PHP 5 Advanced: Visual QuickPro Guide | Page 3

[previous]

Security Techniques

Script 4.1. This page both displays a registration form and processes it. The script validates the submitted data using various functions, and then reports any errors.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" /> <title>Registration Form</title> </head> <body> <?php # Script 4.1 - register.php /* This page creates a registration form * which is then validated using various functions. */ if (isset($_POST['submitted'])) { // Handle the form. // Store errors in an array: $errors = array(); // Check for non-empty name: if (!isset($_POST['name']) OR empty($_POST['name'])) { $errors[] = 'name'; } // Validate the email address using eregi(): if (!eregi('^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$', $_POST['email'])) { $errors[] = 'email address'; } // Validate the password using ctype_alnum(): if (!ctype_alnum($_POST['pass'])) { $errors[] = 'password'; } // Validate the date of birth using check_date(): if (isset($_POST['dob']) AND (strlen($_POST['dob']) >= 8) AND (strlen($_POST['dob']) <= 10) ) { // Break up the string: $dob = explode('/', $_POST['dob']); // Were three parts returned? if (count($dob) == 3) { // Is it a valid date? if (!checkdate((int) $dob[0], (int) $dob[1], (int) $dob[2])) { $errors[] = 'date of birth'; } } else { // Invalid format. $errors[] = 'date of birth'; } } else { // Empty or not the right length. $errors[] = 'date of birth'; } // Validate the ICQ number using ctype_digit(): if (!ctype_digit($_POST['icq'])) { $errors[] = 'ICQ number'; } // Check for non-empty comments: if (!isset($_POST['comments']) OR empty($_POST['comments'])) { $errors[] = 'comments'; } if (empty($errors)) { // Success! // Print a message and quit the script: echo '<p>You have successfully registered (but not really).</p></body></html>'; exit(); } else { // Report the errors. echo '<p>Problems exist with the following field(s):<ul>'; foreach ($errors as $error) { echo "<li>$error</li>\n"; } echo '</ul></p>'; } } // End of $_POST['submitted'] IF. // Show the form. ?> <form method="post"> <fieldset> <legend>Registration Form</legend> <p>Name: <input type="text" name="name" /></p> <p>Email Address: <input type="text" name="email" /></p> <p>Password: <input type="password" name="pass" /> (Letters and numbers only.)</p> <p>Date of Birth: <input type="text" name="dob" value="MM/DD/YYYY" /></p> <p>ICQ Number: <input type="text" name="icq" /></p> <p>Comments: <textarea name="comments" rows="5" cols="40"></textarea></p> <input type="hidden" name="submitted" value="true" /> <input type="submit" name="submit" value="Submit" /> </fieldset> </form> </body> </html>

TIPS

• If possible, use the POST method in your forms. POST has a limitation in that the resulting page cannot be bookmarked, but it is far more secure and does not have the limit on transmittable data size that GET does. If a user is entering passwords, you really must use the POST method lest the password be visible.
• Placing hidden values in HTML forms can be a great way to pass information from page to page without using cookies or sessions. But be careful what you hide in your HTML code, because those hidden values can be seen by viewing a page's source. This technique is a convenience, not a security measure.
• Similarly, you should not be too obvious or reliant upon information PHP passes via the URL. For example, if a homepage.php page requires receipt of a user ID—and that is the only mandatory information for access to the account—someone else could easily break in (e.g., www.example.com/userhome.php?user=2 could quickly be turned into www.example.com/userhome.php?user=3, granting access to someone else's information).

Using Captcha

Popular in many of today's forms is captcha, short for "completely automated public Turing test to tell computers and humans apart" (now that's an acronym!). A captcha test displays an image with a word or some letters written in it, normally in a nonlinear fashion. In order to successfully complete the form, the text from the image has to be typed into a box. This is something a human user could do but a bot could not.

If you do want to add this feature to your own sites, using the PEAR Text_CAPTCHA package would be the easiest route. Otherwise, you could generate the images yourself using the GD library. The word on the image should be stored in a session so that it can be compared against what the user typed.

The main caveat with captcha tests is that they do restrict the visually impaired from completing that form. You should be aware of this, and provide alternatives. Personally, I think that bots can be effectively stopped by just adding another input to your form, with an easy-to-answer question (like "What is 2 + 2?"). Humans can submit the answer, whereas bots could not.

[previous]

URL: