Cliquez sur l'image pour tester


Here is a small anti-robot test script created initially in 2014, developed in PHP, using tokens in text format, asking the user to copy a code displayed in an image.

Test concept:

This script is used to create a classic protection: when it is launched, a random code is generated and then copied into a single-use token saved on the server. Once the token has been saved, the HTML document is displayed. Then, this document loads an image, generated on demand, by sending an HTTP request to the server passing the unique identifier of the token in parameter.

In this way, the protection code is never included in "clear text" in the document, only the identifier of the token is, and it is impossible to know the code without viewing the image. This is how you perform the test, asking the user to copy the protection code in the associated text field and validate its action. The last step of the process compares the code sent to the one previously saved in the token, and then reacts according to the result.

The protection method used by this program, well known on the internet, is effective against spam and many robots. However, this is a basic script that will not protect a website against more sophisticated robots, able to interpret the characters displayed in an image. It is therefore quite suitable, in the state, to a site with a low or average audience, but will need to be improved and accompanied by other protection systems on sites with a high audience or undergoing many nuisances.

The program is distributed as a demo, in the hope that it will be useful, without any license or restriction. You can modify and redistribute it without restrictions.

Technical details

Token file management:

Each created token is saved as a text file containing the associated protection code. When a tested code is correct, the token file is automatically cleared from the server. The lifetime of a token is one hour, and unused tokens are automatically removed from the server.

Data protection:

The data backup folder is protected by an HTACCESS file that prevents any instrusion.

Use by HTTP request:

The script is suitable for use by HTTP requests. Thus, the program can be used by any program that has a connection to the server. The form provided with the script should allow you to understand how it works.


This program can be easily integrated into a site or script. For optimal protection, it is necessary to change the password of the HTPASSWD file by using a long password, containing numbers and letters, such as a Hash created by the SHA-256 algorithm.

If there is a problem with the image, make sure that the GD library is integrated with your version of PHP and that the address of the script used for HTTP requests is correct.


The script has a configuration file ("captcha-config.php") to modify certain options.


Creative Commons License

This document by Christophe Leblanc is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.