12-25-2006, 08:07 PM
I was thinking the other day and just for the sake of not using sessions I was thinking you could md5() your captcha value and put it in a hidden form field, then md5() the user input and compare it. This would work no? I just wanted to make sure I wasnt over looking some easy way to get the captcha value.
12-25-2006, 08:29 PM
If this is just a straight md5 of the secret value, this would not be secure as you could just send back your own md5'ed value in the hidden field variable that matches the entered value.
However, if the secret value and the entered value are both "salted" by prepending or appending a nonsense string before performing the md5, then if the hidden field variable were replaced with a straight md5, it would not match the md5 of the entered value with the "salt" string applied.
12-25-2006, 10:09 PM
Ah. I knew I was forgetting something with the hidden form field. Thanks for your help that should work.