Hands up who thinks “captcha”, an image-based challenge-response test to ensure a response is not generated by a computer, is a big pain in the butt and you’re sick and tired of seeing it in every web form. Not only is it obstructive but most of the images are very difficult to decipher.
Well, an alternative to “captcha” is a well-placed hidden variable within a web form containing a random number. It doesn’t require user intervention, so it’s seamless, which means your customers are less annoyed. It acts like a simple redundancy check which identifies whether the web form was submitted from the page this server issued, and not remotely invoked through a “page scrape” copy. If the web form was submitted from a remote copy, which is how most “robot” processes operate, then the form is not processed.
The example form below is a simple “contact us” page and it implements the hidden variable redundancy check. Make sure that you insert your own code in the following comment block:
'**************************************************************************************
'* Insert code here to post the message
'* Eg. Insert message in a database or send message to your email address
'**************************************************************************************
Save the following code as contact.asp:
<%
'**************************************************************************************
'* Store the FORM PASSWORD session value in MESSAGE_PASSWORD variable
'**************************************************************************************
MESSAGE_PASSWORD = Session("FORM_PASSWORD")
v_error = ""

If Request("posted") = "1" Then
    name = Request("name")
    email = Request("email")
    message = Request("message")

    ' Validate web form values
    If name = "" Then
        v_error = v_error & "Please enter your name<br />"
    End If
    If validateEmail(email) = False Then
        v_error = v_error & "Please enter a valid email address<br />"
    End If
    If message = "" Then
        v_error = v_error & "Please enter your message<br />"
    End If

    If v_error = "" Then
        ' An expired session leaves MESSAGE_PASSWORD empty and CInt("") would raise a
        ' type mismatch, so make sure both values are numeric before comparing them
        If MESSAGE_PASSWORD <> "" And IsNumeric(Request(MESSAGE_PASSWORD)) Then
            If CInt(Request(MESSAGE_PASSWORD)) = CInt(MESSAGE_PASSWORD) Then
                '**************************************************************************************
                '* Insert code here to post the message
                '* Eg. Insert message in a database or send message to your email address
                '**************************************************************************************
                Response.Write "Your message was sent to us successfully. We will respond to you within 24 hours of receiving this message."
                message = ""
            End If
        End If
        ' A missing or mismatched password means the post did not come from a form
        ' this server issued to this visitor, so the message is not processed
    End If
Else
    '**************************************************************************************
    '* Generate new FORM PASSWORD value and store it in session variable
    '**************************************************************************************
    Session("FORM_PASSWORD") = randomNumber
    MESSAGE_PASSWORD = Session("FORM_PASSWORD")
End If

' If the session expired while the visitor was typing, issue a fresh password
' so that the re-rendered form can still be submitted
If MESSAGE_PASSWORD = "" Then
    Session("FORM_PASSWORD") = randomNumber
    MESSAGE_PASSWORD = Session("FORM_PASSWORD")
End If
%>
<h1>Contact Us</h1>
<p>Please enter your query in the message text area below</p>
<%
If v_error <> "" Then
    Response.Write v_error
End If
%>
<form action="contact.asp" method="post">
<table border="0" cellpadding="0" cellspacing="2">
<tr>
<td class="tdhead">name</td>
<td class="spacer" />
<!-- Submitted values are HTML-encoded before being echoed back into the form -->
<td><input name="name" id="namefield" class="textbox" type="text" size="38" maxlength="50" value="<%= Server.HTMLEncode(name) %>" /></td>
</tr>
<tr>
<td class="tdhead">email</td>
<td class="spacer" />
<td><input name="email" class="textbox" type="text" size="38" maxlength="50" value="<%= Server.HTMLEncode(email) %>" /></td>
</tr>
<tr>
<td class="tdhead">message</td>
<td class="spacer" />
<td><textarea name="message" rows="5" cols="40" class="textbox"><%= Server.HTMLEncode(message) %></textarea></td>
</tr>
<tr>
<td colspan="2" />
<td>
<input type="hidden" name="posted" value="1" />
<input type="hidden" name="<%= MESSAGE_PASSWORD %>" value="<%= MESSAGE_PASSWORD %>" />
<input type="submit" value="Send Email" class="textbox2" />
</td>
</tr>
</table>
</form>
<script type="text/javascript">
// Put the cursor in the first field of the form
if (document.forms.length > 0)
    if (document.forms[0].elements.length > 0)
        document.forms[0].elements[0].focus();
</script>
<%
'**************************************************************************************
'* Common functions
'**************************************************************************************

'**************************************************************************************
'* validateEmail
'* -------------------------------
'* Returns true if email is well formed, false otherwise
'**************************************************************************************
Function validateEmail(sCheckEmail)
    Dim sEmail, nAtLoc
    validateEmail = True
    sEmail = Trim(sCheckEmail)
    nAtLoc = InStr(1, sEmail, "@")    ' Location of "@"
    If Not (nAtLoc > 1 And (InStrRev(sEmail, ".") > nAtLoc + 1)) Then
        ' "@" must exist, and last "." in string must follow the "@"
        validateEmail = False
    ElseIf InStr(nAtLoc + 1, sEmail, "@") > nAtLoc Then
        ' String can't have more than one "@"
        validateEmail = False
    ElseIf Mid(sEmail, nAtLoc + 1, 1) = "." Then
        ' String can't have "." immediately following "@"
        validateEmail = False
    ElseIf InStr(1, Right(sEmail, 2), ".") > 0 Then
        ' String must have at least a two-character top-level domain
        validateEmail = False
    End If
End Function

'**************************************************************************************
'* randomNumber
'* -------------------------------
'* Generate random number
'**************************************************************************************
Function randomNumber
    Dim rndNum
    Randomize Timer                    ' Seed the generator from the system timer
    rndNum = Abs(Int((Rnd() * 3001)))  ' Non-negative integer in the range 0..3000
    rndNum = rndNum + 53               ' Offset so the password is never 0 (range 53..3053)
    randomNumber = rndNum
End Function
%>
Some comments about the code:
When the form is first requested it generates a random number which acts like a form password.
'**************************************************************************************
'* Generate new FORM PASSWORD value and store it in session variable
'**************************************************************************************
Session("FORM_PASSWORD") = randomNumber
MESSAGE_PASSWORD = Session("FORM_PASSWORD")
This password is stored in a session variable and is also placed in the form as a hidden item whose name and value are both the password itself.
'**************************************************************************************
'* Store the FORM PASSWORD session value in MESSAGE_PASSWORD variable
'**************************************************************************************
MESSAGE_PASSWORD = Session("FORM_PASSWORD")

<input type="hidden" name="<%= MESSAGE_PASSWORD %>" value="<%= MESSAGE_PASSWORD %>" />
When the form is submitted, the session value and the form value are compared, and if they match then the form is processed.
' An expired session leaves MESSAGE_PASSWORD empty and CInt("") would raise a
' type mismatch, so make sure both values are numeric before comparing them
If MESSAGE_PASSWORD <> "" And IsNumeric(Request(MESSAGE_PASSWORD)) Then
    If CInt(Request(MESSAGE_PASSWORD)) = CInt(MESSAGE_PASSWORD) Then
        '**************************************************************************************
        '* Insert code here to post the message
        '* Eg. Insert message in a database or send message to your email address
        '**************************************************************************************
        Response.Write "Your message was sent to us successfully. We will respond to you within 24 hours of receiving this message."
        message = ""
    End If
End If
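The issue-and-compare exchange described in the three steps above, modelled in Python as an added example that is not part of the original page: render_form plays the GET that mints the form password and handle_post the POST that checks it against the session. It goes beyond the listing in two ways, both assumptions of the example: the password is a 128-bit token from secrets instead of a Rnd number in the range 53..3053, and it is consumed after a successful post so the same submission cannot be replayed.

```python
import hmac
import secrets

SESSION_KEY = "FORM_PASSWORD"   # same session slot the ASP page uses


def render_form(session: dict) -> dict:
    """GET contact.asp: mint a form password, store it in the visitor's session
    (a plain dict stands in for ASP Session) and return the hidden fields the
    page would emit. Assumption: a secrets token replaces the page's Rnd number."""
    token = secrets.token_hex(16)
    session[SESSION_KEY] = token
    # Page convention: the hidden field's name AND value are the password.
    return {"posted": "1", token: token}


def validate_email(email: str) -> bool:
    """Port of the page's validateEmail rules."""
    email = email.strip()
    at = email.find("@")
    if at < 1 or email.rfind(".") <= at + 1:
        return False            # "@" must exist and the last "." must follow it
    if "@" in email[at + 1:]:
        return False            # only one "@" allowed
    if email[at + 1] == ".":
        return False            # no "." immediately after "@"
    if "." in email[-2:]:
        return False            # top-level domain of at least two characters
    return True


def handle_post(session: dict, form: dict) -> tuple[bool, list[str]]:
    """POST contact.asp: field validation first, then the form-password check.
    Returns (accepted, error messages)."""
    errors = []
    if not form.get("name"):
        errors.append("Please enter your name")
    if not validate_email(form.get("email", "")):
        errors.append("Please enter a valid email address")
    if not form.get("message"):
        errors.append("Please enter your message")
    if errors:
        return False, errors
    expected = session.get(SESSION_KEY)
    # No token in the session (expired) or a field that does not match it: reject.
    if not expected or not hmac.compare_digest(
            form.get(expected, "").encode(), expected.encode()):
        return False, ["Form password missing or stale; reload the form"]
    session.pop(SESSION_KEY)   # assumption beyond the page: single use, no replay
    return True, []
```

Note what the check does and does not establish: it rejects a post whose hidden field does not match the token held in that visitor's session, but any client that first loads the form with cookies enabled receives a valid token, so it filters blind replays of a copied form rather than every automated submitter.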
That’s it! Happy coding!