Wednesday, 28 December 2011

ASP: simple CAPTCHA method


I'm sure you know what CAPTCHAs are. They usually are not very welcomed when filling in a form, but the idea behind them is to at least reduce the possibility of automatic non-human procedures submitting the form itself. The main point is to recognise if who or what is submitting a request is really a human or not.

The solution I'm presenting here is very simple and it is not unbreakable. Infact, today we surely need a highly sophisticated CAPTCHA procedure in order to be completely sure of its effectiveness.
On the other hand, we can use the solution here presented whenever we need a little bit more security.
We are going to use ASP and GUIDs (Globally Unique Identifier).

Follow me, please.
A GUID is a 16-byte string which is unique. We have seen how to create unique identifiers with SQL, and today we are basically doing the same without SQL.
GUIDs are very useful and they can be used in various situations. For instance, we can  use them in order to create temporary folders on the server. Or maybe, when suggesting strong passwords in a registration form.
In our example we are going to use GUID in order to create an 8 characters long string to be used in a CAPTCHA system.

The ASP part
The asp part of the example is quite simple:
GUID = Server.CreateObject("Scriptlet.Typelib").GUID
GUID = Replace(GUID, "{", "")
GUID = Left(GUID, 8)
We basically create a GUID using the Scriptlet.Typelib object.
We then remove the { at the beginning of the resulting string.
Finally we consider only the first 8 characters (we can obviously decide to use longer or shorter CAPTCHAs... it's up to you).

In the form, we now need to show the CAPTCHA. In order to protect it a bit, we are going to show the GUID inside an input box which will be protected and disabled. That will prevent the possibility of selecting the text inside the input box.
<input name="guid" type="text" disabled id="guid" value="<%=GUID%>" size="8" maxlength="8" readonly="true">
Further considerations
It is clear that the above method can't be considered completely secure. It is no coincidence if advance CAPTCHA systems use images and not text. That is because, for example, text is easily readable from the code view of the page. Sophisticated (or not so much sophisticated) automated software can easily bypass such CAPTCHA systems, as you may understand.
So, please, consider the above as a very simple implementation of CAPTCHAs, and not a completely secure one.

If you've found other and possibly more secure CAPTCHA systems, please share your ideas using the comments section below.
In the meantime, have a splendid day.


  1. Hi Marco,

    you can also use reCAPTCHA from Google. Visit the link for more info:

  2. Thank you! I think that might interest others...


Comments are moderated. I apologize if I don't publish comments immediately.

However, I do answer to all the comments.