This project is read-only.
Overview | Examples | Features | Requirements | Project | Usage | Appearance | Configuration | About Spam | External Resources | Help and Feedback


Latest Release Notes for 1.0 RTW | Latest Release Notes for 2.0 Beta

Auto-Input Protection is a highly extensible ASP.NET web control that provides CAPTCHA protection for your blogs, forums, wikis and websites, greatly reducing the likelihood of unwanted form submission from automated spam and hacks.

Getting Started: Minimal Configuration (NO AUDIO)


You can easily add the AIP web control to existing ASP.NET 2.0 and 3.5 websites and use it with minimal configuration. Check out the video for an example.

AIP 2.0 Beta works with Visual Studio 2005, 2008, and Visual Web Developer Express. The AIP web control provides design-time support in Visual Studio 2005 and 2008. The installer automatically adds the control to the toolbox and merges the AIP documentation into Visual Studio's help.

AIP works with minimal configuration. Only an HTTP request handler must be added to your web.config file and you'll be able to use the control on all of your web pages that require protection.

AIP uses a custom validator's server-side event to test user input so that if user validation fails, Page.IsValid will be false automatically.

AIP is fully extensible. You can define a custom layout template for the control and configure built-in text, image and filter providers to produce random CAPTCHAs in various formats. You can also create custom providers that generate randomized text, images and filters.


The following example uses the AIP web control with its default template and the default text and image providers (basic English and line noise, respectively).


The next example uses a custom data-bound template and various built-in providers.


The final example illustrates a random CAPTCHA that has been generated using built-in text and filter providers, and a custom image provider. (Note that a randomized cross hatch filter provider is now built-in as of 2.0 Beta.)



The AIP Web Control
  • works out-of-the-box with minimal configuration; only the Http Handler must be configured.
  • 2.0 Beta can be configured to use the ASP.NET cache or session state (useful for web farms). The web control also works with view state disabled.
  • can be used on web form and user control designers in Visual Studio.
  • can be edited in template-mode with two placeholder controls; one that provides the location of the CAPTCHA image and another provides the validation textbox. Literal content and server controls are supported in the template for complete control over its appearance.
    • Note: 2.0 Beta no longer requires placeholder controls in custom templates. Instead, you must add an Image control with an ID of Image and a CustomValidator control with an ID of Validator.
  • uses ASP.NET validation controls. Check Page.IsValid upon post-back to determine whether validation succeeded.
    • You can specify custom error messages for a validation summary. 2.0 Beta also provides properties to set in-line error messages.
    • The control in 2.0 Beta exposes a ValidationGroup property that will automatically set the ValidationGroup properties of the validator controls.
The CAPTCHA text
  • can be generated with a custom algorithm.
  • can be random, basic English words from the Ogden dictionary, which is built-in to the AIP library.
  • can be characters chosen at random from a configurable character set that includes any combination of upper-case and lower-case letters, the number zero, positive digits and pre-defined symbols.
    • The default list of characters that are excluded can be modified.
  • can be case-sensitive for validation.
  • has a random length that is configurable with maximum and minimum values.
  • has a customizable appearance, providing control over the list of sampled colors and fonts, the size range of characters, and provider-specific attributes that are all configured in the web.config file.
The AIP library
  • produces random output that can easily be configured to vary greatly in appearance between sites.
  • is extensible, using custom ASP.NET 2.0 providers to generate the CAPTCHA text and image, and to apply graphical filters.
  • has a text provider that chooses words from the Ogden dictionary.
  • has a text provider that chooses random characters.
  • has a base bitmap provider that creates a bitmap with text rendered in evenly spaced vertical partitions.
  • has a bitmap provider that renders line-noise with vertically-partitioned text.
  • has a bitmap provider that renders 1 of 5 random background images with vertically-partitioned text.
  • has a filter provider that can render randomized translucent bars, vertically or horizontally, as an overlay.


AIP only requires ASP.NET 2.0.

Install the Microsoft .NET Framework 2.0, 3.0 or 3.5 to use AIP in your web sites.


