ramblings on PHP, SQL, the web, politics, ultimate frisbee and what else is on in my life

The observant of you ..

may have already noticed this. But I changed the CAPTCHA in my blog from the rather obnoxious and very hard to read image generated by the code I picked up from the PEAR::Text_CAPTCHA sample to a fairly simple math problem. It seems to hold off spam well for now. Expect the math problem to increase in difficulty once I get spam (or stupid comments) but for now all is well. Now even Wez should be able to solve it on first try :-)

I have also added an FSFE fellow button. I have actually been an FSFE fellow since LinuxTag this summer and I cannot stress enough how important the work of the FSFE is to ensure that open source can stand up to the closed source bullies surrounding us (or are we slowly surrounding them?).

In somewhat unrelated news I am now also starting to read "High Performance MySQL". Though it focuses on MySQL 4.x, it should still give me some more insights into MySQL. I should however also continue to read the "MySQL certification guide" and finish the "Oracle SQL tuning pocket guide" I recently picked up for 2 Euros at a local bookstore. So much to read that it's very nice that for a change I am also getting a DVD and CD from my wishlist by a nice German fellow PHP developer who wants to lure me into writing more documentation for LiveUser. I have already been a good boy and started on cleaning up the phpdoc comments in the LiveUser_Admin package. We will get there ..

Comments

Re: The observant of you ..

I like your idea for a simple math-based CAPTCHA. My blog site has been attacked with 20+ SPAM comments at a time, and I found PEAR's CAPTCHA system quite cumbersome.

I am thinking of / researching ideas for simpler CAPTCHAs. Chris Snyder's new PHP Security book from Apress has an interesting chapter that discusses 'cognitive CAPTCHAs'. In such a case, the user is shown four photos (say three babies and one duckling) and is asked to choose which picture does not fit with the rest.

I think that is an interesting idea for building a CAPTCHA system.

Re: The observant of you ..

The best thing about your math-based captcha is that it should be completely accessible for visually-impaired people.

I also like the idea of increasing the difficulty of the math equations; as long as you have explanatory text to go along with them, perhaps I'll finally be able to understand calculus :)

Other possibilities for throwing off the intelligent spam would be mixing digits and symbols with words representing numbers (like "add fifty to 9 hundred =").

Re: The observant of you ..

Indeed, I got in at first try; congratulations ;-)
This leads perfectly into my next minor gripe; the login took me back to your home page and not to the comments section that I wanted to comment on.

The danger with math equations is that you're discriminating against people with poor math skills.. whether that is a good thing or not in the context of your blog is up to your own sense of guilt ;-)

--Wez.

Re: The observant of you ..

As for the login taking you back to the front page: you are not the first one to report this, but I am unable to reproduce the issue :-(

I will talk to you on IRC to get a better understanding of what might be going wrong. A logout does throw you to the front page, but a login should not.

Re: The observant of you ..

I just noticed that I did not mention any details on the actual math problem. The idea was that I wanted something that is always double digit and that never rolls over to beyond ten when you add the last digits just to make things really simple.

  $int1 = rand(1, 5).rand(0, 5);
  $int2 = rand(1, 5).rand(0, 4);
  $_SESSION['passwd'] = (string)($int1 + $int2);

This way I can get nothing below 10 and nothing above 100. I can also never get a situation where someone needs to be able to add 4 to 7 or something like that. This should even let the bulk of the otherwise math-impaired people be able to solve the math problem.

Another captcha I could think of is a text randomizer where you require the person to pick out the verb or some other piece of the sentence. As an alternative to the math problem it would increase the possible choices for humans to identify themselves :-)

Re: The observant of you ..

Lukas, the numbers you pass to rand allow for 55 + 54, which equals 109 (higher than your desired maximum of 100).

$int1 = rand(1, 7) . rand(1, 8);
$int2 = rand(1, 9 - $int1[0]) . rand(1, 9 - $int1[1]);
$_SESSION['passwd'] = (string) ($int1 + $int2);

If I wrote this properly, you will have two 2-digit numbers (none of the digits are 0) whose sum is also a 2-digit number, and the user needn't worry about carrying.

I prefer simple math problems over image-based CAPTCHA because images either discriminate against the visually impaired or give the answer in the ALT attribute.
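Added example, not code from the blog or its commenters: a Python port of both PHP snippets from this thread (the original rand(1,5).rand(0,5) scheme and the no-carry fix above), with an exhaustive enumeration of every sum each scheme can produce, so the 109 maximum and the 22..99 range of the fix are checked rather than eyeballed. Python's randint stands in for PHP's rand; the question text and check_answer helper are assumptions.

```python
import random
import hmac
from itertools import product

# Added example (not the blog's code): Python port of the two PHP snippets in
# the comment thread, plus exhaustive enumeration of the sums each can produce.

def original_pair(rng=random):
    """Post's first scheme: rand(1,5).rand(0,5) + rand(1,5).rand(0,4)."""
    a = rng.randint(1, 5) * 10 + rng.randint(0, 5)
    b = rng.randint(1, 5) * 10 + rng.randint(0, 4)
    return a, b

def no_carry_pair(rng=random):
    """Commenter's fix: pick the second operand's digits so that each column
    sums to at most 9, so there is never a carry and the sum has two digits."""
    t1, u1 = rng.randint(1, 7), rng.randint(1, 8)
    t2, u2 = rng.randint(1, 9 - t1), rng.randint(1, 9 - u1)
    return t1 * 10 + u1, t2 * 10 + u2

def original_sums():
    """Every sum the original scheme can produce (exhaustive, not sampled)."""
    return {(t1 * 10 + u1) + (t2 * 10 + u2)
            for t1, u1, t2, u2 in product(range(1, 6), range(0, 6),
                                          range(1, 6), range(0, 5))}

def no_carry_sums():
    """Every sum the fixed scheme can produce; also proves no column carries."""
    sums = set()
    for t1, u1 in product(range(1, 8), range(1, 9)):
        for t2, u2 in product(range(1, 10 - t1), range(1, 10 - u1)):
            assert t1 + t2 <= 9 and u1 + u2 <= 9   # no carry in either column
            sums.add((t1 * 10 + u1) + (t2 * 10 + u2))
    return sums

def make_challenge(rng=random):
    """Question text (assumed wording) and the expected answer, kept as a
    string just like the PHP code's $_SESSION['passwd']."""
    a, b = no_carry_pair(rng)
    return f"What is {a} + {b}?", str(a + b)

def check_answer(expected, submitted):
    """Constant-time compare of the stored answer with the submitted text."""
    return hmac.compare_digest(expected.encode(), str(submitted).strip().encode())

if __name__ == "__main__":
    q, answer = make_challenge(random.Random(42))
    print(q, "->", answer)
    print("original max:", max(original_sums()), "fixed range:",
          min(no_carry_sums()), "-", max(no_carry_sums()))
```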

Re: The observant of you ..

Heh yeah indeed. I "fixed" the code just before I pasted it here and screwed up. I actually intended to just do 55 + 44 as the possible maximum.

Re: The observant of you ..

Sorry to ruin it for you:
http://www.stevenroddis.com.au/2006/10/11/breaking-text-based-captcha-is-easy/

Re: The observant of you ..

Of course it's easy. The entire point of using images was to require advanced OCR software. But for my little blog this measure has been sufficient. Do note that I use the same CAPTCHA on my wiki, where it is not sufficient. But I still get so little spam that it's not really a problem either.