CAPTCHA, Swordplay, and the Importance of Meaning

One of the websites I’m supporting (as written with Somebody Else’s Code™) has a CAPTCHA code block on the Contact page. This gives you that stupid graphic with weird letters that you have to enter correctly to prove that you’re human (or, at least, that you’re a human who can see clearly).

Only on this site, there was still spam coming through from the Contact form.


I put on my hazmat suit and dove into the Contact page’s ColdFusion source code. (OK, maybe I didn’t suit up. But I still felt like I should have.) Right there, plain as day, was all the CAPTCHA code. Hmm… The code appears to be OK.

Fine, so I check the action page that executes the results. Ah… no. Right there is the results handler like I’d guessed, looking something like this:

IF (the captcha code is incorrect)
… display “Sorry you got it wrong” message
… use a javascript “history -1” button to go back and try again
END IF
process the contact form

Sure, it looked ok – it was testing the results and diverting you if you got it wrong…

Then it hit me. The previous code monkey’s logic was wrong – this wouldn’t stop the spam. Sure, if CAPTCHA failed it would throw up the back button, but it would still finish executing the code. What should have been done was to place the “process the contact form” section of code into an ELSE construct, so that it would only execute if the CAPTCHA entry was correct.
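Here is the same flow as a small Python model, next to the corrected version. This is an added example, not the site's ColdFusion code; the handler names, the `Outbox` class standing in for "process the contact form", and the sample CAPTCHA value are all made up for illustration.

```python
# Added example: models the action page's control flow. All names are hypothetical.

ERROR_PAGE = "Sorry you got it wrong. [Back]"


class Outbox:
    """Stands in for the side effect of 'process the contact form'."""

    def __init__(self):
        self.sent = []

    def deliver(self, form):
        self.sent.append(form["message"])


def captcha_ok(form, expected):
    # A missing field counts as a wrong answer.
    return form.get("captcha") == expected


def handle_vulnerable(form, expected, outbox):
    """The flow from the post: the error is shown, then processing runs anyway."""
    page = "Thanks!"
    if not captcha_ok(form, expected):
        page = ERROR_PAGE
    outbox.deliver(form)  # reached on both paths: this is the bug
    return page


def handle_fixed(form, expected, outbox):
    """Processing sits in the ELSE branch, so it needs a passed check."""
    if not captcha_ok(form, expected):
        return ERROR_PAGE
    else:
        outbox.deliver(form)
        return "Thanks!"


def run(handler, answer):
    """Submit a constructed form; return (page shown, number of deliveries)."""
    outbox = Outbox()
    form = {"captcha": answer, "message": "constructed spam body"}
    return handler(form, "x7Kp2", outbox), len(outbox.sent)


if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_fixed):
        for answer in ("wrong", "x7Kp2"):
            print(handler.__name__, repr(answer), run(handler, answer))
```

Both handlers show the same error page for a wrong answer, so the difference only shows up when you check the delivery count rather than what the visitor sees.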

Lesson for Today

When dealing with Somebody Else’s Code™, don’t assume their logic is correct even if things seem to work ok. Inigo Montoya would agree that, regardless of the programming language (even if it’s LISP), you have to make sure the logic means what you think it means.

Because you won’t always have a pirate hero to save you…
