If the code is embedded in the audio filename, or as part of the HTML, the CAPTCHA itself is kinda useless to a serious attack. The attacker will simply read the code from the HTML/URL.

You need the secret code to never actually leave your server for it to stay secret.

That said, CAPTCHA can usually be broken by OCR by a serious attacker, though that takes a little longer than simply reading the code from HTML.

Presumably somebody somewhere could (or already has) hook up voice recognition to an audio CAPTCHA and defeat that as well.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
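
The design point in the message above, as an added example that is not part of the original post: the weak form puts the answer in the audio URL, while the hardened form hands the client only a random token and keeps the code in server-side state. The function names, the `/captcha/audio` paths and the `$store` array (a stand-in for something like `$_SESSION`) are assumptions made for illustration.

```php
<?php
// Added example; captcha_issue, captcha_verify, weak_audio_url and $store are hypothetical names.
// $store stands in for server-side state (e.g. $_SESSION) and is never sent to the client.

const CAPTCHA_TTL = 300;  // seconds a challenge stays valid
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';  // look-alike characters left out

// Weak form described in the post: the answer is readable from the URL in the HTML.
function weak_audio_url(string $code): string {
    return "/captcha/audio/{$code}.wav";
}

// Hardened form: generate the code, keep it server-side, return only an opaque token.
function captcha_issue(array &$store): string {
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, strlen(CAPTCHA_ALPHABET) - 1)];
    }
    $token = bin2hex(random_bytes(16));  // unrelated to the code, safe to put in a URL
    $store[$token] = ['code' => $code, 'expires' => time() + CAPTCHA_TTL];
    return $token;  // e.g. /captcha/audio.php?t=<token>; the script looks the code up itself
}

function captcha_verify(array &$store, string $token, string $answer): bool {
    if (!isset($store[$token])) {
        return false;  // unknown or already used token
    }
    $entry = $store[$token];
    unset($store[$token]);  // single use: one guess per challenge, no replay
    if ($entry['expires'] < time()) {
        return false;
    }
    return hash_equals($entry['code'], strtoupper(trim($answer)));
}

// Constructed demo: issue a challenge, then submit the right answer twice.
$store = [];
$token = captcha_issue($store);
$code = $store[$token]['code'];  // visible here only because the demo plays the server
var_dump(weak_audio_url($code));                  // the URL that leaks the answer
var_dump(captcha_verify($store, $token, $code));  // first submission
var_dump(captcha_verify($store, $token, $code));  // replay of the same token
```

This only keeps the code off the wire; it does nothing about the OCR or voice-recognition solving the message also mentions.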