Implementing a naive captcha in BlogEngine.NET

4 Oct 2009: Keith Ratliff went to the very involved work of converting BlogEngine's comment submission process from JavaScript-centric to postback and standard ASP.NET validation, thereby enabling a more or less drag and drop installation of reCAPTCHA. Hooray Keith! Fantastic work. See that post instead.

A couple of years ago Mads Kristensen implemented an invisible captcha into BlogEngine.NET, but as my blog attested to, this is not enough.

Instead of inconveniencing readers with a captcha, you can use your own clever validation trick. The more unique it is, the less likely it will be automatically discovered and circumvented. When it is, you need a new trick.

A naive captcha is basically a captcha that always shows the same image. It works on the principle that your site isn't important enough for spammers to special-case by hand (how cheerful!), but if it's good enough for Coding Horror, it's good enough for me.

Of course, the fact that the challenge is an image already resists automated discovery of this particular trick, and if it is discovered, manually or otherwise, it's easy to change the image (it doesn't even have to be of text).
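One way to do the check on the server, as an added example that is not the patch from this post or BlogEngine.NET's own code. The class name, image path and the second accepted answer are hypothetical, and it assumes the comment handler calls IsValid before saving a comment.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper, not a BlogEngine.NET type.
public sealed class NaiveCaptcha
{
    public readonly string ImagePath;          // the one fixed image shown to every visitor
    private readonly HashSet<string> accepted; // answers that match that image

    public NaiveCaptcha(string imagePath, params string[] answers)
    {
        ImagePath = imagePath;
        accepted = new HashSet<string>(answers, StringComparer.OrdinalIgnoreCase);
    }

    // Server-side check: true only if the posted field matches the image.
    public bool IsValid(string posted)
    {
        if (posted == null) return false;          // field missing from the request
        string answer = posted.Trim();
        if (answer.Length == 0 || answer.Length > 32) return false; // empty or junk
        return accepted.Contains(answer);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed values: swapping the trick means replacing image and answers together.
        NaiveCaptcha captcha = new NaiveCaptcha("~/pics/captcha.png", "chicken", "hen");

        // Constructed sample submissions.
        string[] samples = { "chicken", " Chicken ", "hen", "", null, "http://spam.example/" };
        foreach (string s in samples)
            Console.WriteLine("{0,-22} -> {1}", s ?? "(missing)",
                captcha.IsValid(s) ? "save comment" : "reject");
    }
}
```

Because the check runs where the comment is saved, a client that posts the form without running the page's script still has to supply the word.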

Implementing my own naive captcha here has been quite effective so far. My next step may be Akismet for manually entered spam.

Implement your own

The patched files (against vanilla BlogEngine.NET 1.4.5) are available. To make the change to your existing, customized blog, take a look at this comparison courtesy of Beyond Compare 3, or view the compact version below; this post needed some color.

You'll want to change the paths and formatting in CommentView.ascx to suit your liking, and also the word "chicken".

Oh, and don't forget that my code sucks. Someone please be my guest and make this a properly coded BlogEngine.NET extension. My first attempt was with the strictly-server-side RegularExpressionValidator control you see commented out below, which I couldn't get to work, so I used existing mechanisms instead.

Modified (check margin) lines are in red. Unimportant differences are in blue (mostly, the JavaScript isn't truly commented). The rest is context.