The AIP project was written, and will continue to be written, exclusively in C#.

AIP 2.0 Beta was built with C# 3.0 and Visual Studio 2008, but the compiled assembly targets the Microsoft .NET Framework 2.0.

  • Globalization
  • Community participation in the development of new image filters for CAPTCHA algorithms
If you'd like to become a team member, please contact Dave Sexton. As indicated above, anyone that can implement image filters in C# for different/better CAPTCHA algorithms would make a great addition to the team. Please mention some of your qualifications and your motivation for becoming a team member in your email.


Add the AIP web control to your web forms and an image containing random text will be generated automatically, unique to each request. Users must enter the text that they see into a textbox before submitting the form. If a user enters invalid text then Page.IsValid will be false on post-back. You can use ValidationSummary controls to display errors or set in-line error message properties on the AIP web control.

For more information please refer to the How Do I wiki.


The appearance of the AIP web control may be customized in a designer, declaratively in the HTML page or programmatically in code-behind (or code-beside).

2.0 Beta
The AIP web control is a templated control that supports complete customization of its output. All that is required is an Image control with an ID of Image and a CustomValidator control with an ID of Validator.

1.0 RTW
The AIP web control is a templated control that supports complete customization of its output using an AIP image placeholder control and an AIP textbox placeholder control, which are used to indicate where the image and textbox controls should be placed, respectively, within your custom HTML template.


AIP is configured in your website's web.config file using ASP.NET 2.0 providers. One provider generates the text, one renders the image and any number of filter providers may be configured to help randomize the output. AIP has a basic English text provider and a line-noise bitmap provider configured by default, which makes the web control usable out-of-the-box. You can create your own text, image and filter provider implementations if you have your own CAPTCHA algorithms that you'd like to use, or just configure the existing filters to customize the default output.

Example 1
This example illustrates the minimum required configuration to use the AIP web control. Add the httpHandlers registration to your web.config file exactly as it appears here:

      <add verb="GET" path="AIP.ashx"
               type="DaveSexton.Web.Controls.AutoInputProtectionRequestHandler, DaveSexton.AutoInputProtection" />

Note: An AIP.ashx file does not exist. ASP.NET routes requests to the AIP request handler automatically.

Example 2
Note that this example only applies to AIP 1.0. Refer to the 2.0 Beta documentation for 2.0 examples.

Here is an example configuration section for AIP that uses a text provider to generate random characters, the resource-based bitmap provider, the translucent bar overlay filter provider, and also adds a custom filter provider named, crosshatch:

    <sectionGroup name="dsweb">
      <section name="autoInputProtection"
               type="DaveSexton.Web.Controls.Configuration.AutoInputProtectionSection, DaveSexton.AutoInputProtection" />
    <autoInputProtection defaultTextProvider="randomtext" defaultBitmapProvider="resource">
        <add name="randomtext"
             type="DaveSexton.Web.Controls.RandomCharactersAutoInputProtectionTextProvider, DaveSexton.AutoInputProtection"
             colors="Red,Green,Blue,Brown" fonts="Times New Roman,Arial,Lucida Sans"
             minimumFontSize="20" maximumFontSize="35" />
        <add name="resource" 
             type="DaveSexton.Web.Controls.ResourceAutoInputProtectionBitmapProvider, DaveSexton.AutoInputProtection"
             minimumCharacterRotationDegrees="-15" maximumCharacterRotationDegrees="15" />
        <add name="horizontalbars" 
             type="DaveSexton.Web.Controls.TranslucentBarsOverlayAutoInputProtectionFilterProvider, DaveSexton.AutoInputProtection"
             colors="Orange,Yellow,Fuchsia" />
        <add name="crosshatch"
             type="CrossHatchAutoInputProtectionFilterProvider" />
      <add path="AIP.ashx" verb="GET"
           type="DaveSexton.Web.Controls.AutoInputProtectionRequestHandler, DaveSexton.AutoInputProtection" />

Example-CrossHatch1.jpg Example-CrossHatch3.jpg Example-CrossHatch4.jpg
Figure 1: Rendered Examples

For information on the CrossHatchAutoInputProtectionFilterProvider class, see How Do I create a custom AIP filter provider?.

