Article:
  Securing Web Forms with PEAR's Text_CAPTCHA
Subject:   kill captcha text after form post
Date:   2005-11-19 10:40:28
From:   sullivat
You would probably want to take some kind of action against allowing the user to just hit refresh to resubmit the form, such as clearing out the captcha text in the session, or sending a redirect header after the form completes successfully.


As for visually-impaired users, there are some things you can do to make the form more accessible. If you want the HTML to validate, you do need an alt tag on that image, but I would just put something like "captcha text". I would also want to put a link to download a wav file of the captcha text being pronounced. I haven't tried making audio with php before, but if you have a festival on your machine you can probably access that through system functions to make the wav file.


And also, it's good practice to lock the file anytime you do an input/output operation to it to avoid race conditions. See http://php.net/flock