Unobtrusive Alternative to Captchas


web wheeler
12-21-2007, 02:44 AM
If you're like me, you probably find captchas annoying, difficult to read, and easily defeated by third world humans getting paid $2 a day to submit captcha protected forms.

I think I have an alternative which I would like some opinions on.

1. Create a table with one column.

2. Create a mathematical equation that takes one input variable and produces one output result. Something like ( output = 5 * input ) would probably be sufficient, where input is a randomly generated number.

3. Hide your input and output in a long string of numbers. For example, if input=4 and output=20, hide those numbers in a string like 5306482075 where only you know where they are.

Use this number as an input in your form:
<input type='hidden' name='key' value='5306482075' />

4. When the form is submitted, parse the key for the input and output, and verify using your equation, e.g. 20 = 5 * 4.

5. If the equation is false, exit the post.

6. If the equation is true, check your table for the key, and if the key is found, exit the post.

7. At this point, everything checks out, so post the form and store the key.

The above technique should make it very hard to guess or calculate keys, keys can not be reused, and the key table may be purged from time to time, or not.

No annoying captchas and no impact on the visually impaired.

Of course, there is the third world slave labor problem, and... hmmm, now that I think about it, an automated process could get the key and then submit the form.

Well, I guess I'll have to think about this some more! Any suggestions?
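As an added illustration of the seven-step scheme above (this is not code from the post; it is a Python sketch written for this thread), the following implements the key generation, the parse-and-verify step, and the one-column "used key" table. The multiplier, the key length and the two digit positions are assumptions chosen so that the post's own example key 5306482075 parses to input=4 and output=20; an in-memory set stands in for the database table. As the post itself notes, the check only rejects malformed and reused keys: a client that fetches the form first can still read the hidden field and submit it.

```python
import secrets

# Constructed parameters (assumptions for this example): the equation is
# output = MULTIPLIER * input, and the server alone knows the two offsets
# inside the KEY_LENGTH-digit string where input and output are hidden.
MULTIPLIER = 5
KEY_LENGTH = 10
INPUT_POS = 4        # one-digit input lives at this index
OUTPUT_POS = 6       # two-digit output lives at this index and the next


def generate_key() -> str:
    """Step 2 and 3: pick a random input, compute the output, and bury both
    in a string of random filler digits, e.g. 5306482075 for input=4."""
    x = secrets.randbelow(9) + 1                      # input in 1..9
    y = x * MULTIPLIER                                # output in 5..45
    digits = [str(secrets.randbelow(10)) for _ in range(KEY_LENGTH)]
    digits[INPUT_POS] = str(x)
    digits[OUTPUT_POS:OUTPUT_POS + 2] = list(f"{y:02d}")
    return "".join(digits)


def parse_key(key: str):
    """Step 4: pull input and output back out of the key.
    Returns (input, output) or None if the key is not even well formed."""
    if not isinstance(key, str) or len(key) != KEY_LENGTH or not key.isdigit():
        return None
    x = int(key[INPUT_POS])
    y = int(key[OUTPUT_POS:OUTPUT_POS + 2])
    return x, y


class KeyStore:
    """Step 1: the one-column table of keys that have already been posted.
    A set stands in for the database here (assumption for the example)."""

    def __init__(self) -> None:
        self.used = set()

    def accept_submission(self, key: str) -> bool:
        """Steps 4 to 7: verify the equation, reject reused keys, store the key."""
        parsed = parse_key(key)
        if parsed is None:
            return False
        x, y = parsed
        if y != x * MULTIPLIER:          # step 5: equation false -> exit the post
            return False
        if key in self.used:             # step 6: key already seen -> exit the post
            return False
        self.used.add(key)               # step 7: everything checks out, store it
        return True


if __name__ == "__main__":
    store = KeyStore()
    key = generate_key()
    print(key, store.accept_submission(key))   # fresh key -> True
    print(key, store.accept_submission(key))   # same key again -> False
```

The post's example key validates once and is then refused, and a key whose hidden output does not equal 5 times the hidden input is refused outright; that is the whole of the protection the scheme offers.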

Fang
12-21-2007, 04:00 AM
http://www.w3.org/TR/turingtest/

chrisranjana
12-21-2007, 04:13 AM
Captchas and Turing Test deter automatic form submissions at least to an extent, though not 100% foolproof.

web wheeler
12-21-2007, 11:31 PM
I found this information on a New York PHP Community website:

A) SHARED SECRETS:

Also referred to as one-time tokens or hashes, the idea is typically the same. You create a secret that is intended to only be known by the server and the legitimate user. Implementations vary widely but they share the characteristics of being transparent to your users and difficult to exploit.

One implementation would be to store the secret in the user's session:

session_start(); // the session must be started before $_SESSION can be written
$secret = md5(uniqid(rand(), true));
$_SESSION['secret'] = $secret;

This would then be used as a hidden form variable in the form:

<input type="hidden" name="secret" value="<?php echo htmlspecialchars($secret); ?>" />

Every time you display the form, you would regenerate this secret, so that the user always has a current, fresh, and correct secret.

The receiving page can check this by comparing the "secret" sent by the form with the "secret" that was stored in the corresponding session variable. You can improve the security of this method by restricting the timeout window rather than relying on the session timeout, which might be too large for your needs.

Although more elegant and compact, the above code looks similar, in principle, to the technique I posted, and I don't see why an automated submission system couldn't just get the key from the generated form, fill in its own data, and then post the form automatically.