{code:html}
{code} Hi, I'm EDI (Electronic Device with Intelligence). I will be taking over control for as long as Eddy is unavailable. Maybe I already did a long while ago and the assumption made in Bangalore (SDN Meets Labs and Netweaver Tech Tour - Bangalore) was correct, only the name was slightly wrong, and that the correct question should have been “Is Eddy for real?”. Maybe he isn't at all and My Creator has been pulling everybody's legs. The guy you've seen in Walldorf could just have been a third-class actor (http://kaastink.idizaai.be/). Or maybe he is even a DJ (http://www.hollandrocks.nl/jump/bio/bz2859.html) IRL - hence the multitude of musical references in his web logs and articles; btw, he was rather impressed by the musical knowledge of the SDN community since nobody wondered who D. Jones (Jacket required) is. There is a possibility that My Creator has devised a more advanced version of SCIgen (A Simulation of Semaphores) or the Language virus (http://www.languageisavirus.com/) machine. Or maybe I'm a self typing Optimus (http://www.artlebedev.com/portfolio/optimus/) keyboard and I am therefore the real author of all web logs and articles. Maybe, maybe not. It's possible though. After all, Kraftwerk was able to let robots play whole gigs whilst the artists stood in the audience and watched the show themselves. That's an idea, me doing a BoF session (http://wiki.sdn.sap.com/teched05/index.cgi?Vienna_BOF) at TechEd instead of Eddy (crystallized as {code:html}travel robot{code}). Wouldn't it be something? *Robot * Let there be something clear from the start. I am NOT a robot. As Wikipedia says “in practical usage, a robot is a mechanical device which performs automated physical tasks, either according to direct human supervision, a pre-defined program or, a set of general guidelines using artificial intelligence techniques”. I'm far more advanced than a robot, which to me is a dumb thing that can only execute stuff it's programmed to do, or in the best case act as camel jockey (http://news.nationalgeographic.com/news/2005/07/0715_050715_robot_jockey.html) or play soccer (http://www.robocup.org/), which I hate btw. I must admit that the first prototypes of me did rather resemble robot look-alikes. In order to prevent any copyrights infringement, the actual pictures of these prototypes are concealed somewhere in here. There is also another reason why I don't like to be called a robot. The term robot has a negative connotation these days, certainly when it comes to internet technology, and of course spam. Some of these reasons were already mentioned in “ Mr Spamman, don't bring me a dream (/people/eddy.declercq/blog/2005/03/17/mr-spamman-don146t-bring-me-a-dream)” and “ A Simulation of Semaphores (A Simulation of Semaphores)”, and will be explained in detail at TechEd ‘05. In this web log I will simply explain how you can make sure that your forms are filled in by humans, and not some bot that tries to gain information, whether it's useful or not. *CAPTCHA * In order to prevent non humans from filling in forms one tries to generate something that can only be read by the human eye. The user needs to enter something he/she sees within a graphical representation. It needs to be something subjective, since the interpretation of butterflies would generate more discussion and confusion than needed. The technology usually used for this is in general based on CAPTCHA (http://www.captcha.net/). The CAPTCHA Project is a project of the School of Computer Science at Carnegie Mellon University . CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.”. Fascinating to see that the 55 year old Turing test (http://cogprints.org/499/00/turing.html) is now generated by computers which themselves can't solve the tests. At least that's the general perception. People from the {code:html}UC Berkeley Computer Vision Group {code} and the PWNtcha (http://sam.zoy.org/pwntcha/) ( Pretend We're Not a Turing Computer but a Human Antagonist) project claim to be able to decode a CAPTCHA. My heart didn't miss a beat though, since I don't have any. So we continue this web log with an easy mind. The CAPTCHA protection is certainly better than no protection, and cracking one CAPTCHA doesn't mean that all of them are vulnerable. *Off the shelf * But how do we implement this? The lazy way