PHP Life

May 25, 2006

How Graphical Security Code (CAPTCHA) works

Filed under: PHP, Programming — Eugene @ 5:12 pm

Some forums, guest books and services expect you to enter the characters or digits of a security code drawn on a nearby image (known as a CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart). The aim is to ensure that the message was typed by a human being and not by a spam robot. How is this actually implemented?

The algorithm is as follows:

  1. The page serving the message form generates a random code of characters/digits.
  2. The page contains an image that is actually a script. That script needs some way to learn the random code generated by the parent page, so that it can draw the code as an image.

I see two ways to pass the code to the script that displays the image:

  1. Using cookies. When the code is generated, the script writes it to the user’s cookies in encrypted form. So the generator script and the image script need to share a secret word to encrypt/decrypt the security code. The password must be stored in a configuration file and be available to both scripts. Why encrypt? Is base64_encode enough? The information is not secret, in fact; the aim is only to ensure a human being is present. I think it is enough just to keep the security code out of plain-text transfer. On the other hand, anybody can write a script that decodes base64 automatically.
  2. The same as above, but the code is transferred to the image script as a regular GET parameter. I think it is better than using cookies; I think it’s the right way. The security code is encrypted and cookies are not used. Great!

Looking at how other people have implemented this feature, they also encrypt the security code and use GET parameters. I think the second way is better if so many people use it.

Found a good PHP class to implement CAPTCHA: PEAR::Text_CAPTCHA
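The GET-parameter variant described above, as an added example that is not from the original post or from PEAR::Text_CAPTCHA: instead of bare base64 (which, as noted, any script can decode) or encryption alone, the page seals the random code into a token that is both encrypted and HMAC-authenticated, and the image script and the form handler open it with the same configured secret. It assumes PHP 7.1+ with the OpenSSL and GD extensions; `$secret`, the function names, the token layout and the image size are my own choices, not the post's.

```php
<?php
// Sealed-token CAPTCHA helpers (added example). $secret is the password from the
// config file; image.php gets the token via ?t=, the form via a hidden field.
const CAPTCHA_TTL   = 300;                                // token lifetime, seconds
const CAPTCHA_CHARS = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I confusion

function make_code(int $len = 6): string {
    $code = '';
    for ($i = 0; $i < $len; $i++) {
        $code .= substr(CAPTCHA_CHARS, random_int(0, strlen(CAPTCHA_CHARS) - 1), 1);
    }
    return $code;
}

// Encrypt "expiry:code" under one key and MAC iv+ciphertext under another, so a
// forged or altered parameter is rejected before anything is decrypted.
function seal_code(string $code, string $secret): string {
    [$ek, $mk] = [hash('sha256', "enc|$secret", true), hash('sha256', "mac|$secret", true)];
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt((time() + CAPTCHA_TTL) . ':' . $code, 'aes-256-cbc', $ek, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $mk, true);
    return strtr(base64_encode($iv . $ct . $mac), '+/', '-_');   // URL-safe alphabet
}

// Returns the code, or null if the token is malformed, tampered with or expired.
function open_code(string $token, string $secret): ?string {
    [$ek, $mk] = [hash('sha256', "enc|$secret", true), hash('sha256', "mac|$secret", true)];
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false || strlen($raw) < 64) return null;        // iv + 1 block + mac
    $iv = substr($raw, 0, 16); $ct = substr($raw, 16, -32); $mac = substr($raw, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $mk, true), $mac)) return null;
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $ek, OPENSSL_RAW_DATA, $iv);
    $parts = $plain === false ? [] : explode(':', $plain, 2);
    return (count($parts) === 2 && (int)$parts[0] >= time()) ? $parts[1] : null;
}

// Form handler: constant-time, case-insensitive check of what the user typed.
function check_answer(string $token, string $answer, string $secret): bool {
    $code = open_code($token, $secret);
    return $code !== null && hash_equals($code, strtoupper(trim($answer)));
}

// image.php: $code = open_code($_GET['t'] ?? '', $secret); then draw it with GD.
function render_code_png(string $code): void {
    $im = imagecreatetruecolor(120, 40);
    imagefill($im, 0, 0, imagecolorallocate($im, 255, 255, 255));
    imagestring($im, 5, 12, 12, $code, imagecolorallocate($im, 0, 0, 0));
    header('Content-Type: image/png');
    imagepng($im);
}
```

A solved token can be replayed until CAPTCHA_TTL elapses, so a site that wants one answer per token must also record used tokens server-side (for example in the session). The page should urlencode() the token when embedding it in the image URL and the hidden field.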
