[Looking for Charlie's main web site?]

Want to simplify your Blogcfc (or other Lyla-based) captcha? Here's the XML file.

Note: This blog post is from 2006. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Want to simplify your BlogCFC (or other Lyla-based) captcha? Just grab this updated xml file:

right-click and save this updated xml file

If you're using BlogCFC, you can just drop it into your /blog/client/includes directory (saving your old one to restore if needed, and you may need run the query string option "?reinit=1" to reload blogCFC settings.)

This will instantly your captcha will change from this:

to this:

I've confirmed that the original captcha.xml is the same between releases 5.005 and 5.5 beta 1, where Ray is now including the changed XML file himself in the product itself.

For those curious about what I mean by "simplifying", a few weeks ago I wrote an entry explaining how you could simply your Captcha to just a couple of letters, with a much easier read background and format. I also proposed why I think it's ok. We bloggers don't need to keep out really determined hackers (with a double-keyed deadbolt lock), we just need to keep out the annoying pests (with a screen door).

Since that post, many bloggers have indeed taken up the suggestion, but I have seen blogs where some commenters have pointed our my older entry, with the blogger's saying, "I do plan to get to it". That other entry offered the specific steps to change the captcha.xml file, but if you haven't changed it yourself since implementing BlogCFC, just drop this in. Of course, if you want to do a comparison to make sure, there are lots of good compare tools. My favorite is BeyondCompare.

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
I know I'm one of those who said "I gotta simplify captcha" (Just yesterday when I upgraded BlogCFC to whatever the current is). Thanks for the file.

I use WinMerge ( http://winmerge.org/... ), which is free but will have to check out Beyond Compare too.
# Posted By Jeff Houser | 10/8/06 12:16 AM
WinMerge is your friend.....
I just updated the whole of my blog from 5.0 to 5.5 doing compares between the key files to make sure I kept my information but included any new fields.

If you want a captcha that isn't quite so simple I did a post a couple of weeks ago. http://nil.checksite...

Oh and, Charlie, your comments are working fine now after the hiccup the other week.
# Posted By Stephen Moretti | 10/9/06 6:37 AM
Thanks guys. Steve, sadly, we can't declare victory. I am receiveing report of the captcha failing for at least one person even this morning so am investigating.
# Posted By Charlie Arehart | 10/9/06 10:46 AM
Charlie, Just wanted to first thank you for providing this...but then offer a warning. I have had it in place on my blog for about a month or so, and I have seen a significant uptick in spam comments since. I am not sure how they are accomplishing it, though many seem potentially manual, but I went from no spam comments to a few a day after simplifying. I suppose it is a matter of what level of annoyance I am willing to put up with in favor of making it easier for my users to participate.
# Posted By Brian Rinaldi | 12/13/06 10:49 AM
Wow, that's indeed a bummer to hear, but good feedback. Just to clarify, the earlier entries (linked to above) explained exactly what handful of changes I made in the XML file. One can certainly dial some back toward the defaults to see what the impact is on spambots. Naturally, the manual ones can't be stopped in any case.

Actually, your note here reminds me that I did see a slight uptick in any spam recently, so I dialed things back just a little bit (as some will have noticed in my captcha shown when entering comments below). Here are the settings I changed to:

   <config name="useOvals" value="true"/>
   <config name="ovalColor" value="light"/>
   <config name="minOvals" value="5"/>
   <config name="maxOvals" value="10"/>
   <config name="useBackgroundLines" value="true"/>
   <config name="backgroundLineColor" value="light"/>

I'd not yet posted about that or offered a revised captcha.xml file, but your note here has reminded me that it's been a couple weeks since I changed it, and so far so good. Would you be interested in trying this "middle ground"? :-) I'd be interested if it might help you or anyone else who thinks to write.
# Posted By Charlie Arehart | 12/13/06 11:11 AM

Thats looks distinctly like my setting Charlie. ;oD
# Posted By Stephen Moretti | 12/13/06 1:41 PM
That would be a total coincidence, honestly. :-) I just looked over the settings and changed a few till I found something that seemed a little more random (to challenge bots) while not beeing too difficult to read (to benefit readers). Hopefully it's a happy medium.

The more important point for readers here is that if you're happy with the setting, it's confirmation that it's a good ant-spam variant. Hope it helps Brian in particular. If I get more confirmation, I'll change the file that I offer in the download via the link above.
# Posted By Charlie Arehart | 12/13/06 3:11 PM
Thanks Charlie! I went ahead and plugged those new values in. I will let you know what I find.
# Posted By Brian Rinaldi | 12/13/06 3:47 PM
Charlie, I really need help. The last couple of days have reminded me of my own coding limitations.

The following code, run from the root, creates a captcha image in the directory images/captcha as expected:

<cfset variables.captcha = application.captcha.createHashReference() />
<cfset variables.captcha = application.captcha.createCaptchaFromHashReference("file",variables.captcha.hash) />

Lyla Captcha is normally initialized in Application.cfm and everythinf is well.

