#10 Example code suggestion

[Anonymous]

I would add the line :
request.getSession().setAttribute(Captcha.NAME, null);
to the sample code. It will reset the CAPTCHA. Otherwise spammers only have to type in the captcha once and can still automate the process and create for example 1000 accounts or place hundreds of messages on a messageboard

<%@ page import="nl.captcha.Captcha" %>
...
<% // We're doing this in a JSP here, but in your own app you'll want to put
// this logic in your MVC framework of choice.
Captcha captcha = (Captcha) session.getAttribute(Captcha.NAME);
request.setCharacterEncoding("UTF-8"); // Do this so we can capture non-Latin chars
String answer = request.getParameter("answer");
if (captcha.isCorrect(answer)) {
request.getSession().setAttribute(Captcha.NAME, null);
%>
<b>Correct!</b>
<% } %>