code reader wrote: i didnt bother to mention it in my previous post, because i thought it is not material to the goal (producing a random string).
Of course thats the goal. Anything that can be perdicted makes a captcha weaker. Your code doesn't do replacement, so that means that the maximum combinations it can do for a 6 character code (the default in phpBB 2.0.x) is 1,168,675,200, while the current code generates a maximum combination space of 1,838,265,625. In short, you've just knocked out over 6.6 million combinations the captcha can come up with, and given a nice easy clue for the captcha breaker (along the lines of "If I've already used a character, I know that no other character can be this one").
Don't forget, half the battle in solving captcha's with a computer is to reduce the problem down to something easy. If you've limited yourself in any way (non-repeat, two colours, simple noise, fixed character position, set numbers of characters/numbers in an image (I've seen this one before!)), then you make it so much simpler to the attacker, much in the same way a password that is less than 7 characters is easy to break.
NeoThermic