coldfusionJedi

<cfset showForm = true>
<cfparam name="form.name" default="">
<cfparam name="form.comments" default="">

<cfif isDefined("form.send")>
	<cfset errors = "">
	
	<cfif not len(trim(form.name))>
		<cfset errors = errors & "You must include your name.<br />">
	</cfif>

	<cfif not len(trim(form.comments))>
		<cfset errors = errors & "You must include your comments.<br />">
	</cfif>
		
	<cfif errors is "">
		<!--- do something here --->
		<cfset showForm = false>
	</cfif>
	
</cfif>

<cfif showForm>

	<cfoutput>
	<p>
	Please fill the form below.
	</p>
	
	<cfif isDefined("errors")>
	<p>
	<b>Correct these errors:<br />#errors#</b>
	</p>
	</cfif>
	
	<form action="#cgi.script_name#" method="post" >
	<table>
		<tr>
			<td>Name:</td>
			<td><input name="name" type="text" value="#form.name#"></td>
		</tr>
		<tr>
			<td>Comments:</td>
			<td><textarea name="comments">#form.comments#</textarea></td>
		</tr>
		<tr>
			<td> </td>
			<td><input type="submit" name="send" value="Send Comments"></td>
		</tr>
	</table>
	</form>
	</cfoutput>
	
<cfelse>

	<cfoutput>
	<p>
	Thank you for submitting your information, #form.name#. We really do care
	about your comments. Seriously. We care a lot.
	</p>
	</cfoutput>
	
</cfif>

<cfimage action="captcha" width="300" height="75" text="paris">

<cffunction name="makeRandomString" returnType="string" output="false">
	<cfset var chars = "23456789ABCDEFGHJKMNPQRS">
	<cfset var length = randRange(4,7)>
	<cfset var result = "">
	<cfset var i = "">
	<cfset var char = "">
	
	<cfscript>
	for(i=1; i <= length; i++) {
		char = mid(chars, randRange(1, len(chars)),1);
		result&=char;
	}
	</cfscript>
		
	<cfreturn result>
</cffunction>

<cfset captcha = makeRandomString()>
<input type="hidden" name="captchatext" value="#captcha#">

<cfset captcha = makeRandomString()>
<cfset captchaHash = hash(captcha)>

<tr>
	<td>Enter Text Below:</td>
	<td><input type="text" name="captcha"></td>
</tr>
<tr>
	<td colspan="2">
	<cfimage action="captcha" width="300" height="75" text="#captcha#">
	<input type="hidden" name="captchaHash" value="#captchaHash#">
	</td>
</tr>

<cfif hash(ucase(form.captcha)) neq form.captchaHash>
	<cfset errors = errors & "You did not enter the right text. Are you a spammer?<br />">
</cfif>

<cffunction name="makeRandomString" returnType="string" output="false">
	<cfset var chars = "23456789ABCDEFGHJKMNPQRS">
	<cfset var length = randRange(4,7)>
	<cfset var result = "">
	<cfset var i = "">
	<cfset var char = "">
	
	<cfscript>
	for(i=1; i <= length; i++) {
		char = mid(chars, randRange(1, len(chars)),1);
		result&=char;
	}
	</cfscript>
		
	<cfreturn result>
</cffunction>

<cfset showForm = true>
<cfparam name="form.name" default="">
<cfparam name="form.comments" default="">
<cfparam name="form.captcha" default="">
<cfparam name="form.captchaHash" default="">

<cfif isDefined("form.send")>
	<cfset errors = "">
	
	<cfif not len(trim(form.name))>
		<cfset errors = errors & "You must include your name.<br />">
	</cfif>

	<cfif not len(trim(form.comments))>
		<cfset errors = errors & "You must include your comments.<br />">
	</cfif>

	<cfif hash(ucase(form.captcha)) neq form.captchaHash>
		<cfset errors = errors & "You did not enter the right text. Are you a spammer?<br />">
	</cfif>
		
	<cfif errors is "">
		<!--- do something here --->
		<cfset showForm = false>
	</cfif>
	
</cfif>

<cfif showForm>

	<cfset captcha = makeRandomString()>
	<cfset captchaHash = hash(captcha)>

	<cfoutput>
	<p>
	Please fill the form below.
	</p>
	
	<cfif isDefined("errors")>
	<p>
	<b>Correct these errors:<br />#errors#</b>
	</p>
	</cfif>
	