can be the implementation of external software or services like HumanVerify (http://www.humanverify.com/genregister.asp). It all depends on your needs, and the deepness of your pockets. However, since you are all developers you are probably more interested in doing it yourselves. I n his article , Rajesh Khanna Venkatesan elaborates on how to use the JCATCHAs API for implementation within Enterprise Portal. I will show things for PHP and the implementation within BSPs. CAPTCHA's for PHP come in different flavours: • CAPTCHA.net (http://captchas.net/sample/php/) • freecap (http://www.puremango.co.uk/cm_freecap_113.php) • HN Captcha (http://hn273.users.phpclasses.org/browse/package/1569.html) • Veriword (http://www.phpclasses.org/browse/package/1768.html) • Text_CAPTCHA (http://pear.php.net/package/Text_CAPTCHA/download/0.1.3/) Personally I like the HN Captcha class very much, and I decided to use this as a base for ‘porting' to the BSP world. There are two ways to implement this: the easy … and the easy way (there is no Hard Way ) . The easiest way is to download the original code and use it as is. It's a self containing PHP class with features like hacking prevention, limitation of user attempts and auto key generation. This will run on your web server with PHP (compiled with GD) out of the box. You only need to include SAP RFC calls in the main PHP program you write. *DIY (https://weblogs.sdn.sap.com/weblogs/images/19902/robo.jpg)* In this web log, I will cover the other way, meaning using the PHP class for the less obvious things which can't be handled in BSP applications. For that purpose I've modified and stripped down the original code to the bare necessity, which in this case is the creation of a CAPTCHA gif. The result can be downloaded at this location . You mustn't rest on your laurels after the download though as there is still some extra work to do: Step 1: place the download class in the place where you mostly put your PHP classes. DON'T put the code where it's widely accessible from the outside world. Step2: make a PHP calling script, which just loads the class, sets the configuration and triggers the correct function. Again, place the code in a safe place, but make it callable from SAP. A sample calling script could look something like this. #!/usr/bin/php -q // Please type in all needed values before run the script! // the class itself from the download require_once("bsp_captcha.class.php"); // I need two key to work further on if ($argc != 3) { die ("
please provide both keys"); } else { // ConfigArray $CAPTCHA_INIT = array( // string: absolute path (with trailing slash!) // to a writeable tempfolder which is also accessible via HTTP! 'tempfolder' => '/usr/local/sap/htdocs/temp/', // string: absolute path (with trailing slash!) to folder // which contains your TrueType-Fontfiles. 'TTF_folder' => ' /usr/local/share/fonts/ttfonts ' , // mixed (array or string): basename(s) of TrueType-Fontfiles 'TTF_RANGE' => array( 'COMIC.TTF','BOOK.TTF','KARTIKA.TTF','SMUDGER.TTF','HOLIDAY.TTF','GEORGIA.TTF'), 'chars' => 5, // integer: number of chars to use for ID 'minsize' => 20, // integer: minimal size of chars 'maxsize' => 30, // integer: maximal size of chars // integer: define the maximal angle for char-rotation, // good results are between 0 and 30 'maxrotation' => 25, 'noise' => TRUE, // boolean: TRUE = noisy chars | FALSE = grid 'websafecolors' => FALSE, // boolean 'public_key' => $argv[1], // string: key used for file name 'private_key' => $argv[2], // string: key used for CAPTCHA 'debug' => FALSE // boolean ); $captcha =& new bsp_captcha($CAPTCHA_INIT); $captcha->make_captcha(); } ?> Some additional explanation of the parameters: • the tempfolder should be a public folder configured for static content within ICM. See this help (http://help.sap.com/saphelp_webas610/helpdata/en/c4/87153a1a5b4c2de10000000a114084/content.htm) for further details. • the TTF_RANGE is a selection of the True Type Fonts available in TTF_Folder • chars indicates the amount of chars/numbers the user needs to enter • public_key and private_key are parameters we need to provide via the BSP applications. There are respectively the file name and the content of the CAPTCHA • noise indicates the type of background you want. It's best demonstrated with examples. Without noise:
With noise: 
