« File uploading with PHPPut watermark on images using PHP »

Captcha image verification Posted in PHP Tutorials | 232 Comments
A good way to avoid automatic form submissions when creating a web form is to add some kind of verification. One of the best ways is to use an image verification, called also captcha. What it does is to dynamically create an image with a random string displayed on it. Then visitor is asked to type that string in a text field and once the form is submitted it checks if the string on the image matches the one inputted by the user. Because there is no easy way to read a text from an image (image recognition) this is a good way to protect your web forms from spammers.
For doing this CAPTCHA I would suggest using a session variable where you store the string generated and displayed on that dynamically generated image.

$text = rand(10000,99999);
$_SESSION["vercode"] = $text;
$height = 25;
$width = 65;

$image_p = imagecreate($width, $height);
$black = imagecolorallocate($image_p, 0, 0, 0);
$white = imagecolorallocate($image_p, 255, 255, 255);
$font_size = 14;

imagestring($image_p, $font_size, 5, 5, $text, $white);
imagejpeg($image_p, null, 80);

Save this code in a file called captcha.php. What this script does is to generate a random number from 10000 to 99999 and then assign it to $_SESSION['vercode']. Then it generates a 25x65 pixels image with black background and white text using size 14. So if you upload that captcha.php file on your web site and open http://www.site.com/captcha.php you will see an image displaying random integer. You will receive a new random integer every time you refresh that page.

Next we need to create our web form.

<form action="submit.php" method="post"> 
Comment: <textarea name="coment"></textarea><br>
Enter Code <img src="captcha.php"><input type="text" name="vercode" /><br>
<input type="submit" name="Submit" value="Submit" />

Above code will create a form with a single textarea box, randomly generated image using the captcha.php script and a text field where you will have to enter the verification code.

All we have to do now is to make the submit.php script which will check if the verification code you enter matches the one that has been randomly generated.

if ($_POST["vercode"] != $_SESSION["vercode"] OR $_SESSION["vercode"]=='') {
echo '<strong>Incorrect verification code.</strong><br>';
} else {
// add form data processing code here
echo '<strong>Verification successful.</strong><br>';

Do you know PHP / HTML / CSS / JS well?

Write tutorial on a topic you are good in and become a trusted PHP jabber! Share your experience with millions of other webmasters visiting our website. Contact us for more information how to become a contributor.

232 Replies to "Captcha image verification"

Elaine April 24, 2008 at 2:41 pm | Reply


This code works great, but one thing i would like it to do if anyone can tell me how to do this, i would like the error message to display next to the verification box instead of at the top of the page , is that possible?
Veselin: you need to have your form on PHP based web page and the verification to be on top of it and then print the error message where your box is. For a small fee we can make your contact form on PHP page and also make the message display next to the captcha box. Email us if you are interested.
qleyo April 18, 2008 at 2:33 pm | Reply


works perfectly! thanks a lot!
Hugh Brecher April 4, 2008 at 11:31 am | Reply


I would like to use the Captcha.php validation script for one of my forms. The form is here:

How much will you charge to do this for me and send me the
completed revised form by email attachment?

I would like it to show up very much the way that THIS form does.

Thanks, Hugh
can you send me a message that you receive when the form is submitted. It usually costs about $35 to add a captcha script and make the form on PHP page.
jon porter March 29, 2008 at 8:03 pm | Reply


OMG, thank you guys so much! I was working FOREVER to find a captcha script that was easy enough and was not impossible to read. THX!
Marian March 25, 2008 at 3:19 am | Reply


For igor (about session_start() [function.session-start]: error)

if (!preg_match("/^[0-9a-z]*$/i", session_id())) {
$error->handleError("WARN", "your ssid is expired");

// just try it.
Chafucosoft February 22, 2008 at 1:52 pm | Reply


great just what i was looking for !!! :D
igor February 20, 2008 at 12:34 am | Reply


otherwise it still works, but it gives me that message...
igor February 20, 2008 at 12:33 am | Reply


this is the error message that i'm getting for this line:


Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /web/sites/grinder/cornetta.com/captest/feedout.php:2) in /web/sites/grinder/cornetta.com/captest/feedout.php on line 3
Severo February 4, 2008 at 7:49 am | Reply


Try to make it larger and easier to read, and shorter.
li January 15, 2008 at 11:31 am | Reply


i think that code is really simple and very good,
i have implemented it on my site and it works.
the only thing i would like to do to reach perfection
is to be able to get the \"incorrect security code\" on the same page
of the form. like in your page .
it just add a red line above the text box.

please tell us how to do it.

Please be polite and helpful and do not spam or offend others. We promise you will be treated the same way.

Log in your free account or if you still haven't joined you can create your free account now.

Posting tip:
if you use code in your comments please put it in these tags [php], [sql], [css], [js]
PHP code example: [php] echo date("Y-m-d"); [/php]

Thank you,
~ PHPJabbers team ~