	<form action="#cgi.script_name#" method="post" >
	<table>
		<tr>
			<td>Name:</td>
			<td><input name="name" type="text" value="#form.name#"></td>
		</tr>
		<tr>
			<td>Comments:</td>
			<td><textarea name="comments">#form.comments#</textarea></td>
		</tr>
		<tr>
			<td>Enter Text Below:</td>
			<td><input type="text" name="captcha"></td>
		</tr>
		<tr>
			<td colspan="2">
			<cfimage action="captcha" width="300" height="75" text="#captcha#">
			<input type="hidden" name="captchaHash" value="#captchaHash#">
			</td>
		</tr>		
		<tr>
			<td> </td>
			<td><input type="submit" name="send" value="Send Comments"></td>
		</tr>
	</table>
	</form>
	</cfoutput>
	
<cfelse>

	<cfoutput>
	<p>
	Thank you for submitting your information, #form.name#. We really do care
	about your comments. Seriously. We care a lot.
	</p>
	</cfoutput>
	
</cfif>

This entry was posted on Thursday, February 28, 2008 at 11:36 AM. It was filed in the following categories: ColdFusion. It has been viewed 8,536 times and has 50 comments.

TweetBacks

Comments

[Add Comment] [Subscribe to Comments]

• Comment 1 written by Will on 29 February 2008, at 7:32 AM

  

  Hey Ray, we are trying to use a CAPTCHA in our application but for various reason we are writing the file to a location before using it on screen. Most CF tags that give an option to display something or write to a destination, do one OR the other. It seems with cfimage and CAPTCHA, even if you specify a destination attribute it ALSO tries to write it to the browser. For example, if I put destination="c:\image.jpg", it writes the file to the c drive then renders <img src="c:\image.jpg"> in the final HTML. Not at all what I would expect from the documentation or past experience with other CF tags. Would you consider that normal behavior or a bug?

• Comment 2 written by Raymond Camden on 29 February 2008, at 8:18 AM

  

  Confirmed. You can fix this by wrapping the tag in cfsavecontent. That will suppress it. I'm filing a bug report now.

• Comment 3 written by Will on 29 February 2008, at 8:34 AM

  

  Thanks, Ray - for both the fix and filing the bug. You're a life saver!

• Comment 4 written by Bob on 6 May 2008, at 9:49 AM

  

  Very helpful.
  May I ask why you use the ucase function when validating in this line:
  
  <cfif hash(ucase(form.captcha)) neq form.captchaHash>
  
  Thanks.

• Comment 5 written by Raymond Camden on 6 May 2008, at 10:00 AM

  

  I've had issues with case and hashes before, so this just removes it.

• Comment 6 written by Nate on 8 May 2008, at 5:34 PM

  

  Occasionally the captcha image has an icon character in it, like a skull and crossbones or the international "rewind" symbol (like <<). Is there a way to restrict it to just numbers and letters? I don't expect my site users to know the hotkeys for dingbat symbols, etc. :-)
  
  I put an example up at http://www.centralscene.com/captcha/captcha.png (keyboard icon).
  
  Thanks for the great example, and the help!

• Comment 7 written by Raymond Camden on 9 May 2008, at 8:36 AM

  

  @Nate:
  
  You can control the text since - well - you have to. But what you are seeing is the font being one of the symbol fonts. CF's captcha support lets you specify fonts. I didn't do that in my example as I wanted the code to work on both Macs and Windows machines. In a real production environment you would want to specify a few fonts that you know folks can read.

• Comment 8 written by Eric on 9 August 2008, at 3:02 PM

  

  Working on adding this to my website, but I get an error on the random character generator script.
  
     <cfscript>
     for(i=1; i <= length; i++) {
        char = mid(chars, randRange(1, len(chars)),1);
        result&=char;
     }
     </cfscript>

• Comment 9 written by Raymond Camden on 9 August 2008, at 3:24 PM

  

  Eric - are you sure you are using CF8? What error do you get?

• Comment 10 written by Radek on 22 September 2008, at 5:53 PM

  

  Hi I tried this and it works great, the problem what I have is I have CF 7 and want to make it work but of course it is throwing an error about the cfscript, is there a way or something to make it workunder CF 7?

• Comment 11 written by Raymond Camden on 22 September 2008, at 7:58 PM

  

  Change the <= to lte.

