Aug 11 2009

Create A Simple Captcha With PHP and GD

Everyone hates captchas. I know I do. It sucks but they are a necessary evil. Most captchas are difficult (sometimes impossible) to read and they will consistantly drive visitors from your site. I’ve been on sites where the captcha was so hard to decipher that I’ve never gone back.

During the development of a new site I was forced to create one of these evil entities. It was surprisingly simple and painless. The captcha that I outline here is very, very simple and should never be used in production without a fair amount of tweaking.

Having developed my site using php I naturally turned to the GD library.

Firstly I generated a random string to display on the captcha :

//generate a random alphanumeric string of a specific length
function gen_random_string($length) 
  $characters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWZYZ".
  $real_string_length = strlen($characters) - 1;
  { $string .= $characters[mt_rand(0, $real_string_length)]; }
  return $string;

//add to session array so other scripts can access it for the comparison
$_SESSION['image_text']= gen_random_string(8);

//split into character array - str_split only works in PHP 5
$text_array = str_split($_SESSION['image_text']);

Now that I have my string I need to create the image. Make sure that GD is installed on your php apache server.

//create the image with a background image
$NewImage =imagecreatefrompng("bg1.png");
$cntr = 0;
foreach($text_array as $letter)
  //generate a random color for each letter
  $r = rand(0,200);
  $g = rand(0,200);
  $b = rand(0,200);
  $textcolor = imagecolorallocate($NewImage, $r, $g, $b);

  //random horizontal spacing
  $spacing = (rand(5,10)+($cntr*10));
  //add the character to the image
  imagestring($NewImage, 5, $spacing, rand(0,10), $letter, $textcolor);

The code above will generate a GD captcha image with random coloring and random horizontal and vertical spacing on top of a background image.
Now we just need to output it.

//output the headers than the image as a PNG
header('Content-type: image/png');
header('Cache-Control: max-age=0');
header('Expires: '.gmdate('r',time()-3600*24*365));

So if I called this file simple-captcha.php I could call it with this html:

<img id='captcha' name='captcha' src="simple-captcha.php">

Here is what it looks like :

This captcha can be strengthened by using other GD image functions such as imagefilledellipse and imageline to create artifacts in the background. It also helps to use different fonts and to change the angle of the letters.


Jul 1 2009

Decode Obfuscated WordPress Strings Which Use eval, gzinflate, And base64_decode.

I’ve been using wordpress for awhile and it seems that whenever I find a useful plugin or theme on the web the author always seems to embed some affiliate link or some other garbage on my main page. Usually they make sure that these links show up on every page and sometimes they even make other features of the software depend on it. Usually when I try to edit out the code it’s not as easy as removing an anchor or a bit of javascript. They always seem to obfuscate what they are doing as much as possible.

The most popular way to do this is to use a combination of gzinflate, base64_decodes, eval, and str_rot13. For most users this is really difficult to decode to figure out what is really going on. I wrote this function to hopefully make peoples lives easier (or harder, depending on who you are).
Usually the obfuscated code is written in the wordpress add-on like this :

$coded_string = "eval(gzinflate(base64_decode('FZfFDs..sdff/7nr/8B')));"

If your string looks like that then the function that follows should take decode it and return the html code pretty easily.

function decode_goofy_string($coded_string)
    $contents=preg_replace("/<\?|\?>/", "", $coded_string); 
    eval(preg_replace("/eval/", "\$coded_string=", $coded_string)); 
  return trim($coded_string);

This function is pretty straight forward but if anyone has any troubles then leave a comment or send me an email at


Jun 29 2009

WordPress Shortcode To Generate A TinyURL For Any Post

TinyURLs can be very useful when you have a long url to type into something like an iphone or some other mobile device where the keyboard is rather tedious. On a few of my sites I was looking for a way to automatically generate a tinyURL with the least amount of effort. Since I use wordpress for most of them I decided to go with a shortcode.

Shortcodes seem to be gaining a fair amount of attention in the wordpress community and with good reason. The Shortcode API, which was new in wordpress 2.5, is a simple set of functions for creating macro codes for use in your posts. Shortcodes are written by providing a handler function and they accept parameters too. Here is a wordpress shortcode to generate a tinyURL for a post.

