freeCap is a GPL CAPTCHA script to stop spam. It was written as a proof-of-concept at a time when there were really no other good PHP captcha scripts around (2005). For a long time I think it’s not untrue to say freeCap was the best PHP CAPTCHA there was.
To be perfectly honest, these days I would recommend you try reCAPTCHA first. freeCap does still do the job perfectly well, but the reCAPTCHA guys can provide better support than I.
Still, freeCap might be the solution for you if you want to be able to have more control over how the CAPTCHA works and is displayed. There are a whole load of tweakable options: multiple GD fonts, colours, backgrounds, obfuscation options etc. And the code is pretty good too if you’re just interested in PHP image processing. Still interested? Read on!
It does require some knowledge of PHP to install, though there are several plugins for forum and blog software listed below.
freeCap also focusses on the security of the implementation. I wrote an article about CAPTCHA implmentation vulnerabilities which was cited by W3. A lot of CAPTCHAs are relatively secure against OCR attacks, but fail to account for other attacks, such as session re-use and the insecurities of shared hosting.
freeCap can output as JPG, PNG or GIF, has brute force protection, is open source and is totally self-contained – no need for SQL databases, PEAR, or anything beyond PHP and GD! I hope you like it :-)
freeCap PHP CAPTCHA Version 1.4.1
-optional sha1 / md5 / crc32 hash in server session
-3 different randomly generated background types: grid, squiggles, image blocks (or blank) – see the demo!
-multiple font/colour support
-htaccess protected dictionary, fonts and backgrounds
-shared server security further enhanced
-user definable text fading
-automatic random number seeding for older PHP versions
At the moment, freeCap does not include installation instructions, but it does come with a simple sample from which you should be able to integrate the CAPTCHA with your PHP enabled website.
Requirements:
PHP 4.01+
GDlib any version (for gif support, any except 1.06)
Runs on both linux and windows platforms.
Known Issues:
You might get E_NOTICE errors – check out the support page for more info, or to report other bugs. I’ll try to help out if I can :-)
Comments/Questions about this PHP CAPTCHA script?
I now have a dedicated page for freeCap support. This is the place to look if you are having trouble installing freeCap. General comments can be made below.
Who Uses freeCap?
See my list of freeCap users, it includes Oxford University, Apple, The Goverment of Nepal and hundreds more.
freeCap Plugins exist for the following software:
mambo/joomla CMS (via this plugin or this Joomla! 1.5 Plugin)
phpBB (via this plugin)
WikkaWiki
Typo3 CMS – now with audio!
bBlog, (via these instructions).
WackoWiki
Open Concepts Bulletin Board
What is a CAPTCHA anyway?
A CAPTCHA is a special image that serves as a guard against comment spam. Automated programs scan millions of websites looking for phrases like “add your comment” and “sign my guestbook”, and try to add spam messages advertising various products to those pages. By asking users to type a word in an image, this type of spam can be prevented – programs cannot read text in images.
Thanks To:
Everyone who uses freeCap, and especially those who link to me.
Also:
sam.zoy.org/pwntcha/
ocr-research.org.ua
for OCR security testing and general CAPTCHA feedback.
Why should I use a CAPTCHA?
Ideally, you shouldn’t. If you’re not being spammed then I would recommend that you don’t put a captcha in place – they are annoying for users and they are generally not accessible to partially sighted users.
If you *are* being spammed then I suggest first of all that you rename all your form variables. That might hold them off for a while, it might possibly stop the spam altogether.
Then, add a hidden field that’s filled in via javascript with a certain value, and check for that value serverside. If it’s not there, the data is either spam or from a non-JS client. You can either drop the data entirely, or save it somewhere for further review. This is the approach I take on a few of my other websites, and it seems to do well – of course it won’t stop a determined attacker, but most spammers are looking for the low hanging fruit only.
To me, the bottom line is that a CAPTCHA is a last resort. It’s an ugly solution to an ugly problem.
Want to join the fight against spam?
Take a look at this spam wiki – some very cool stuff going on there ;)
#1 by gewthen on June 1, 2009 - 10:56 AM
Uh… why are there files beginning with a periods. Are you aware that such files have specific meaning in UNIX environments (e.g. settings files mainly) ? Just use a directory to store the images.