• Comment 12 written by farshid on 13 October 2008, at 2:14 AM

  

  Thanks a lot Raymond,
  
  Your solution is very user friend and cool,
  
  Good luck in your life,

• Comment 13 written by Mike Pacella on 12 January 2009, at 1:12 PM

  

  Ray,
  
  Excellent post. I used a lot of your code as the basis for my captcha functionality.
  
  One comment, though. What about the problem of a user who submits 1 for your form.captcha field, and then the hash of 1, (which is c4ca4238a0b923820dcc509a6f75849b) for the form.captchaHash field? Way to easy to break that IMO.
  
  In order to fix this, one thing we've done is concatenated a secret suffix to the captcha text before hashing it. For example:
  
  Let the secretSuffix = "iHateRobots".
  Let the randomly generated string = "ABCDE";
  
  We would now hash ("ABCDEiHateRobots") and store that in the form.captchaHash field. When checking for validity simply:
  
  Let the user input = "ABCDE";
  
  Hash the userInput & secretSuffix, check against your form.captchaHash field, and this will protect you against that basic CAPTCHA bypass.
  
  With all of that having been said, this post is excellent and superbly captures the basics of creating a captcha. Nice job, and thanks again for the post!
  
  - Mike

• Comment 14 written by Raymond Camden on 12 January 2009, at 1:21 PM

  

  Mike, nope, that is precisely the biggest issue with my code here (and I think someone may have raised it already). What you are doing is referred to as adding a salt (I believe) and would be a smart idea. You could store that salt in the session which is another way to help block a robot as they will not (normally) have a session. You would want the salt to be random as well. Ie, onSessionStart, session.salt = random.

• Comment 15 written by Mike Pacella on 12 January 2009, at 3:08 PM

  

  Even better! Random session salt versus one globally concatenated suffix would work perfectly for us. So simple, yet so very powerful. Thanks again, and keep up the great posts!

• Comment 16 written by Beaglis on 14 January 2009, at 1:39 PM

  

  captcha doesn't display in Palm Blazer v4.5 (Treo 700p). Anybody have any experience with this issue?

• Comment 17 written by Beaglis on 14 January 2009, at 2:04 PM

  

  I found out the problem with Captcha and Blazer. CFimage generates a PNG file that has 'layers'. If I open the generated captcha image in photoshop and the 'flaten' the image and get rid of the layer and then re-save, then I can view the image in Blazer.
  
  Anyone know how to make CF generate a captcha png without layers? Or some workaround to this?
  
  Thanks.

• Comment 18 written by Beaglis on 14 January 2009, at 2:32 PM

  

  I found a workaround...
  
  I save the captcha to a destination (use cfsavecontent as mentioned above), then I convert the image format to jpg, then I display the image with IMG tag.
  
  Converting to JPG removes the layers.

• Comment 19 written by levensok on 21 January 2009, at 5:37 PM

  

  This was an excellent tutorial! I did have one problem with implementation. The captcha cfimage displays fine for about 5 minutes after restarting the app server, then intermittantly will not display unless the page is refreshed a bunch of times. Here's my example:
  
  http://v3.lightspeedvt.net/ebay_reg/register.cfm
  
  If you refresh the page a few time, the captcha image will by displayed and then broken seemingly at random.

• Comment 20 written by Raymond Camden on 21 January 2009, at 7:59 PM

  

  I wonder if it is a bad font? If you did not specify the fonts attribute, the font is going to be random. So maybe specify a font that works, and see if it works well 100% of the time.

• Comment 21 written by Andrew on 6 February 2009, at 6:47 AM

  

  Seems like 'levensok' gave up, example url does not have captcha on it any more.

• Comment 22 written by Geoff on 18 February 2009, at 6:14 PM

  

  In addition to the server side checks on the captcha you can use javascript on the client side to check it before allowing submission of the form. There are two hashing libraries for JS available, at least. I'm using SHA-256 in CF and the JS library that offers the same.
  
  This has the advantage of alerting the user before submission that they've got it wrong, which is less stressful than waiting for a response to find out and having the characters change all over again.
  
  It's not going to do much in the way of preventing brute force attacks etc as they'll be posting direct, but it does mitigate some of the negative effects on the user.

