phpguru.org

Access your SSH accounts
with Windows Explorer...

TextualNumber

Ok ok, absolutely pants name, but hey, I'm a programmer not a marketing drone. Thankfully. Hmm. So. What is it? A class (PHP5 only kids) which converts numbers to words. Funky huh? And useful for what exactly? Well, how about preventing blog spam? Allow me to elaborate...

Ever since I read an article on the PEAR package Text_CAPTCHA, I've been thinking about potential methods for protecting forms from automated submissions. An example of where you wouldn't want this is the current problem of blog comment spam. Now, Text_CAPTCHA is a fine method for doing this, however when your website starts picking up traffic wise, then the extra load of dynamically generating an image for every form submission could become a problem.

There are, of course, ways around this. One possibililty is the use of a script to pregenerate a number of images and store them on disk, ready for use. This you could do either on a rolling basis, so that new images are continually being created as old ones are used up. Or you can generate a fixed, large amount of images and use them at random. The latter is more efficient, load wise, however you need to generate a lot of images to prevent brute force style attacks.

Still, not a particularly great solution IMO. There are other options. Figlet for example. This is a program for generating ASCII art style text, from normal ASCII text input. See:

shell> figlet php
       _           
 _ __ | |__  _ __  
| '_ \| '_ \| '_ \ 
| |_) | | | | |_) |
| .__/|_| |_| .__/ 
|_|         |_|

Very cute huh?

Now this would be perfect for preventing spammers and their automated scourge, as it would be very hard for a computer to interpret the output, especially when you factor in the various fonts available for the output. It would go a little something like this:

• Generate a random number.
• Store it in the session.
• Run the number through figlet (eg. $output = shell_exec("/usr/local/bin/figlet $num")).
• Print your form, along with an input which the user can use to type the number into. Don't forget to use <pre> tags around the figlet output, otherwise it won't just be robots which can't decipher it.
• When validating the form input, match the input from the form against the number stored in the session. If they match, fantastic, if not, re-display the form.

However (naturally...), I am unable to find a figlet library (libfig? :) ) which would be necessary to create a PHP extension (my C leaves a lot to be desired so creating one is, uh, not an option). Of course you don't need a PHP extension to be able to use figlet - you could quite conceivably use shell_exec() to run the figlet binary and capture the output, as above. Thing is, this forking of a new process will eventually cause performance issues on high traffic sites, just as dynamically generating CAPTCHA images would (though probably to a lesser extent).

So now we come to the purpose of this article. TextualNumbers. By using this library to convert a random number to its textual representation, you have another method of protecting yourself against automated form submissions. The process goes very much the same as above with figlet:

• Generate a random number.
• Store it in the session.
• Generate the textual representation using $text = TextualNumber::GetText($num). Alternatively you can use the Get() method, which generates a number for you and returns an array of the number and the text.
• Print your form, along with an input which the user can use to type the number into.
• When validating the form input, match the input from the form against the number stored in the session. If they match, fantastic, if not, re-display the form.

Example:

Obviously a little basic, but you get the general gist. If you want to see some sample output, try here. The advantage with this method is that no external program needs to be used, and no image needs to be generated, so it's fast. However it's not infallible. If you have a determined attacker, then it is entirely possible for them to reverse the process and convert the number back, however it's unlikely. Even so, you could use an obsfuscation technique to try and further prevent auto recognition:

• Double spacing of letters
• Insertion of newlines
• Random insertion of <span> tags with visibility and display CSS attributes set to hide them.

None of these techniques are particularly difficult to subvert, but hey, every little helps. Three things that should be noted also are that the conversion process uses the American style of suffixs. This means that a billion is classed as having nine zeros, a trillion 12 zeros, and so on. This is unfortunate, as it is mathematically incorrect, however as the code is aimed at people reading the text and typing in the number, it is desireable for the text to be compliant with what most people recognise, which happens to be the American style. Bummer. Secondly, I can imagine that people will have trouble converting textual versions of numbers to integers, so it's probably wise to stick to smaller numbers, eg 0 - 999,999.

Lastly, the range of the code, is -999999999999999999 to 999999999999999999. Though you could add decimals to that too I guess. If you need a number bigger than that, then bully for you. Though it is feasible to extend this range, quite simply.

Function Reference

You can get the code here.

That's it. Enjoy.

Excellent! Very Good Good Fair Poor

Comments