[nycphp-talk] capricious submission of forms

Dan Cech dcech at phpwerx.net
Tue Feb 13 13:37:26 EST 2007


Chris Shiflett wrote:
> Before anyone notes my hypocrisy, my blog requires people to indicate my
> first name in order to post a comment, and although I might adopt a
> better approach, at least this approach is accessible.

A simple, extensible and accessible continuation of this approach might
be implemented as follows:

Create a table with 4 columns:

challenge_id
questions
answer_match
times_used

This table would contain a list of questions, along with a preg_match
pattern for acceptable answers, and a count of how many times the
question has been used.

Select one of the x (a number greater than the maximum new challenges
added at any one time) least-used questions from the table at random and
present it to the user along with a text box for their answer.  Store
the challenge_id in the session.

When the form is submitted, check the answer against the regex and allow
or deny access as required.

Optionally, you could store the number of failed attempts and eliminate
questions which yield too many failures.  This would automatically
remove questions that are either too difficult for the average user, or
are getting hammered by spammers.

In this way it would be trivial to add new or more difficult challenges,
and if someone is hammering on the form they will continually get new
questions from the pool.

I haven't needed to implement this myself, but it does seem like
question/answer based challenges are a good approach.  This is mostly
because they don't suffer from the class breaks inherent in most
image-based captcha systems (once you crack the captcha algorithm you
can solve any captcha using that system), assuming you take the time to
add some questions which are unique to the individual instance of the
system.  And of course, they are fully accessible.

Dan
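The scheme Dan lays out, written up as an added example in PHP (not code from his post or from the list): the four-column table plus a failure counter, random choice among the x least-used questions, the challenge_id kept in the session, and the answer checked with preg_match. It assumes PDO with SQLite, and a plain array stands in for $_SESSION so it runs offline.

```php
<?php
// Added example, not code from the original post: the challenge pool described
// above, on its four columns plus a failure counter. Assumes PDO with SQLite;
// a plain array ($session) stands in for $_SESSION so it runs offline.
const POOL_SIZE    = 5;  // "x": pick at random among the x least-used questions
const MAX_FAILURES = 20; // a question failed this often drops out of the pool
function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE challenges (
        challenge_id INTEGER PRIMARY KEY, question TEXT NOT NULL,
        answer_match TEXT NOT NULL,            -- preg_match pattern for acceptable answers
        times_used INTEGER NOT NULL DEFAULT 0, times_failed INTEGER NOT NULL DEFAULT 0)');
}
function addChallenge(PDO $db, string $question, string $pattern): void {
    $db->prepare('INSERT INTO challenges (question, answer_match) VALUES (?, ?)')
       ->execute([$question, $pattern]);
}
// Pick one of the POOL_SIZE least-used live questions at random, count the use,
// and record in the session which challenge was issued.
function pickChallenge(PDO $db, array &$session): string {
    $st = $db->prepare('SELECT challenge_id, question FROM challenges
        WHERE times_failed < ? ORDER BY times_used ASC LIMIT ' . POOL_SIZE);
    $st->execute([MAX_FAILURES]);
    $pool = $st->fetchAll(PDO::FETCH_ASSOC);
    $row  = $pool[array_rand($pool)];
    $db->prepare('UPDATE challenges SET times_used = times_used + 1 WHERE challenge_id = ?')
       ->execute([$row['challenge_id']]);
    $session['challenge_id'] = (int) $row['challenge_id'];
    return $row['question'];
}
// Check the answer against the stored regex. The session entry is consumed
// either way, so a single issued challenge cannot be reused for many posts.
function checkAnswer(PDO $db, array &$session, string $answer): bool {
    if (!isset($session['challenge_id'])) { return false; } // nothing issued
    $id = $session['challenge_id'];
    unset($session['challenge_id']);
    $st = $db->prepare('SELECT answer_match FROM challenges WHERE challenge_id = ?');
    $st->execute([$id]);
    $pattern = $st->fetchColumn();
    if ($pattern !== false && preg_match($pattern, trim($answer)) === 1) { return true; }
    $db->prepare('UPDATE challenges SET times_failed = times_failed + 1 WHERE challenge_id = ?')
       ->execute([$id]);
    return false;
}
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
createSchema($db);
addChallenge($db, 'How many legs does a spider have?', '/^(8|eight)$/i');   // constructed
addChallenge($db, 'Type the word "comment" backwards.', '/^tnemmoc$/i');    // constructed
$session = [];
echo pickChallenge($db, $session), "\n";                   // render with the form
var_dump(checkAnswer($db, $session, $_POST['answer'] ?? '')); // run on submit
```

In a real handler, pass $_SESSION where $session is used and call pickChallenge when rendering the form and checkAnswer when processing it.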