Now, if I try to run the same code one level down in the subdirectory "remote", first it doesn't find the application.captcha any more. OK, I reinitialize Captcha:

<cfset lylaFile = "./../includes/captcha.xml">
<cfset application.captcha = createObject("component","org.captcha.captchaService").init(configFile="#lylaFile#") />
<cfset application.captcha.setup() />
<cfdump var="#application.captcha#">
<!--- ok, all well up to here --->

<cfset variables.captcha = application.captcha.createHashReference() />
<cfdump var="#variables captcha#">
<!--- good also up to here --->

<cfset variables.captcha = application.captcha.createCaptchaFromHashReference("file",variables.captcha.hash) />

but it bombs running this line located in "org\captcha\captchaService.cfc":
<cfset stream = createObject("java", "java.io.FileOutputStream").init(tempFileLocation) />
with the error: "Object Instantiation Exception."

I have just no more noobe pride left. Please help.
# Posted By Walter Conti | 6/30/07 5:30 PM

I'm sure Charlie will respond soon.

It seems to me that there is something amiss if the application variable isn't available in the subdirectory. All your other problems stem from that. Here are a few things to check:

a) Did you give the Application a name? It may cause odd behavior if you don't.

b) Does the subdirectory Application.cfm include the top level Application.cfm? Does the Application.cfm in the root directory have the same name as the Application.cfm in the subdirectory?

c) If you don't need an Application.cfm in the subdirectory, don't put one there. CF should automatically go up a level and run the Application.cfm in the parent.

I'm not sure why the createObject would work in the root directory, but not the subdirectory. Perhaps there is a security sandbox involved.
# Posted By Jeffry Houser | 7/1/07 12:22 AM
Walter, , I can't think of anything readily over what Jeff has proposed. If that doesn't get you closer, I think it may be best to run this by Peter Farrell (http://lyla.maestrop...), who created Lyla Captcha. The other faqs there may also be useful for you.
# Posted By Charlie Arehart | 7/2/07 11:26 PM
In a strange way, that's kinda poetic, isn't it?
# Posted By Cliff Pearson | 8/28/08 8:08 AM
Cliff, I had deleted the spam message before reading yours. I always do delete them, but since your comment would then linger there curiously to later readers, I wanted to explain that.

So, as for the spam comments, and the quip about how poetic (or perhaps ironic) that they should show up on a blog entry about simplifying captchas, I really do want to respond. I realize you may not have been making an acerbic comment, but some may still feel that way, and that it's therefore irresponsible to be calling for simpler captchas, when they could make spamming easier.

Here's the thing: I really don't think my simpler captcha increases the chance of spamming. My sense from analyzing both the pattern of spam and the details of the spam suggest that it's not from automated bots, that are somehow "getting by" the simpler captcha.

Rather, it seems to be people hand-typing their comments. They have an economic interest to get their comments (with references to their URL either in the comment or by the display of the URL meant to point back to the commenter's blog or web site) onto the site. They hope it will increases their link-back value in search engines. It's a sad state of affairs, but there it is.

As such, they're really motivated, even to pay people to enter comments on entries they think are popular enough to increase their link value. So if the captcha were more difficult, they'd just deal with that and type it manually, and the spam would still come through. But all my other readers would then also have to deal with the more difficult captcha. That's just not a fair trade, I don't think.

As I've said throughout this series (now a couple of years ago since I wrote it), I just don't regard captchas as a way to keep all spam out. It's just not possible. I regard it (even these simple ones) as simply a way to make it at least hard for spammers to automate the process. They'll still get in manually if they want to, with a hard or a simple captcha. So I just delete them when I get them (a few per week). (I wish other bloggers would do the same. I hate to see good comments lost in a sea of crap.)

If I get too many spam comments for an entry, I then also stop permitting comments on that entry (especially if it's an old entry), figuring that somehow it's become popular enough with spammers for them to target it.

This is, in fact, now one of those entries. I had just turned off commenting for it after getting emailed with the last spam comment, but when I then saw your note, I wanted to offer this last comment. I will now shut the door. :-)

I realize there's a pain in that you or someone else may want to respond to this comment in particular, but really, the other entries and the comments that have been made there have really made all the points that need to be made. Folks can disagree with me on my feeling about captchas. Let's leave it at that.

I'll just take consolation (and some satisfaction) in the fact that Ray (with BlogCFC) and others are now distributing their apps (which use Lyla captcha) to use the simpler form of captcha by default. To me, the benefit to so many readers to have easier captchas is great, and I accept the slight cost to bloggers who may then want to go in and increase the complexity of their captchas. :-)
# Posted By Charlie Arehart | 8/28/08 10:26 AM
Copyright ©2022 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting