A possibility that was described neither here nor at How to store and verify digits chosen at random from a PIN/Password is this:

• Create a random salt of the same length as the seucrity code (here 11)
• Store the salt with the user
• for every char of the security code, replace the corresponding char of the salt with the char from the security code and hash it securely
• store these hashes with the user

Now you have to store the manageable quantity of n+1 fields for a security code of length n and can still verify single (position,char) tuples

What about using substr()?

substr("a35sfj9ksdf", 0, 1);

That would return 'a', the first character

substr("a35sfj9ksdf", 4, 1);

This would return 4, the 5th character

So something like please enter the $n character and use

substr("a35sfj9ksdf", $n-1, 1);

you can follow those steps,

1. store all your desired characters in an array

2. generate n (length of user code) number of random numbers where each number will represent a character of your array.

3. Then concat the new generated characters to make a string

4. Store the string using session and when ask from the user just match the user code with session

you can also make a simple captcha service using the similar way