Note: As of 2.0 Beta, CrossHatchAutoInputProtectionFilterProvider is built-in to the AIP library. The new implementation also provides randomization and extra options.

For information about the dsweb configuration section, see How Do I configure my ASP.NET 2.0 website to use AIP?.

Note: As of 2.0 Beta, the <dsweb> section group is no longer used. Instead, the <autoInputProtection/> section is used by itself.

About Spam

Spam is a problem. Not only is it annoying but it's also immoral, and sometimes illegal. Spammers attempt to make money at your expense or decrease the value of the services that your website provides. The latter case is not usually classified as spam, however, but is actually some form of hacking instead; AIP will help you to protect your web forms against both types of automated attacks, regardless of the attacker's intention.

The Link Attack
A spammer will look for unprotected blogs, forums and wikis that allow links to be posted. The spammer will do what it takes to get their links visible on your web pages. When a link to a spammer's site appears in your website, and your site is indexed by some search engine such as Google, the mere presence of the spammer's link may increase the score of the their website in the search engine. A higher score increases the chances that their site will appear closer to the top in search results. Higher score/rank can mean increased sales and profit from embedded ads in the spammer's site simply because they are increasing their site's visibility on the net. You suffer, your blog/forum/wiki/website users suffer and Joe Spammer makes some loot.

The Automated Attack
Spammers, just like legitimate businesses with morals, find ways to automate processes using computers. One such way is automated blog spamming, for example. A computer program searches the more well-known blog sites, and personal blogs that use commercial software, to find anonymous comment forms where they can post their site's links, automatically.

Protection from Automated Spammers
There are ways that you can protect your sites and blogs from these types of spam attacks. CAPTCHA is only one of those ways, and it isn't always the most appropriate either. One problem with CAPTCHA, for example, is that it's not accessibility-friendly.

How does an image with text help?
CAPTCHA renders text in an image because computers have a much harder time parsing image-based text than people do. A user can easily duplicate the text that they see while computers cannot. This allows websites to distinguish between legitimate users and automated spamming software.

A Spammers Response to CAPTCHA
One line-of-attack that automated spammers use against CAPTCHA is optical character recognition (OCR). OCR is software that can read text from an image. Examples of OCR can be found in programs such as Adobe Acrobat and Microsoft Office OneNote, which allows you to search for text in embedded images.

You can defend against spammer's OCR by making it harder for computers to distinguish between the outline of characters and the image's background, or clutter-content; as long as a human can easily distinguish between the validation text and the rest of the image, you have yourself a CAPTCHA solution.

Examples of CAPTCHA can be found on many websites that provide public web forms for site membership or simple data entry, such as right here on CodePlex when you register a new project!

External Resources

Here is a list of resources that you can use to start researching about spam and methods for protection like CAPTCHA.

Spam in blogs. (2007, March 13). In Wikipedia, The Free Encyclopedia. Retrieved 10:09, March 22, 2007

CAPTCHA. (2007, March 18). In Wikipedia, The Free Encyclopedia. Retrieved 10:09, March 22, 2007

Optical character recognition. (2007, March 18). In Wikipedia, The Free Encyclopedia. Retrieved 11:28, March 22, 2007

Help and Feedback

AIP 2.0 Beta provides a standalone compiled help file and the installer integrates documentation into Visual Studio 2005 and 2008 automatically. Refer to the Latest Release Notes for more information.

For help performing some of the more common tasks associated with AIP, see the How Do I wiki.

For information about AIP text, bitmap and filter providers, see AIP Providers.

For questions and concerns that aren't addressed by the wikis you may use the Discussions area and bugs may be reported in the Issue Tracker. If you prefer to submit your questions or comments to the team then please contact, Dave Sexton; however, if you are asking a question then please check the wikis and Discussions for answers first!

Last edited Apr 4, 2008 at 5:14 PM by davedev, version 32