Blocks4.NET .net components for .net developers

Captcha validation in asp net 2.0 website

March 16, 2008 19:49 by blocks4

First, a few words on validating user input. The need for this type of solution is itself unnatural: it exists only because some users want to infiltrate a website's database or to send excessive amounts of what we all know as spam. As for the minimum protection built into ASP.NET applications, someone generally can't send malicious scripts straight to the server, because each page validates the request. Such an attempt instead produces the by now classic runtime error: A potentially dangerous Request.Form value was detected

In practice, any input from the user must be treated as wrong or malicious, and different validation measures must be implemented. When you let users send feedback, expect many attempts to send spam from different users, more or less human. Few people will sit and submit content by hand to hundreds of sites, including yours; instead they write scripts and bots that search for submission forms on different websites and use them to reach the server.

Even if your page is very well protected with validator controls or JavaScript functions, and even if the page's ValidateRequest property is left set to true, a fairly simple script can bypass these validation measures and try to send content. The attempt will generate the error for a potentially dangerous request, that is, one that includes scripts and/or HTML code. You can disable the ValidateRequest property, but in some cases that may be too risky, for example if you need to do it in a master page.

This is where a Captcha control comes in. It is a well-known and fairly effective way of telling a real user from a bot trying to post to your site, and it significantly reduces the amount of spam sent to your server.

Now, a short review of the steps for implementing a nice Captcha validation. On the page to be submitted, include a simple HTML image, <img>. Set this element's src property to the name of a new page; let's call it Image.aspx. For this to work, you'll have to change the response type of that page to image/jpeg. The page's code-behind holds, as you would expect, the code that creates the captcha object.

A nice way to get the code for the captcha image is to generate a new globally unique identifier (GUID) and extract a 6-character string from it. You can store the code in a session variable and read it back when you have to create the captcha image (check that the session variable is not null).

The captcha image is generated by a separate class. You can use the objects in the framework's System.Drawing namespace to generate it. The class constructor can take the following arguments: the code string, the width and height of the image and, optionally, the font family. The method that generates the image first creates a Bitmap object, then, based on the bitmap, a Graphics object and a Rectangle in which we can draw the background and the text. Before drawing the text onto the background, make sure the font size does not push the text past the rectangle's border. It is also important to create a new path from the text and warp it randomly, to add some distortion to the text. Optionally, we can add some random noise to the final image. Finally, we return the bitmap object representing the captcha image through the class's public property, image.
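
The steps above in one place, as an added example rather than code from the original post: a helper class (assumed to live in App_Code; `Captcha`, `SessionKey`, `WriteImage` and `Verify` are assumed names) that takes the six-character code from a GUID, keeps it in the session, draws it warped and writes it out as image/jpeg. `Verify` goes one step beyond the text by removing the stored code on every attempt, so each image allows a single guess.

```csharp
// App_Code/Captcha.cs: added example; Captcha, SessionKey, WriteImage, Verify are assumed names.
using System;
using System.Drawing;
using System.Drawing.Drawing2D;
using System.Drawing.Imaging;
using System.Web;
public static class Captcha
{
    private const string SessionKey = "CaptchaCode";
    public static void WriteImage(HttpContext ctx)
    {
        string code = ctx.Session[SessionKey] as string;
        if (code == null) // no pending code: take six characters from a new GUID (hex digits only)
            ctx.Session[SessionKey] = code = Guid.NewGuid().ToString("N").Substring(0, 6).ToUpperInvariant();
        ctx.Response.ContentType = "image/jpeg";
        ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache); // do not cache the image
        Rectangle rect = new Rectangle(0, 0, 200, 60);
        Random rnd = new Random(); // used for the distortion only, not for the code
        using (Bitmap bmp = new Bitmap(rect.Width, rect.Height))
        using (Graphics g = Graphics.FromImage(bmp))
        using (GraphicsPath path = new GraphicsPath())
        using (FontFamily family = new FontFamily("Arial"))
        using (StringFormat fmt = new StringFormat())
        {
            g.Clear(Color.White);
            float size = rect.Height; // shrink the font until the text fits the rectangle
            for (; size > 8f; size--)
                using (Font f = new Font(family, size, FontStyle.Bold, GraphicsUnit.Pixel))
                    if (g.MeasureString(code, f).Width <= rect.Width) break;
            fmt.Alignment = fmt.LineAlignment = StringAlignment.Center;
            path.AddString(code, family, (int)FontStyle.Bold, size, rect, fmt);
            PointF[] dest = {
                new PointF(rnd.Next(rect.Width) / 4f, rnd.Next(rect.Height) / 4f),
                new PointF(rect.Width - rnd.Next(rect.Width) / 4f, rnd.Next(rect.Height) / 4f),
                new PointF(rnd.Next(rect.Width) / 4f, rect.Height - rnd.Next(rect.Height) / 4f),
                new PointF(rect.Width - rnd.Next(rect.Width) / 4f, rect.Height - rnd.Next(rect.Height) / 4f) };
            path.Warp(dest, rect); // random quadrilateral: upper-left, upper-right, lower-left, lower-right
            g.FillPath(Brushes.DarkSlateGray, path);
            bmp.Save(ctx.Response.OutputStream, ImageFormat.Jpeg);
        }
    }

    // Call from the form's submit handler; the stored code is removed on every attempt.
    public static bool Verify(HttpContext ctx, string typed)
    {
        string expected = ctx.Session[SessionKey] as string;
        ctx.Session.Remove(SessionKey);
        return expected != null && typed != null && string.Equals(expected, typed.Trim(), StringComparison.OrdinalIgnoreCase);
    }
}
```

Image.aspx's Page_Load calls `Captcha.WriteImage(Context);`, and the form's submit handler rejects the post unless `Captcha.Verify(Context, typedText)` returns true, where `typedText` stands for the value of the form's text box.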

And there you go. You have a nice validation element on your form that will reduce the spam and help you stop the unnecessary information from being sent to your server.

