CAPTCHA validation

[eluser]someone [/eluser]
Hello,

I have created some form for inserting data into database and for checking if the data was sent from human I have used CAPTCHA which is already integrated to CI.

This is my controller:

Code:

$this->load->helper('captcha');
    
    $checkrules = array(
     'img_path' => realpath(APPPATH . '../upload/checking/img') . '/',
     'img_url' => base_url() . 'upload/checking/img/',
     'font_path' => realpath(APPPATH . '../upload/checking/font.ttf'),
     'img_width' => 150,
     'img_height' => 30,
     'expiration' => 7200
    );
    
    $check = create_captcha($checkrules);
    $data['checkimg'] = $check['image'];
          
    $this->form_validation->set_rules('name', 'Name', 'required|max_length[40]|xss_clean');
    $this->form_validation->set_rules('email', 'E-mail', 'required|valid_email|xss_clean');
    $this->form_validation->set_rules('website', 'Website', 'max_length[80]|prep_url|xss_clean');
    $this->form_validation->set_rules('comment', 'Comment', 'required|xss_clean');
    $this->form_validation->set_rules('check', 'Check', 'required|xss_clean');
          
    if ($this->form_validation->run() == FALSE)
    {
     $this->load->view('cms/theme', $data);
    }
    else
    {
     echo "success";
     $this->load->view('cms/theme', $data);
    }

My question now is what's the best way to validate CAPTCHA?
1.) Creating callback, which I have already done, but there was problem because when I send form is error with new CAPTCHA code.

2.) Inserting CAPTCHA's code into database and check from it. Problem is because there will be a lot of loading database and it will be very busy.

And second question. Is this CAPTCHA saving only .jpg pictures in folder or it can be any other format there? (I'm asking this because I want to delete this captcha's after they are used.)

Thanks in advance! :-)

[eluser]InsiteFX[/eluser]
CodeIgniter Users Guide - CAPTCHA Helper

See the Adding a Database section.

[eluser]someone [/eluser]
I'm trying to get this working, but for now it looks every CAPTCHA's code is right also in case if isn't.

What about database load - Everytime when I refresh page there is new insert into database and this is not very good, because this is news system and this captcha is under some article.

Is there any other way to validate CAPTCHA?

[eluser]InsiteFX[/eluser]
After you have verified the Captcha with the database record delete the database record!

I do not like Captcha's and most users do not like filling them in either!

If all you need is to check for bots etc, use two hidden fileds.
1) input email.
2) input url.

Check to make sure that the two fields are left empty.
If either of the two hidden fields get field in then it was a bot etc!

[eluser]someone [/eluser]
Ok.

Do I have to put hidden fields with hidden type or just text fields and then I hide them with div class?

EDIT: Do I have to secure those fields with xss_clean (when setting rules) or something?

[eluser]InsiteFX[/eluser]
1) Open your css stylesheet and add a new style class that suppresses the display of a particular class.
Add more for other form fields like email!

Code:

input.my-url {
    display: none;
}

2) Open your form and add a field named "my_url" near the submit button.

Code:

<input type="text" name="my_url" class="my-url" value="">

3) In your script which validates user input for the Contact form, evaluate the contents of $_POST['my_url']. It should be empty. The stylesheet should have suppressed display to humans, but a spam robot would most likely enter a value.

Code:

if( ! empty($this->input->post('my_url', TRUE)))
{
    // It must be an Will Smith iRobot!
}
else
{
    // The form was submited by a human.
}

You should always use xss_clean in form rules and input post data!