//Generate Tiny URLS For A Post 
function get_tiny_url($arguments)
    $url = get_permalink($post->ID);
    $url = urlencode($arguments['url']);
      $tiny_url = ''.$url;
      $new_url = file_get_contents($tiny_url);
      $new_url = "Error";
    return $new_url;

add_shortcode('small_url', 'get_tiny_url');

If the url parameter is not defined then the function will attempt to use the wordpress function get_permalink($post->ID) which will return the current posts url. Also you can pass in a parameter if you want to show a tinyURL to another location. Using curl instead of file_get_contents would probably be faster but I didn’t want to make the example to long. The add_shortcode function is what tells the API to use the get_tiny_url function when it encounters the small_url shortcode. Note that this will call on the tinyurl api every page view so it would probably be prudent to set the tiny urls in the database so you only have to check once on a production site although I’m not sure if they expire or not.
This shortcode can be called in the post by typing :

[small_url]  // or
[small_url url='']


Jun 26 2009

Make Your PHP Faster

I was reading about some php performance tips at work today and decided to throw together some of the ways to make your php site faster.

Here’s a couple of short tips to avoid making your site lag for the user:

  1. Unset your variables. This frees up a surprising amount of memory
  2. Use memcache
  3. Turn on apache’s mod_deflate
  4. If your database is local then close your connections when you’re done with them
  5. If your database is remote then use persistant connections
  6. Don’t use functions inside of a for loop control expression unless absolutely necessary. Example :

    The some_big_calculation function will be called every iteration.
  7. Use string concatenation instead of embedding variables in strings.
    $some_string = "asdf $asdf2 asdf"; //bad
    $some_string = 'asdf '.$asdf2.' asdf'; //good
  8. When including files, use at least a relative path so PHP doesn’t have to look in the entire path.
    include("./some_file.php"); // looks in the current directory
    include("wrong.php"); // searches every directory in the path
  9. Try not to use include_once or require_once. They are more expensive and it really isn’t that hard to only include files once
  10. Not everything needs to be an object. There is a fair amount of overhead when doing everything OOP.
  11. Use output buffering to make everything seem faster.

Hopefully I didn’t miss any of the big ones.


Jun 22 2009

Update Twitter using Command Line, Javascript, Or PHP.

Everyone seems to be all about Twitter so here’s some simple examples of how to update your Twitter status from a command line prompt, web server or simple html web site. These three examples require curl so install it if you don’t already have it. For these examples I’ll be using my Twitter user name ‘codytaylor1234’. My password is not ‘mypassword’ so make sure you put in your own information.

The easiest way to update your Twitter account is to just call curl from the command line with this command.

curl --basic --user "codytaylor1234:mypassword" --data-ascii 
"status=This Twitter update brought to you by curl on the command line" 

To update your Twitter status with PHP you are going to want to do the same sort of thing but with a bit more typing.

$username = 'codytaylor1234';
$password = 'mypassword';

$update = 'This Twitter update is from a php script using curl';

$url = '';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "status=".$update);
curl_setopt($ch, CURLOPT_USERPWD, $username.":".$password);
$result = curl_exec($ch);

    echo 'success';


Since a cross-domain request in Javascript isn’t really an option we have to create a proxy using PHP in order to authenticate the user on the Twitter API. If anyone knows an easy way authenticate a Twitter user using only javascript I’d love to hear it. Anyway if we replace a small amount of code in the above example and put it in a file then we can use a simple ajax request to update our Twitter status. So the new PHP file would be:

$username = $_POST['username'];
$password = $_POST['password'];

$update = $_POST['update'];

$url = '';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "status=".$update);
curl_setopt($ch, CURLOPT_USERPWD, $username.":".$password);
$result = curl_exec($ch);


For this example I called that php file ‘twitter-update.php’. Now that we have our simple proxy we can update our twitter status with a simple html form and a little ajax. I used the prototype framework for my javascript.

