Programming Alternative to Captcha on an ASP Web Form Using a Hidden Variable

Hands up who thinks “captcha”, an image-based challenge-response test meant to ensure a response is not generated by a computer, is a big pain in the butt and you’re sick and tired of seeing it in every web form. Not only is it obstructive, but most of the images are very difficult to decipher.

Well, an alternative to “captcha” is a well-placed hidden variable within the web form containing a random number. It doesn’t require user intervention, so it’s seamless, which means your customers are less annoyed. It acts as a simple redundancy check: the server can tell whether the form it receives is the one it served, and not a remote “page scrape” copy invoked from elsewhere. If the web form was submitted from a remote copy, which is how most “robot” processes operate, then the form is not processed.

The example form below is a simple “contact us” page that implements the hidden-variable redundancy check. Make sure that you insert your own code in the following comment block:

'**************************************************************************************
'* Insert code here to post the message
'* Eg. Insert message in a database or send message to your email address
'**************************************************************************************

Save the following code as contact.asp:

<%
  '**************************************************************************************
  '* Store the FORM PASSWORD session value in MESSAGE_PASSWORD variable
  '**************************************************************************************
  MESSAGE_PASSWORD = Session("FORM_PASSWORD")

  v_error = ""
  ' Request values arrive as strings, so compare against "1" rather than the number 1
  if Request("posted") = "1" then
    name = Request("name")
    email = Request("email")
    message = Request("message")

    ' Validate web form values
    if name = "" then
      v_error = v_error & "Please enter your name<br />"
    end if
    if validateEmail(email) = false then
      v_error = v_error & "Please enter a valid email address<br />"
    end if
    if message = "" then
      v_error = v_error & "Please enter your message<br />"
    end if

    if v_error = "" then

      ' The hidden field is named after the password itself, so it is looked up by that
      ' name (CStr makes sure the number is used as a field name, not a collection index).
      ' Guard the CInt conversions: a missing or non-numeric field, or an expired session
      ' (empty MESSAGE_PASSWORD), must simply fail the check instead of raising a type
      ' mismatch error. When the check fails the message is not posted.
      if Len(MESSAGE_PASSWORD) > 0 then
        if IsNumeric(Request(CStr(MESSAGE_PASSWORD))) then
          if CInt(Request(CStr(MESSAGE_PASSWORD))) = CInt(MESSAGE_PASSWORD) then
            '**************************************************************************************
            '* Insert code here to post the message
            '* Eg. Insert message in a database or send message to your email address
            '**************************************************************************************

            Response.write "Your message was sent to us successfully. We will respond to you within 24 hours of receiving this message."
            message = ""
          end if
        end if
      end if
    end if
  else
    '**************************************************************************************
    '* Generate new FORM PASSWORD value and store it in session variable
    '**************************************************************************************
    Session("FORM_PASSWORD") = randomNumber
    MESSAGE_PASSWORD = Session("FORM_PASSWORD")
  end if
%>
<h1>Contact Us</h1>
<p>Please enter your query in the message text area below</p>
<%
if v_error <> "" then
  Response.write v_error
end if
%>
<form action="contact.asp" method="post">
<table border="0" cellpadding="0" cellspacing="2">
  <tr>
    <td class="tdhead">name</td>
    <td class="spacer" />
    <td><input name="name" id="namefield" class="textbox" type="text" size="38" maxlength="50" value="<%= Server.HTMLEncode("" & name) %>" /></td>
  </tr>
  <tr>
    <td class="tdhead">email</td>
    <td class="spacer" />
    <td><input name="email" class="textbox" type="text" size="38" maxlength="50" value="<%= Server.HTMLEncode("" & email) %>" /></td>
  </tr>
  <tr>
    <td class="tdhead">message</td>
    <td class="spacer" />
    <td><textarea name="message" rows="5" cols="40" class="textbox"></textarea></td>
  </tr>
  <tr>
    <td colspan="2" />
    <td>
      <input type="hidden" name="posted" value="1" />
      <input type="hidden" name="<%= MESSAGE_PASSWORD %>" value="<%= MESSAGE_PASSWORD %>" />
      <input type="submit" value="Send Email" class="textbox2"  />
    </td>
  </tr>
</table>
</form>
<script type="text/javascript">
  // Put the cursor in the first field of the form
  if (document.forms.length > 0)
    if (document.forms[0].elements.length > 0)
      document.forms[0].elements[0].focus();
</script>

<%
'**************************************************************************************
'* Common functions
'**************************************************************************************

'**************************************************************************************
'* validateEmail
'* -------------------------------
'* Returns true if email is well formed, false otherwise
'**************************************************************************************
Function validateEmail(sCheckEmail)
  Dim sEmail, nAtLoc
  validateEmail = True
  sEmail = Trim(sCheckEmail)
  nAtLoc = InStr(1, sEmail, "@") 'Location of "@"

  If Not (nAtLoc > 1 And (InStrRev(sEmail, ".") > nAtLoc + 1)) Then
    '"@" must exist, and last "." in string must follow the "@"
    validateEmail = False
  ElseIf InStr(nAtLoc + 1, sEmail, "@") > nAtLoc Then
    'String can't have more than one "@"
    validateEmail = False
  ElseIf Mid(sEmail, nAtLoc + 1, 1) = "." Then
    'String can't have "." immediately following "@"
    validateEmail = False
  ElseIf InStr(1, Right(sEmail, 2), ".") > 0 Then
    'String must have at least a two-character top-level domain.
    validateEmail = False
  End If
End Function

'**************************************************************************************
'* randomNumber
'* -------------------------------
'* Generate random number
'**************************************************************************************
Function randomNumber
  Dim rndNum
  ' Seed the generator from the system timer
  Randomize timer
  ' Pick an integer in the range 0..3000
  rndNum = abs(int((rnd() * 3001)))
  ' Offset by the prime 53 so the result is non-negative and never zero (53..3053)
  rndNum = rndNum + 53
  randomNumber = rndNum
End Function
%>

Some comments about the code:

When the form is first requested, it generates a random number that acts as a form password.

    '**************************************************************************************
    '* Generate new FORM PASSWORD value and store it in session variable
    '**************************************************************************************
    Session("FORM_PASSWORD") = randomNumber
    MESSAGE_PASSWORD = Session("FORM_PASSWORD")

This password is stored both in a session variable and in the form as a hidden field whose name and value are both the password itself.

  '**************************************************************************************
  '* Store the FORM PASSWORD session value in MESSAGE_PASSWORD variable
  '**************************************************************************************
  MESSAGE_PASSWORD = Session("FORM_PASSWORD")

      <input type="hidden" name="<%= MESSAGE_PASSWORD %>" value="<%= MESSAGE_PASSWORD %>" />

When the form is submitted, the session value and the form value are compared, and if they match then the form is processed. Because the hidden field is named after the password, it is looked up by that name; if the field is missing or does not match, the message is not posted.

      if Len(MESSAGE_PASSWORD) > 0 then
        if IsNumeric(Request(CStr(MESSAGE_PASSWORD))) then
          if CInt(Request(CStr(MESSAGE_PASSWORD))) = CInt(MESSAGE_PASSWORD) then
            '**************************************************************************************
            '* Insert code here to post the message
            '* Eg. Insert message in a database or send message to your email address
            '**************************************************************************************

            Response.write "Your message was sent to us successfully. We will respond to you within 24 hours of receiving this message."
            message = ""
          end if
        end if
      end if
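The same session/hidden-field check as an added example in Python rather than the ASP from the post, written as framework-neutral functions over a session dict and a form dict (assumed stand-ins for Session and Request). It uses a random hex string from `secrets` instead of the page's `randomNumber`, a minimal `"@"` test in place of `validateEmail`, and rotates the password after a successful submission so a captured copy of the POST fails when replayed.

```python
import hmac
import secrets

SESSION_KEY = "FORM_PASSWORD"  # same session key the ASP page uses


def new_form_password(session):
    """Create a fresh form password and store it in the session (a dict here)."""
    # Assumption: a 128-bit hex string from a CSPRNG stands in for Rnd() * 3001 + 53.
    token = secrets.token_hex(16)
    session[SESSION_KEY] = token
    return token


def hidden_field(session):
    """Render the hidden input as the page does: name and value are both the password."""
    token = session.get(SESSION_KEY) or new_form_password(session)
    return f'<input type="hidden" name="{token}" value="{token}" />'


def form_password_ok(session, form):
    """True only if the submitted hidden field matches the copy held in the session."""
    expected = session.get(SESSION_KEY)
    if not expected:
        return False  # expired or never-issued session: reject instead of crashing
    submitted = form.get(expected)  # the field is *named* after the password
    if not isinstance(submitted, str):
        return False  # field absent, as with a remote copy of the form
    if not hmac.compare_digest(submitted, expected):
        return False
    new_form_password(session)  # rotate: a replayed copy of this POST now fails
    return True


def handle_contact_post(session, form):
    """Mirror contact.asp: validate the fields first, then run the redundancy check."""
    errors = []
    if not form.get("name", "").strip():
        errors.append("Please enter your name")
    if "@" not in form.get("email", ""):
        errors.append("Please enter a valid email address")
    if not form.get("message", "").strip():
        errors.append("Please enter your message")
    if errors:
        return "invalid", errors
    if not form_password_ok(session, form):
        return "rejected", []
    return "sent", []  # here the page would store or e-mail the message
```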

That’s it! Happy coding!