#2 by user24 on June 1, 2009 - 10:45 PM
Yes, they’re intentionally named like that. Under apache, any files starting with “.ht” are by default hidden in directory listings and prevented from being accessed via the web – only “.htaccess” and “.htpasswd” are special settings files (perhaps a few others). freecap’s files absolutely will not interfere with the smooth running of the web server.
They’ve been named like that so that attackers cannot download the font files, dictionary and background images. If they were able to do so, it would greater aid any attack on the captcha.
I didn’t just put them in a directory with a .htaccess because not all servers support .htaccess (even apache ones), but most servers (even non-apache ones) hide files starting “.ht”
Hope that explains it.
#3 by brekeke on October 28, 2009 - 2:00 PM
hello, thank you very much for this, I’m going to use it for one of my projects.
#4 by DKL Corporation on September 8, 2009 - 1:56 AM
hi all
we like this captch code is u creted
Thanx & Regards,
DKL GROUP OF iNDIA!.
DHARAM MALiYA!
#5 by RS on June 22, 2009 - 9:31 PM
Not mentioned how to use
#6 by Aleksey on August 2, 2009 - 9:01 AM
I will use you’r captcha for phpbb forum. Just wanna say, THANK YOU and GOOD LUCK!
P.S. Funny comments in code =)
#7 by Roger on September 30, 2009 - 9:22 PM
firs of all thanks for the script,
any instructions how to update it from 1.4?
#8 by iren on November 2, 2009 - 7:10 PM
i miss you . . ..
#9 by iren on November 2, 2009 - 7:12 PM
apa harus pake bhs inggris yah ?
#10 by Daniel on November 15, 2009 - 9:54 PM
Hi, I just installed the folder and the image says “service no longer available”, have you cancelled this service or how do I interpret this?
#11 by Daniel on November 16, 2009 - 3:47 PM
noticed this only happens in Internet Explorer 8…
#12 by Rich on November 19, 2009 - 10:47 AM
hi there, i’m relatively new to web design and have managed to use cgi script forms but are one of the safest forms to create these captcha forms? or maybe some kind of validation forms where it asks a question, like 5+5=? if you could offer any advice i’d much appreciate it? cheers!
#13 by Kristian Hildebrandt on November 22, 2009 - 5:12 AM
I am looking to create my first bot with php+curl, this post was really helpful, thanks a lot.
#14 by nick on December 10, 2009 - 2:49 AM
Thanks for your tips, very useful.
I especially like the simplicity of the javascript populated variable and putting those comments/entries somewhere else for analysis. It’s something that I have just done and is working well.
#15 by Robert on December 27, 2009 - 9:03 AM
What would you recommend for a small classic ASP solution? I am looking at the tipstricks version – is it still vunerable?
#16 by Squire on December 28, 2009 - 4:41 PM
Seems to me that the link to your list of people that use this script is broken. Just pointin’ it out. Fantastic script.
#17 by Lee on January 29, 2010 - 11:26 PM
Thanks for your insights. I will give recaptcha a go first. Thanks again.
#18 by sundar k on May 13, 2010 - 7:37 AM
request from captcha porject
#19 by prashanth on May 21, 2010 - 11:32 PM
I want to captcha breaking
#20 by Rico Chen on August 18, 2010 - 6:06 PM
Hi
I tried the newest version and it works great except I couldn’t find a way to make the words less distorted. Could you give some advices on how to do it? (I know I need to edit the file freecap.php but I haven’t found out which variable(s) or constant(s) to modify)
#21 by Rico Chen on August 19, 2010 - 4:47 AM
Never mind I found the answer from the support page. Thanks again for this great script.
#22 by Nicolas Medalla on August 19, 2010 - 10:07 PM
i’m using this script on my website, but when i run the script in localhost, i cannot see the image.
how or what configuration to show the image on the localhost.
#23 by Nicolas Medalla on August 19, 2010 - 10:09 PM
i already use the script and working online, but when i access the srcipt in localhost, i cannot see the image, can you help me solve this problem.