<script src="includes/prototype.js" type="text/javascript">
<script type='text/javascript'>
function update_twitter()
  var param_string = "username="+$('username').value+"&password="+
  var options = {
    method: "post",
    parameters: param_string,
    onSuccess: function (xhr, Json) {
      alert("Response received successfully.");
    onFailure: function (xhr, Json) {
      alert("Request was unsuccessful.");
  var oRequest = new Ajax.Request("twitter-update.php", options);


Obviously this is for example purposes only and if you’re actually using it for production then you should edit it a lot. Now for the last little bit here’s the simple html form that starts it all.

User Name : <input type='text' id='username' value='codytaylor1234'><br>
Password  : <input type='password' id='password' value='mypassword'><br>
New Status : <input type='text' id='update' 
value='Twitter Update from html/javascript/php'><br>
<input type='button' value="Update Twitter" onclick='update_twitter();'>


Jun 20 2009

Get Integer Bit Parity In PHP

I was forced to use php to generate a cyclic redundancy check (CRC) byte earlier this week. When generating this CRC I needed to check the bit parity of a byte. At first I thought that there would be an example that I could just cut and paste into my code or a library including the function somewhere. I guess that most PHP users don’t really have to work with bits and bytes very often because I couldn’t find an example of doing this. Granted I didn’t really search that hard because writing it was pretty simple. But hopefully the next guy searching for this actually finds this example.

Most of the time we don’t really have to think about types in php. But if you’re dealing with this kind of thing then you usually want to know what you’re working with. This php function example will only work with integers and will return a value of -1 if the first parameter is not a number. The function returns 1 if the number of bits set in the number pased in is odd. Otherwise it will return 0. The second parameter defaults to 4 because that is the number of bytes in a normal php integer. In php if a number becomes larger than an integer can handle, which is called an overflow, it becomes a float. The default integer size is platform dependant but it’s usually 4 bytes. It can be set using the constant PHP_INT_SIZE if you need to change it.


function odd_parity($something,$number_of_bytes_to_check=4,$double_check=0)
    //test to make sure it's a number
    if(!is_numeric($something)) {return -1;}  

    $setbits = 0;

    //get the number of bits that are set
        if($something & (1<<$i)) $setbits++;

    //check if the number of bits set is even or odd   
    $result =  $setbits % 2;
    //spit out the results to double check it's working 
    echo   "<br>Parity of : ".$something." is ".
    $result." In Binary : ".decbin((int)$something).
    " Checking the right ".($number_of_bytes_to_check*8).
    " Bits";

    return $result;

//will return 0 because it's defaulting to 4 bytes
echo odd_parity(0x0100010001);  



Jun 17 2009

Generate A Tiny URL On The Fly With PHP

Uniform resource locators (URL) are starting to get very long and I’m getting sick of typing ridiculously long strings into safari on my iphone. I don’t really care about the extra bandwidth, It’s just annoying when you’re on the phone telling someone to go check out a 67 character long url and they mistype it three times.

I’ve just started using the tiny url service and so far it’s been useful. On one of my sites I wanted to generate a tiny url for each of my pages to make them quicker to type in and also so people don’t know what get variables I’ve set until they get there. Here is the PHP function that I used to generate a tiny url for every page on the site.

There doesn’t seem to be any documentation at all on the Tiny URL website about this so I’m not sure if it’ll change in the future.
This function passes your desired url to the api-create.php script on the tinyurl domain which returns a nice short url that isn’t a pain to put into your iphone.

function get_tiny_url($url)
  $new_url = file_get_contents(''.$url);
  return $new_url;

$tiny_url = get_tiny_url("");

Not much to it but it made my life easier.


Jun 15 2009

Checking Bits With PHP

PHP makes life a lot easier for quick or dirty maintenance scripts, cron jobs or web applications but how does it do for older, not so straight forward problems dealing with bits and bytes? I was surprised how easy it was to manipulate bits in a byte with php. Here is an function that made my life a fair amount easier when having to check for a specific bit in a byte.

