1.4?
#9 by iren on November 2, 2009 - 7:10 pm
i miss you . . ..
#10 by iren on November 2, 2009 - 7:12 pm
apa harus pake bhs inggris yah ?
#11 by Daniel on November 15, 2009 - 9:54 pm
Hi, I just installed the folder and the image says “service no longer available”, have you cancelled this service or how do I interpret this?
#12 by Daniel on November 16, 2009 - 3:47 pm
noticed this only happens in Internet Explorer 8…
#13 by Rich on November 19, 2009 - 10:47 am
hi there, i’m relatively new to web design and have managed to use cgi script forms but are one of the safest forms to create these captcha forms? or maybe some kind of validation forms where it asks a question, like 5+5=? if you could offer any advice i’d much appreciate it? cheers!
#14 by Kristian Hildebrandt on November 22, 2009 - 5:12 am
I am looking to create my first bot with php+curl, this post was really helpful, thanks a lot.
#15 by nick on December 10, 2009 - 2:49 am
Thanks for your tips, very useful.
I especially like the simplicity of the javascript populated variable and putting those comments/entries somewhere else for analysis. It’s something that I have just done and is working well.
#16 by Robert on December 27, 2009 - 9:03 am
What would you recommend for a small classic ASP solution? I am looking at the tipstricks version – is it still vunerable?
#17 by Squire on December 28, 2009 - 4:41 pm
Seems to me that the link to your list of people that use this script is broken. Just pointin’ it out. Fantastic script.
#18 by Lee on January 29, 2010 - 11:26 pm
Thanks for your insights. I will give recaptcha a go first. Thanks again.
#19 by Rico Chen on August 18, 2010 - 6:06 pm
Hi
I tried the newest version and it works great except I couldn’t find a way to make the words less distorted. Could you give some advices on how to do it? (I know I need to edit the file freecap.php but I haven’t found out which variable(s) or constant(s) to modify)
#20 by Rico Chen on August 19, 2010 - 4:47 am
Never mind I found the answer from the support page. Thanks again for this great script.
#21 by Nicolas Medalla on August 19, 2010 - 10:07 pm
i’m using this script on my website, but when i run the script in localhost, i cannot see the image.
how or what configuration to show the image on the localhost.
#22 by Nicolas Medalla on August 19, 2010 - 10:09 pm
i already use the script and working online, but when i access the srcipt in localhost, i cannot see the image, can you help me solve this problem.
#23 by Alex on November 15, 2010 - 5:49 am
We still use Typo3 4.1.x for some old projects and we need an older version of your captcha that is working with earlyer version. Where can I download it? At the TER is only the newest and that one before.
Tanks a lot!
#24 by güncel blog on February 4, 2011 - 9:13 am
vvery good,thanks
#25 by driver indir on February 4, 2011 - 9:15 am
tanhks
#26 by jen on March 24, 2011 - 5:47 am
Sorry, my last two notices are wrong. After freeCap start works stable with MODx I’ve returned values to ord($c_wid{8}) … ord($c_wid{11}) and deleted $y_pos declaration, and parser still silent
#27 by steph on March 31, 2011 - 12:21 pm
Hi ,
the script works perfectly online but not in localhost.
And i don’t found an answer.
Thanks
#28 by jen on March 31, 2011 - 1:37 pm
steph, probably you already have PHP 5.3 in your local server. In this case you should find the next string in freecap.php:
$word = ereg_replace(“[^a-z]“,””,$word);
and replace it with
$word = preg_replace(“/[^a-z]/”,””,$word);
Perhaps this will solve your problem.
Something wrong with comments processing here. My first comment (after #24) was missed and due to this fact the next one (#25 actually) become useless. #26 and #27 are duplicated.
#29 by Stuart on April 6, 2011 - 11:58 am
Just wanted to say thanks, i’m gonna have a go at implementing this on my site, been having awful trouble with spam recently
#30 by John Campbell on June 24, 2011 - 11:23 am
You ask Why should I use a CAPTCHA?. Unfortunately I don’t really think we have any choice these days. Robots and harvesting engines are totally indiscriminate and as they journey around the web they will seek to leave their mark wherever they can. It is simply a fact of life.
#31 by Emanuele on June 28, 2011 - 11:04 pm
There is a fantastic solution, just don’t use CAPTCHAs
http://keypic.com
#32 by NickG on September 8, 2011 - 9:54 am
Yours is a solution that I use across multiple websites now. I don’t like capcha’s, but they do seem to be a necessity to stop robots, etc. at a basic level. Having read your “Why should I use a CAPTCHA?” I may actually try turning off the captcha for a while and implementing your ideas to see what happens…
#33 by Abner on September 14, 2011 - 1:30 am
I came across your web site, i believe your blog is awsome, keep writing.
#34 by pakyoungers on September 27, 2011 - 1:54 pm
Can I reduce the size of image?
#35 by Pynk Nymphette on February 3, 2012 - 3:39 am
I am giving this a try right now. My knowledge of PHP is not the best, but I’m making progress. I want to make sure the evil internet robots don’t spam up my site. Thanks for this great tool.
#36 by daduvova on June 4, 2012 - 9:33 am
[url=http://ourtelangana.com/content/viagra-fast-delivery-no-doctors]viagra alternatives lateraled [/url]
[url=http://lifeinroughedge.com/content/overnight-amitriptyline-order]Amitriptyline bay CAUCE [/url]
[url=http://ourtelangana.com/content/soma-overnight-cod]buy soma online next day delivery welcoming [/url]
[url=http://abcpreachers.ning.com/profile/deraste4w]Acyclovir Online[/url]
[url=http://ourtelangana.com/content/overnight-tramadol-cod]overnight vets dogs tramadol force [/url]
[url=http://charlolatino.com/content/prednisone-buy-online-no-script]Prednisone without prescription Eugenia [/url]
[url=http://americanwoodworker.com/blogs/etetewas/archive/2012/05/31/100-mg-tramadol.aspx]extended release tramadol abuse of boards [/url]
[url=http://www.thingsthathurt.com/node/1129]buy online ultram without prescription pi;kju [/url]
[url=http://americanwoodworker.com/blogs/etetewas/archive/2012/05/31/cialis-overnight-no-consult.aspx]cialis generic canada states [/url]
[url=http://abcpreachers.ning.com/profile/berlaneed]Trazodone overnight delivery only Lindbergh [/url]
[url=http://lifeinroughedge.com/content/50-hcl-mg-tab-tramadol]50 hcl tramadol ultram 50mg disconnect [/url]
[url=http://www.youngpeoplefor.org/notices/123806]Amitriptyline overnight delivery stand [/url]
[url=http://www.youngpeoplefor.org/notices/123807]buy Doxycycline now Large [/url]
[url=http://www.englishbaby.com/findfriends/gallery/detail/1671954]tramadol otc xrvargwoodward [/url]