• Comment 23 written by Lucas Sá on 12 March 2009, at 4:11 PM

  

  I guess this is not a good method to block flooders. Indeed, it could block a spammer bot if the process doesn't start by a human. For example, if a man read a captcha, he (actually his robot) will be able to post as many things as he want (including in other resources that requires the same captcha), since the code has the Hash in a input hidden, so he could use the same hash (which he knows the captcha) for every post.
  
  A good solution would be save the hash in Session scope, but it has its limitations. It impedes the user to access two pages that requires captcha simultaneously, once the first captcha would be "nullified" by the second.
  
  In this case, I would suggest a mix between both solutions, creating an associative array (map, or a structure in the case of CF) of captchas generated for that user and store it in Session scope with the hash and the value of captchas. Also, put the hash in a hidden field as in this example and verify that hash in the "table" of captchas when user submits. If captcha matches the hash, delete its array register.

• Comment 24 written by Sam on 27 May 2009, at 5:46 AM

  

  Has anybody thought about taking this a step further with regards to accessibility?
  
  Standard captcha will cause problems for the blind and partially sighted. There is some good information about this on the W3C website;
  http://www.w3.org/TR/2005/NOTE-turingtest-20051123...
  
  Although these users make up a very small percentage of our visits, some websites need to incorporate alternatives to meet guidelines and to ensure nobody is excluded.
  
  I have not seen an example yet of anybody using text to speech with coldfusion.
  
  Your thoughts and ideas?

• Comment 25 written by Raymond Camden on 27 May 2009, at 7:19 AM

  

  There is a Java project, FreeTTS, that could work. I'm looking at this today.

• Comment 26 written by peters on 3 June 2009, at 8:45 AM

  

  Why dont we use encrypt and decrypt ?

• Comment 27 written by Ron on 12 June 2009, at 9:39 AM

  

  I am randomly getting an error when the page first loads.
  
  "Cannot find the config file. configFile=..."
  
  If you refresh the page, then it's fine, but its the initial load of the page.
  
  Other than that, great script!

• Comment 28 written by Raymond Camden on 12 June 2009, at 10:07 AM

  

  Um, what configFile? My demo here doesn't make use of it. Are you using my code here?

• Comment 29 written by Ron on 12 June 2009, at 10:26 AM

  

  Oh wow! Thanks. That made me go back and compare code. It's a leftover from the previous captcha script I was using before I found yours.
  
  Thanks for straightening me out.

• Comment 30 written by Sam on 15 June 2009, at 7:09 AM

  

  Ray,
  
  Did you have any success with the FreeTTS?

• Comment 31 written by Raymond Camden on 15 June 2009, at 8:30 AM

  

  Yep: http://www.coldfusionjedi.com/index.cfm/2009/5/29/...

• Comment 32 written by Jeff on 23 June 2009, at 9:49 PM

  

  Hey Ray,
  
  Thanks for the post. Works great!
  
  I find the captcha to always be legible but, is there a simple solution to provide a refresh link that doesn't clear the filled form fields?

• Comment 33 written by Sam on 24 June 2009, at 2:56 AM

  

  Hi Jeff,
  
  I use a JavaScript method;
  
  <a href="javascript:location.reload(false)">Refresh</a>
  
  You can see this in action here;
  
  http://www.stratford.gov.uk/labs/feedback/thickbox...
  
  Hope this helps!
  
  Sam.

• Comment 34 written by Sam on 24 June 2009, at 3:04 AM

  

  I've realised the method I described above will not work in IE... the location.reload acts just like a browser refresh and IE will clear out the form fields annoyingly!
  
  Thinking caps back on!

• Comment 35 written by Jeff on 24 June 2009, at 2:41 PM

  

  Thanks Sam! I have another question to all... Is there a simple way to add email validation to this form? I like the idea of not using JavaScript to handle error messages but and pretty new to CF. I am using the code pretty much as is above and noticed that as long as the field isn't empty any value can be passed. Any help is appreciated.

• Comment 36 written by Ron on 24 June 2009, at 3:01 PM

  

  Add this to the <cfif isDefined("form.send")>
  
  <cfif not len(trim(form.email)) or not isValid("email", form.email)>
  <cfset error = error & "Please include a valid email address!<br>">
  </cfif>

• Comment 37 written by rencontres on 24 June 2009, at 3:12 PM

  

  nobody answered me about encrypt and decrypt why don't we use them to pass the captcha ? it looks better than hash

• Comment 38 written by Jeff on 24 June 2009, at 3:35 PM

  

  Thanks for that solution Ron! Worked like a charm!