This function checks whether a certain bit is set or not given a byte and an index. It returns true if the chosen bit is set. It casts the $value argument to a integer just in case. The index $n goes from left to right so the most significant bit is bit one and the least significant is bit eight. This function will only work for integers between 0 and 255 because that was all I needed at the time. It would be trivial to write either a function to separate bytes in an integer or to increase the amount of bits that this function checks. I originally had a different function here but the Internet quickly told me that there was an easier way to do this.


function check_bit($value,$n=8)
    $value = (int)$value;
    if($value & (1<<(8-$n))) { return true; }
    else { return false; }

//Check Bit Usage Example
$test_byte1 = "4";

if( check_bit($test_byte1,2))
  echo "Bit 2 is set in ".decbin($test_byte1);
  echo "Bit 2 is not set in ".decbin($test_byte1);


Here are the php bitwise operator definitions from the php documentation. Look like C much?

$a & $b And Bits that are set in both $a and $b are set.
$a | $b Or Bits that are set in either $a or $b are set.
$a ^ $b Xor Bits that are set in $a or $b but not both are set.
~ $a Not Bits that are set in $a are not set, and vice versa.
$a << $b Shift left Shift the bits of $a $b steps to the left (each step means “multiply by two”)
$a >> $b Shift right Shift the bits of $a $b steps to the right (each step means “divide by two”)

Jun 14 2009

Detect Bots By Parsing The User Agent With PHP

Because I’ve been starting to keep a closer eye on my traffic I’ve been logging everything to my databases. When writing reports for this information I noticed that there was huge amounts of traffic from bots. Yahoo, Google, MSN and many others have been hammering my sites quite a lot lately. Since I’m writing my reports in PHP I needed a quick little function to identify whether the visitor was real traffic or some machine scraping my site. I couldn’t find one after a few quick Google queries but the solution was trivial so I wrote my own. Hopefully this will save someone a few minutes. The function is as simple as possible and it seems to be working so far. I’ve been watching it for awhile and it hasn’t missed any yet. I’m assuming that it’s not going to catch everything but it would be nice to get most. Any bot user agent string suggestions would be helpful.

//returns 1 if the user agent is a bot
function is_bot($user_agent)
  //if no user agent is supplied then assume it's a bot
  if($user_agent == "")
    return 1;

  //array of bot strings to check for
  $bot_strings = Array(  "google",     "bot",
            "yahoo",     "spider",
            "archiver",   "curl",
            "python",     "nambu",
            "twitt",     "perl",
            "sphere",     "PEAR",
            "java",     "wordpress",
            "radian",     "crawl",
            "yandex",     "eventbox",
            "monitor",   "mechanize",
  foreach($bot_strings as $bot)
    if(strpos($user_agent,$bot) !== false)
    { return 1; }
  return 0;


Jun 10 2009

Match An IP Address To A Physical Location With PHP

Sometimes it’s useful to locate where a certain IP address is located. Usually this isn’t really that accurate but at least it gives you a general idea for stats or marketing research. I’ve written a simple php function that uses curl to query a IP address location database for the location info. In the function I specify that I want a JSON data structure containing the location information. I chose JSON over the XML alternative just for ease of use. The object that we get returned needs to be referenced in a specific kind of way. I show how under the function.
This function uses the IPInfoDB JSON php API. There are quite a few alternatives out there so feel free to do your research. The IPInfoDB PHP API returns :

  • Country Code (CA or US)
  • Country Name (Canada)
  • Region Code
  • Region Name (Province or Dtate)
  • City
  • Postalcode or Zip Code (which doesn’t always work)
  • Latitude
  • Longitude
  • gmt offset
  • Dst offset

function get_location_info($ip_address)
  $url = '';
  $url .= $ip_address;
        $url .= '&output=json';
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_HEADER, 0);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  $json_packet = curl_exec($ch);
  $location_array = json_decode($json_packet);


$loc_arr = get_location_info("");
echo "\n";
echo $loc_arr->{'City'};
echo "\n";
echo $loc_arr->{'RegionName'};
echo "\n";
echo $loc_arr->{'CountryCode'};

Hopefully theres no confusion there.