Captcha does not work. I tested both (captcha, fr_freecap) and both send the form (and the mail of course) even when the captcha field is empty or with wrong letters in it. The reason is easy: the target in the action option of the form-tag is $data['requesturl']: the target page of the mailform (or thank you page). In my opinion this cannot work. When the captcha form is submitted the captcha code is never proofed because the form jumps to the thank you page.
#2 Updated by Peter Linzenkirchner over 7 years ago
OK, i was wrong - it works in a way ... :-) When i send the form with wrong captcha the captcha test fails but after submitting the form manually the following spam test results in "no spam" and the form is processed. When i send the form with wrong captcha as spam, the captcha test fails and the following spam test results in "is spam" and redirects me to the captcha form. That is correct behavior.
But i think it is a kind of a usabilty problem because the normal user would make the same experience as i - he thinks the captcha is broken. Perhaps it would a good idea to force the right captcha string - for instance with a permanent redirect to the captcha page until the correct captcha string ist given. It would be the behavior which every user would expect when he found himself in front of a captcha.