Captcha Implementation

What is a CAPTCHA?

A captcha is a technology that validates a form submission is submitted by a human. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart". This helps to prevent bots from hijacking your email forms, and we recommend using a CAPTCHA on any form located on your site or application.


ReCAPTCHA is provided by google and is regularly updated. You can find more information about this here.


Another good, free option is Securimage for PHP. This is available here.

ReCAPTCHA for ColdFusion Forms

This example makes use of the popular ReCAPTCHA, a green alternative to the standard cfcaptcha tag.

Getting Started

  1. Signup for an account at ReCAPTCHA.
  2. Provide a domain name where you’ll be using ReCAPTCHA.
  3. Create a key, for single or all domains.
  4. Click on the “ReCAPTCHA plugins and libraries”.
  5. Once there download the ColdFusion ReCAPTCHA plugin. (Alternatively, you can obtain the plugin at RIAForge).
  6. Create and place the file “recaptcha.cfm” in your custom tag folder or in the directory where the form file exists. If you need a custom tag path created, you can follow the directions here.

Please Note: We recommend creating a custom error page - this prevents errors from revealing your public and private key if there are any errors with the form.


  1. Create the form for capturing user data, such as a contact form submission.
  2. Upload your form to your hosted file directory.

Example Form

		privateKey="...your private key..."
		publicKey="...your public key..."

<!--- Heres where the email information is sent, set the TO and FROM below --->
	<cfif IsDefined("Form.oncethrough") AND #form.recaptcha# EQ "true">
		to = "[email protected]"
		from = "[email protected]"
		subject = "Form submission!" >

		Name: #form.firstname# #form.lastname#
		DOB: #form.dob#
		Address: #form.address#
		State: #form.state#
		Note: #form.note#
		IP: #cgi.remote_addr#
<!--- This information is returned to the user upon submission of the form. --->
		<cfoutput>#form.firstname#, your information was submitted successfully. We will be contacting you shortly.
		<br>Here's what we have recorded:
		<br>Name: #form.firstname# #form.lastname#
    	<br>Date of Birth: #form.dob#
    	<br>Address: #form.address#
		<br>State: #form.state#
		<br>Note: #form.note#
<!--- If the user fails to validate the cfcaptcha they will be prompted to return to the contact form. Change the file name of your contact form here if different than contact.cfm --->
	<cfelseif IsDefined("Form.oncethrough") AND #form.recaptcha# EQ "false">
		<cfoutput>Please try again. Return to the <a href=contact.cfm>Contact Form</a></cfoutput>
<!--- Start collecting the contact information in the form. --->
		<h4>Thank you for visiting our site, please fill out fully so we can contact you.</h4>
		<h4>Your IP Address #cgi.remote_addr#</h4>
    	First Name: <cfinput type = "Text" name = "firstname"
        	message = "Please enter your first name."
        	validate = "required" required = "Yes">
		<br>Last Name: <cfinput type = "Text" name = "lastname"
        	message = "Please enter your last name."
        	validate = "required" required = "Yes">
		<br>Email: <cfinput type = "text" name = "email"
        	message = "Please enter your email address."
        	validate = "email" required = "Yes">
		<br>Date of Birth: <cfinput type = "Text" name = "dob"
        	message = "Please enter your date of birth."
        	validate = "date" required = "Yes">
		<br>Phone: <cfinput type = "Text" name = "phone"
        	validate = "telephone" required = "Yes">
		<br><br><b>Your address is optional!</b>
		<br>Address: <cfinput type = "Text" name = "address"
        	required = "No">
			<br>Format: 123 Street ST, Tulsa, OK
		<br>City: <cfinput type = "Text" name = "city"
        	validate = "zipcode" required = "No">
		<br>State: <cfinput type = "Text" name = "state"
        	validate = "zipcode" required = "No">
		<br>Zip: <cfinput type = "Text" name = "zip"
        	validate = "zipcode" required = "No">
		<br><br>Have something to say? <br><cfinput type = "text" style="height: 100px;" size = "50" name = "note"
        	required = "No">
		<br><br>Check to confirm permission to contact you: <cfinput type = "checkbox" name = "contactallowed"
        	message = "Please confirm you permission to contact you."
        	validate = "required" required = "Yes">
			privateKey="...your private key..."
			publicKey="...your public key..."
		<p><cfinput type = "submit" name = "submit" value = "Submit">
    	<cfinput type = "hidden" name = "oncethrough" value = "Yes"></p>

This example collects the Name, Email, DOB, Address, City, State, Zip, Phone, Note, IP of the submitter. Some fields are optional, so if there something you do not need to collect, just remove it from between the cfform, cfmail, and cfoutput sections.

CAPTCHA Alternatives


CFFormProtect provides spam protection for forms that are invisible to the end user. More information on the project and its implementation is available at RIAForge.


PHPFormProtect implements the same form security as CFFormProtect, but is intended for PHP applications. It is available from the project’s GitHub repository.