• Comment 39 written by Holly Jones on 7 July 2009, at 11:01 AM

  

  Thanks for the example!

• Comment 40 written by Jeff on 7 July 2009, at 5:07 PM

  

  I need some help! I had this working fine and now it's just not working. After filling in the form, the form is still visible and the text "Correct these errors" is still showing with no error messages. I am using the code exactly as is. Does anyone have any ideas? Here is the site:
  
  http://www.overdriveevent.com/contact-us.cfm
  
  Thanks!

• Comment 41 written by Raymond Camden on 7 July 2009, at 5:09 PM

  

  I don't believe you are using the code exactly as is. I bet you are missing:
  
  <cfif errors is "">
  <!--- do something here --->
  <cfset showForm = false>
  </cfif>
  
  
  or you are missing the <cfif showForm> aroudn the form.

• Comment 42 written by Mike H on 9 July 2009, at 7:48 AM

  

  I think levensok's issue might have been with load balancing. cfimage writes the image to disk before displaying it. This means the image could be written to one server but the second server is trying to display it which obviously won't work. It seems the only way to solve this is to use sticky sessions, which is not an option for me. I guess I could use a folder that all the servers have access to but then I need to deal with the cleanup. Not an option I'd like to use. Has anyone else figured out a way around this?

• Comment 43 written by Raymond Camden on 9 July 2009, at 7:58 AM

  

  Unfortunately there is no easy way. The captcha form of cfimage handles both randomly placing the text, saving the file, and generating HTML. You can't make it not do the HTML.
  
  You can, of course, make your own image, but then you need to be responsible for adding the text yourself (which means picking the random font, position, etc).

• Comment 44 written by Jackie on 14 September 2009, at 9:19 AM

  

  I'm trying to use the captcha with CF8, but the hashed value for the form.captcha is different from the from to the submit side of the script, thus, the submit fails every time. What gives? Does nobody else have this problem?

• Comment 45 written by jason on 27 October 2009, at 9:04 AM

  

  I'm trying to implement this but am having problems.. my image is not showing up. I stripped it from my code and posted your code from the example above verbatim and the image shows broken... when I look at the properties... i see the image as
  
  mydomain.com/CFFileServlet/_cf_captcha/_captcha_img-1287068910168207643.png
  
  Is this a server setting that is incorrect? While I'm pretty good at coding CF.. I'm a bit clueless when it comes to server settings like this. I am using CF8 as well.
  
  Thanks and great tutorial... Nice an easy... I just need to get mine to work!

• Comment 46 written by Raymond Camden on 27 October 2009, at 9:05 AM

  

  Capcha's make use of a dynamic image hosted directly by the CF server, so yes, that image does make sense. Can you share your code, and the URL if it is on a public server?

• Comment 47 written by jason on 27 October 2009, at 9:16 AM

  

  Ray,
  My code is the EXACT code, with nothing else on it as your page above...
  I just turned on robust reporting and see it's messing with one of my components it seems. I'm even more lost now that I see the error.. it's usually opposite!
  
  The sample form is located at:
  http://www.hermanscentral.com/rfq/index3.cfm
  
  I GREATLY appreciate the help

• Comment 48 written by Raymond Camden on 27 October 2009, at 9:24 AM

  

  Looks like something not configured right. Do you have a 404 handler for the server? Disable it - just temporarily - and see if that corrects it.

• Comment 49 written by jason on 27 October 2009, at 9:46 AM

  

  I'm sorry I wasn't clear.. I had said I already cleared out my custom 404.. so in cf admin on Missing Template Handler and Site-Wide Error Handler I have nothing entered. I did have a custom 404 that cleans misc strings and such.. and then attempts to find products or departments related and serve up a related result for 404s....
  
  Turns out this was triggering the custom 404.cfm BUT on removing that 404.. (just removing all fancy code and putting 404 on that 404.cfm) the image still doesn't pop up.
  
  Any other ideas?

• Comment 50 written by jason on 27 October 2009, at 11:14 AM

  

  Ray - Thanks again for your help.. for those that come across the same issue.. it was a matter of mapping a virtual directory..
  
  so create a virtual directory called CFFileServlet
  Map it to (your coldfusion install) / tmpCache/CFFileServlet and there you have it.
  
  You rule an thanks for the tutorial!

[Add Comment] [Subscribe to Comments]