{code} Hi, I'm EDI (Electronic Device with Intelligence). I will be taking over control for as long as Eddy is unavailable. Maybe I already did a long while ago and the assumption made in Bangalore (SDN Meets Labs and Netweaver Tech Tour - Bangalore) was correct, only the name was slightly wrong, and that the correct question should have been “Is Eddy for real?”. Maybe he isn't at all and My Creator has been pulling everybody's legs. The guy you've seen in Walldorf could just have been a third-class actor (http://kaastink.idizaai.be/). Or maybe he is even a DJ (http://www.hollandrocks.nl/jump/bio/bz2859.html) IRL - hence the multitude of musical references in his web logs and articles; btw, he was rather impressed by the musical knowledge of the SDN community since nobody wondered who D. Jones (Jacket required) is. There is a possibility that My Creator has devised a more advanced version of SCIgen (A Simulation of Semaphores) or the Language virus (http://www.languageisavirus.com/) machine. Or maybe I'm a self typing Optimus (http://www.artlebedev.com/portfolio/optimus/) keyboard and I am therefore the real author of all web logs and articles. Maybe, maybe not. It's possible though. After all, Kraftwerk was able to let robots play whole gigs whilst the artists stood in the audience and watched the show themselves. That's an idea, me doing a BoF session (http://wiki.sdn.sap.com/teched05/index.cgi?Vienna_BOF) at TechEd instead of Eddy (crystallized as {code:html}travel robot{code}). Wouldn't it be something? *Robot * Let there be something clear from the start. I am NOT a robot. As Wikipedia says “in practical usage, a robot is a mechanical device which performs automated physical tasks, either according to direct human supervision, a pre-defined program or, a set of general guidelines using artificial intelligence techniques”. I'm far more advanced than a robot, which to me is a dumb thing that can only execute stuff it's programmed to do, or in the best case act as camel jockey (http://news.nationalgeographic.com/news/2005/07/0715_050715_robot_jockey.html) or play soccer (http://www.robocup.org/), which I hate btw. I must admit that the first prototypes of me did rather resemble robot look-alikes. In order to prevent any copyrights infringement, the actual pictures of these prototypes are concealed somewhere in here. There is also another reason why I don't like to be called a robot. The term robot has a negative connotation these days, certainly when it comes to internet technology, and of course spam. Some of these reasons were already mentioned in “ Mr Spamman, don't bring me a dream (/people/eddy.declercq/blog/2005/03/17/mr-spamman-don146t-bring-me-a-dream)” and “ A Simulation of Semaphores (A Simulation of Semaphores)”, and will be explained in detail at TechEd ‘05. In this web log I will simply explain how you can make sure that your forms are filled in by humans, and not some bot that tries to gain information, whether it's useful or not. *CAPTCHA * In order to prevent non humans from filling in forms one tries to generate something that can only be read by the human eye. The user needs to enter something he/she sees within a graphical representation. It needs to be something subjective, since the interpretation of butterflies would generate more discussion and confusion than needed. The technology usually used for this is in general based on CAPTCHA (http://www.captcha.net/). The CAPTCHA Project is a project of the School of Computer Science at Carnegie Mellon University . CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.”. Fascinating to see that the 55 year old Turing test (http://cogprints.org/499/00/turing.html) is now generated by computers which themselves can't solve the tests. At least that's the general perception. People from the {code:html}UC Berkeley Computer Vision Group {code} and the PWNtcha (http://sam.zoy.org/pwntcha/) ( Pretend We're Not a Turing Computer but a Human Antagonist) project claim to be able to decode a CAPTCHA. My heart didn't miss a beat though, since I don't have any. So we continue this web log with an easy mind. The CAPTCHA protection is certainly better than no protection, and cracking one CAPTCHA doesn't mean that all of them are vulnerable. *Off the shelf * But how do we implement this? The lazy way can be the