07-03-2009, 03:42 AM
#6
Wizard
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Never let JavaScript even have a hand in any validation you don't want completely bypassed. Your method to send to the server and have it send back has two problems:
1. JavaScript on a page can be modified; they can change it to always return yes.
2. The HTTP call JavaScript makes can be intercepted (so it never actually gets out) and forged (so the script thinks it all worked).
I've never made a system that does this, but off the top of my head this is how I would do it:
1. Start.php
- Creates a row in the database with a random confirmation string. This row has another randomly generated ID string (called aID).
- Sets a hidden field with the value of aID.
- Calls image.php to generate an image with that associated ID.
- Has a text field to enter the string in.
2. image.jpg
- Actually a PHP script; mod_rewrite or server MIME types (telling the server to process the .jpg as a PHP file) are used to create this effect. aID will be in the GET data; it goes into the database and returns the image form of the string.
3. Process.php
- Takes the associated ID from the hidden form and compares its confirmation string to the user input. If they match, they are through; otherwise return the error.
Other tasks:
1. Delete unconfirmed rows that are more than 12 hours old.
2. Delete rapidly generated rows from a single IP or whatever method you use (not foolproof, would require additional storing).
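The server-side flow described in the post above (Start.php creates a row with a random confirmation string and a random aID, image.php looks the string up by aID, Process.php compares the stored string with the user's input, plus the 12-hour cleanup and per-IP rate limit), as an added example that is not code from the post. It is written in Python with an in-memory SQLite table rather than PHP so it can run stand-alone; the table layout, the 6-character alphabet, the rate-limit window of 5 challenges per IP per 60 seconds, and the choice to delete a row on every verification attempt (right or wrong, so the same image cannot be guessed at repeatedly) are assumptions of this example, not specified in the post. Rendering the string into an image is outside the example; `image_text` returns what image.php would hand to the image library.

```python
import hmac
import secrets
import sqlite3
import time

CAPTCHA_TTL = 12 * 60 * 60      # post: delete unconfirmed rows older than 12 hours
RATE_LIMIT_WINDOW = 60          # seconds (assumed value)
RATE_LIMIT_MAX = 5              # challenges per IP per window (assumed value)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I, which are easy to misread


def open_db():
    """One table: aID (primary key), the confirmation string, client IP, creation time."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE captcha (
               aid     TEXT PRIMARY KEY,
               answer  TEXT NOT NULL,
               ip      TEXT NOT NULL,
               created REAL NOT NULL)"""
    )
    return db


def cleanup(db, now=None):
    """Other task 1: delete unconfirmed rows more than CAPTCHA_TTL old. Returns rows removed."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM captcha WHERE created < ?", (now - CAPTCHA_TTL,))
    return cur.rowcount


def start(db, ip, now=None):
    """Start.php: make a random confirmation string and a random aID, store them,
    and return the aID that goes into the hidden form field. Returns None when the
    IP has exceeded the rate limit (other task 2)."""
    now = time.time() if now is None else now
    cleanup(db, now)
    recent = db.execute(
        "SELECT COUNT(*) FROM captcha WHERE ip = ? AND created > ?",
        (ip, now - RATE_LIMIT_WINDOW),
    ).fetchone()[0]
    if recent >= RATE_LIMIT_MAX:
        return None
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    aid = secrets.token_urlsafe(24)     # unguessable, so aID cannot be enumerated
    db.execute("INSERT INTO captcha VALUES (?, ?, ?, ?)", (aid, answer, ip, now))
    return aid


def image_text(db, aid, now=None):
    """image.php: given the aID from the GET data, return the string to render as an image.
    None for an unknown or expired aID (render an error image in that case)."""
    now = time.time() if now is None else now
    row = db.execute("SELECT answer, created FROM captcha WHERE aid = ?", (aid,)).fetchone()
    if row is None or now - row[1] > CAPTCHA_TTL:
        return None
    return row[0]


def process(db, aid, user_input, now=None):
    """Process.php: look up the row by the hidden aID and compare its confirmation
    string with what the user typed. All of the decision happens here, on the server;
    nothing the browser sent is trusted except as a guess to be checked."""
    now = time.time() if now is None else now
    row = db.execute("SELECT answer, created FROM captcha WHERE aid = ?", (aid,)).fetchone()
    # Assumed design choice: a challenge is single use whether or not the guess was
    # right, so a wrong answer cannot be retried against the same image.
    db.execute("DELETE FROM captcha WHERE aid = ?", (aid,))
    if row is None:
        return False
    answer, created = row
    if now - created > CAPTCHA_TTL:
        return False
    guess = user_input.strip().upper().encode()
    return hmac.compare_digest(answer.encode(), guess)   # constant-time comparison


if __name__ == "__main__":
    db = open_db()
    aid = start(db, "198.51.100.7")          # constructed client IP
    print("hidden field aID:", aid)
    print("image shows:", image_text(db, aid))
    print("wrong guess accepted?", process(db, aid, "nope"))
```

Note that the hidden field carries only the aID; the confirmation string never leaves the server except as pixels, so tampering with the form or the script buys the client nothing beyond another guess.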