The author of Using PEAR’s Text_CAPTCHA to Secure Web Forms has published a small update that improves the conditional statement used to compare CAPTCHA phrases. This update can be found near the very end of the article, and the updated example follows:
```php
if (isset($_POST['captcha_phrase'], $_SESSION['captcha_phrase']) &&
    strlen($_SESSION['captcha_phrase']) > 0 &&
    $_POST['captcha_phrase'] === $_SESSION['captcha_phrase']) {
    /* Human */
} else {
    /* Computer */
}
```
If you have implemented Text_CAPTCHA using the previously published method to compare CAPTCHA phrases, a vulnerability exists when a user's session is not initialized: the stored phrase is then unset or empty, a case the earlier comparison did not guard against. It is recommended that you initialize $_SESSION['captcha_phrase'] to a random string and also apply this update to your code.
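The following is an added example, not code from the article or from PEAR's Text_CAPTCHA, that packages the updated conditional and the recommended session initialization as two small functions and exercises them against constructed request/session arrays. The function names and the sample arrays are assumptions for illustration; the article does not reproduce the earlier conditional, so the loose `==` comparison printed alongside is only a contrast showing why the `isset`, `strlen` and `===` checks matter (in PHP, `null == ''` is true while `null === ''` is false).

```php
<?php
// Added example (not from the original article or PEAR's Text_CAPTCHA).
// Function names and the simulated $post/$session arrays are assumptions.

// Initialise the session phrase to an unguessable random value, as the
// article recommends, so an uninitialised session can never match input.
function captcha_init_phrase(array &$session): string
{
    $session['captcha_phrase'] = bin2hex(random_bytes(16));
    return $session['captcha_phrase'];
}

// The updated comparison from the article as a reusable predicate:
// both values must exist (isset rejects null), the stored phrase must be
// non-empty, and the comparison is strict so no type juggling applies.
function captcha_phrase_matches(array $post, array $session): bool
{
    return isset($post['captcha_phrase'], $session['captcha_phrase'])
        && strlen($session['captcha_phrase']) > 0
        && $post['captcha_phrase'] === $session['captcha_phrase'];
}

// Constructed cases: [submitted $_POST-like array, $_SESSION-like array].
$cases = [
    'no session phrase, empty submission'    => [['captcha_phrase' => ''], []],
    'null session phrase, empty submission'  => [['captcha_phrase' => ''], ['captcha_phrase' => null]],
    'empty session phrase, empty submission' => [['captcha_phrase' => ''], ['captcha_phrase' => '']],
    'wrong phrase'                           => [['captcha_phrase' => 'abc'], ['captcha_phrase' => 'xyz']],
    'correct phrase'                         => [['captcha_phrase' => 'xyz'], ['captcha_phrase' => 'xyz']],
];

foreach ($cases as $label => [$post, $session]) {
    // Contrast only: a bare loose comparison treats null and '' as equal,
    // which is exactly what the three extra conditions above rule out.
    $loose = ($post['captcha_phrase'] ?? null) == ($session['captcha_phrase'] ?? null);
    printf("%-40s loose ==: %-5s  updated check: %s\n",
        $label,
        $loose ? 'true' : 'false',
        captcha_phrase_matches($post, $session) ? 'Human' : 'Computer');
}

// With the recommended initialisation the stored phrase is never empty,
// so the only way to be classified as Human is to submit it exactly.
$session = [];
$phrase = captcha_init_phrase($session);
printf("initialised session, exact phrase:    %s\n",
    captcha_phrase_matches(['captcha_phrase' => $phrase], $session) ? 'Human' : 'Computer');
printf("initialised session, empty submission: %s\n",
    captcha_phrase_matches(['captcha_phrase' => ''], $session) ? 'Human' : 'Computer');
```

Run with `php example.php` (PHP 7.1 or later for `random_bytes` and array destructuring in `foreach`). The first three constructed cases are the ones the update addresses: the loose comparison reports `true` for each of them, while the updated check returns "Computer"; only the "correct phrase" case and the exact-phrase submission against an initialised session return "Human".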
The author wishes to thank Ilia Alshanetsky and Stefan Esser for their assistance.