<?php $code = substr(md5(mt_rand()),0,5); ?>
Verification: <input type='text' name='verification' size='18' maxlength='100' >
<img src='/image.php?randcode=<?php echo $code ?>' />
<input type=hidden name=code value=<?php echo $code ?> />
And when the form is submitted:
if ($_POST['code'] !== $_POST['verification'])
// some error handling that isn't good either
So: take an MD5 of a random number, take the first 5 characters, randomly generate a CAPTCHA image with those 5 characters, then send the plaintext code to the browser. Not that it matters, since the must-match-to value is sent back by the client.
The rest of the form isn't much better.
As for me? In Greasemonkey:
document.getElementsByName('verification')[0].value = document.getElementsByName('code')[0].value;
Go hacker me.
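An added example, not part of the original post or the site's code: one way to fix the flaw described above is to keep the expected answer in the server-side session, so neither the hidden field nor the image URL carries it and nothing the client sends back can supply it. The function names, alphabet and TTL are assumptions, and plain arrays stand in for $_SESSION and $_POST so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout. In a real page, pass $_SESSION and $_POST
// after session_start(); image.php would draw $_SESSION['captcha']['code'].
const CAPTCHA_TTL = 300; // seconds a challenge stays valid
const CAPTCHA_ALPHABET = 'abcdefghjkmnpqrstuvwxyz23456789'; // no 0/o, 1/i/l

/** Create a challenge; the answer is stored server-side only. */
function captcha_issue(array &$session, int $now, int $length = 5): string
{
    $code = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)]; // CSPRNG, not mt_rand()
    }
    $session['captcha'] = ['code' => $code, 'expires' => $now + CAPTCHA_TTL];
    return $code; // for the image renderer only, never written into the HTML
}

/** Check a submission; the stored answer is consumed on every attempt. */
function captcha_verify(array &$session, array $post, int $now): bool
{
    $stored = $session['captcha'] ?? null;
    unset($session['captcha']); // single use, whether it passes or fails
    $answer = $post['verification'] ?? null;
    if (!is_array($stored) || !is_string($answer) || $now > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['code'], strtolower(trim($answer)));
}

// Constructed demo: arrays stand in for $_SESSION and $_POST.
$session = [];
$now = 1700000000;

// A client-supplied "code" field is ignored, so echoing it back proves nothing.
captcha_issue($session, $now);
$forged = ['code' => '00000', 'verification' => '00000'];
var_dump(captcha_verify($session, $forged, $now + 5));

// The correct answer passes once; replaying it needs a fresh challenge.
$code = captcha_issue($session, $now);
var_dump(captcha_verify($session, ['verification' => $code], $now + 5));
var_dump(captcha_verify($session, ['verification' => $code], $now + 6));
```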