Text_CAPTCHA Article Updated

The author of "Using PEAR's Text_CAPTCHA to Secure Web Forms" has published a small update that improves the conditional statement used to compare CAPTCHA phrases. This update can be found near the very end of the article, and the updated example follows:

<?php

session_start();

if (isset($_POST['captcha_phrase'], $_SESSION['captcha_phrase']) &&
    strlen($_SESSION['captcha_phrase']) > 0 &&
    $_POST['captcha_phrase'] === $_SESSION['captcha_phrase'])
{
    /* Human */
}
else
{
    /* Computer */
}

?>

If you implemented Text_CAPTCHA using the previously published method of comparing CAPTCHA phrases, your code is vulnerable when a user's session has not been initialized. You should initialize $_SESSION['captcha_phrase'] to a random string and also apply this update to your code.
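The following is an added example, not code from the original article, showing both recommendations together and how the guards behave when the session holds no phrase. Plain arrays stand in for $_POST and $_SESSION, the function names are hypothetical, and captcha_unguarded() is a constructed loose comparison used only for contrast; it is not the article's previously published code.

```php
<?php
// Added example; arrays stand in for $_POST and $_SESSION so it runs from the CLI.

// Seed the session with an unguessable phrase, as the post recommends.
function captcha_init(array &$session): void
{
    if (!isset($session['captcha_phrase']) || $session['captcha_phrase'] === '') {
        $session['captcha_phrase'] = bin2hex(random_bytes(16)); // 32 hex chars
    }
}

// The updated comparison from the post, wrapped in a function.
function captcha_is_human(array $post, array $session): bool
{
    return isset($post['captcha_phrase'], $session['captcha_phrase'])
        && strlen($session['captcha_phrase']) > 0
        && $post['captcha_phrase'] === $session['captcha_phrase'];
}

// Constructed unguarded check (an assumption, NOT the article's earlier code).
function captcha_unguarded(array $post, array $session): bool
{
    return ($post['captcha_phrase'] ?? null) == ($session['captcha_phrase'] ?? null);
}

$seeded = [];
captcha_init($seeded);

// Constructed cases: [label, post data, session data]
$cases = [
    ['no session, no field',    [],                                              []],
    ['no session, empty field', ['captcha_phrase' => ''],                        []],
    ['seeded, empty field',     ['captcha_phrase' => ''],                        $seeded],
    ['seeded, correct phrase',  ['captcha_phrase' => $seeded['captcha_phrase']], $seeded],
];

foreach ($cases as [$label, $post, $session]) {
    printf("%-24s unguarded=%-5s updated=%s\n", $label,
        var_export(captcha_unguarded($post, $session), true),
        var_export(captcha_is_human($post, $session), true));
}
```

The example needs PHP 7.1 or later for random_bytes() and array destructuring in foreach.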

The author wishes to thank Ilia Alshanetsky and Stefan Esser for their assistance.