Sunday, February 22, 2009

How to replace the phpBB3 CAPTCHA

One of the best ways to protect your phpBB forum from spam bots is to replace the phpBB CAPTCHA with your own custom CAPTCHA that the bots haven't been trained to read. So, in this post I'm going to explain how to integrate your own image generator.

I won't be explaining how to actually write an image generator--there's plenty of PHP GD tutorials out there that can help you with that.

The way the CAPTCHA works in phpBB3 is that a code for the visitor is generated and stored in the database. The code can be retrieved based on the users session. phpBB3 can be left to handle this without our intereference, all we need to do is generate an image with that code in it.

The code for phpBB3 CAPTCHA image creator is in includes/captcha/captcha_gd.php and this file included just once from includes/ucp/ucp_confirm.php. So we simply need to create a new captcha file to replace the default one. I like to create my mods in their own folder so I created a /mods/captcha.php file.

Your custom captcha code needs to have the follow format:

class captcha {
 function execute($code, $seed)
   * Put your code here to create the $img resource
   * using $code for the code to display
   header('Content-Type: image/png');
   header('Cache-control: no-cache, no-store');

 * Create any other methods you like to generate the CAPTCHA image

The key with this code is that your class must be called captcha and it must have a method called execute() which displays the image. The execute() method must take two parameter, $code and $seed. The $code variable is the string you need to display in your image. The $seed is used by the original phpBB3 captcha class to seed a lot of the random values. You can use the $seed in your own code if you like, or ignore it, but you must accept it as a parameter for the execute() method. You can then write any other methods you might like to generate the image using the PHP GD library.

After you've saved the file:

Find: (hint: should be line 67)
include($phpbb_root_path . 'includes/captcha/captcha_gd.' . $phpEx);
Replace with:
//include($phpbb_root_path . 'includes/captcha/captcha_gd.' . $phpEx);
include($phpbb_root_path . 'mods/captcha.' . $phpEx);

And then you are done.


Anonymous said...

Has anyone considered doing a dynamic (moving) image?

microUgly said...

Like an animated CAPTCHA? That would actually help the spammers since you're proving them multiple versions of the same code in an animation. They could OCR each frame and compare the results to get a better idea of which is correct.

Peter Jaap said...

Thanks for this, helped me a lot!

I used the very customizable open source Securimage PHP class from for this.

For people wanting to implement this; be sure to give the $code to the Securimage class. The function drawWord() retrieves the code to be written from the variable $this->code.

The function createCode() sets this variable; be sure to populate this variable with the one that phpBB gives to the captcha class in upc_confirm.php.

My function eventually looked like this;



class captcha {
function execute($code, $seed)
$img = new Securimage();


Where NULL is the value Securimage() uses if you want to use a custom background image.

Hope this helps!

Post a Comment