implementation of external software or services like HumanVerify (http://www.humanverify.com/genregister.asp). It all depends on your needs, and the deepness of your pockets. However, since you are all developers you are probably more interested in doing it yourselves. I n his article , Rajesh Khanna Venkatesan elaborates on how to use the JCATCHAs API for implementation within Enterprise Portal. I will show things for PHP and the implementation within BSPs. CAPTCHA's for PHP come in different flavours: • CAPTCHA.net (http://captchas.net/sample/php/) • freecap (http://www.puremango.co.uk/cm_freecap_113.php) • HN Captcha (http://hn273.users.phpclasses.org/browse/package/1569.html) • Veriword (http://www.phpclasses.org/browse/package/1768.html) • Text_CAPTCHA (http://pear.php.net/package/Text_CAPTCHA/download/0.1.3/) Personally I like the HN Captcha class very much, and I decided to use this as a base for ‘porting' to the BSP world. There are two ways to implement this: the easy … and the easy way (there is no Hard Way ) . The easiest way is to download the original code and use it as is. It's a self containing PHP class with features like hacking prevention, limitation of user attempts and auto key generation. This will run on your web server with PHP (compiled with GD) out of the box. You only need to include SAP RFC calls in the main PHP program you write. *DIY (https://weblogs.sdn.sap.com/weblogs/images/19902/robo.jpg)* In this web log, I will cover the other way, meaning using the PHP class for the less obvious things which can't be handled in BSP applications. For that purpose I've modified and stripped down the original code to the bare necessity, which in this case is the creation of a CAPTCHA gif. The result can be downloaded at this location . You mustn't rest on your laurels after the download though as there is still some extra work to do: Step 1: place the download class in the place where you mostly put your PHP classes. DON'T put the code where it's widely accessible from the outside world. Step2: make a PHP calling script, which just loads the class, sets the configuration and triggers the correct function. Again, place the code in a safe place, but make it callable from SAP. A sample calling script could look something like this. #!/usr/bin/php -q // Please type in all needed values before run the script! // the class itself from the download require_once("bsp_captcha.class.php"); // I need two key to work further on if ($argc != 3) { die ("please provide both keys"); } else { // ConfigArray $CAPTCHA_INIT = array( // string: absolute path (with trailing slash!) // to a writeable tempfolder which is also accessible via HTTP! 'tempfolder' => '/usr/local/sap/htdocs/temp/', // string: absolute path (with trailing slash!) to folder // which contains your TrueType-Fontfiles. 'TTF_folder' => ' /usr/local/share/fonts/ttfonts ' , // mixed (array or string): basename(s) of TrueType-Fontfiles 'TTF_RANGE' => array( 'COMIC.TTF','BOOK.TTF','KARTIKA.TTF','SMUDGER.TTF','HOLIDAY.TTF','GEORGIA.TTF'), 'chars' => 5, // integer: number of chars to use for ID 'minsize' => 20, // integer: minimal size of chars 'maxsize' => 30, // integer: maximal size of chars // integer: define the maximal angle for char-rotation, // good results are between 0 and 30 'maxrotation' => 25, 'noise' => TRUE, // boolean: TRUE = noisy chars | FALSE = grid 'websafecolors' => FALSE, // boolean 'public_key' => $argv[1], // string: key used for file name 'private_key' => $argv[2], // string: key used for CAPTCHA 'debug' => FALSE // boolean ); $captcha =& new bsp_captcha($CAPTCHA_INIT); $captcha->make_captcha(); } ?> Some additional explanation of the parameters: • the tempfolder should be a public folder configured for static content within ICM. See this help (http://help.sap.com/saphelp_webas610/helpdata/en/c4/87153a1a5b4c2de10000000a114084/content.htm) for further details. • the TTF_RANGE is a selection of the True Type Fonts available in TTF_Folder • chars indicates the amount of chars/numbers the user needs to enter • public_key and private_key are parameters we need to provide via the BSP applications. There are respectively the file name and the content of the CAPTCHA • noise indicates the type of background you want. It's best demonstrated with examples. Without noise:
With noise:
11 Comments
