C h a p t e r 6 : F o r m s a n d U s e r I n p u t 121 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 121 You also need to embed the image URL in a hidden form field so that it can be passed to the following function where it will be erased from the hard disk when no longer needed. At the same time, you should embed the value of the token in another hidden field, like this: <input type="hidden" name="token" value="$result[1]" /> <input type="hidden" name="image" value="$result[2]" /> Taking all this into account, the following example code creates a Captcha, and then displays the Captcha image along with a form for requesting the Captcha word to be entered: <?php $result = PIPHP_CreateCaptcha(26, 8, 'captcha.ttf', '', '!*a&K', '.fs£!+'); echo <<<_END <img src="$result[2]" /><br /> Please enter the word shown<br /> <form method="post" action="checkcaptcha.php"> <input type="hidden" name="token" value="$result[1]" /> <input type="text" name="captcha" /> <input type="submit" /> </form> _END; You may wish to save this example (giving it a filename such as testcaptcha.php) as you’ll be able to test it with an example from the following plug-in. Or you can download the file using the Download link at pluginphp.com—look in the folder named 6 in the plug-ins.zip file. If you would like to have random length words in your Captchas, you can achieve this by modifying the function call to use the rand() function as in the following, which will generate a Captcha of between four and ten letters in length: $result = PIPHP_CreateCaptcha(26, rand(4,10), 'captcha.ttf', '', '!*a&K', '.fs£!+'); Note that this plug-in relies on the plug-ins PIPHP_GifText(), PIPHP_GD_FN1(), and PIPHP_ImageAlter(), so they should also appear in the same program file as this one, or be otherwise included in it. TIP If you ever find your Captchas are not preventing all bots anymore, perhaps because their image recognition has improved, I suggest you upload a different TrueType font and start using that. You could also modify PIPHP_CreateCaptcha() itself and introduce a few more (or use different) image manipulations. The Plug-in function PIPHP_CreateCaptcha($size, $length, $font, $folder, $salt1, $salt2) { 122 P l u g - i n P H P : 1 0 0 P o w e r S o l u t i o n s 122 P l u g - i n P H P : 1 0 0 P o w e r S o l u t i o n s $file = file_get_contents('dictionary.txt'); $temps = explode("\r\n", $file); $dict = array(); foreach ($temps as $temp) if (strlen($temp) == $length) $dict[] = $temp; $captcha = $dict[rand(0, count($dict) - 1)]; $token = md5("$salt1$captcha$salt2"); $fname = $folder . $token . ".gif"; PIPHP_GifText($fname, $captcha, $font, $size, "444444", "ffffff", $size / 10, "666666"); $image = imagecreatefromgif($fname); $image = PIPHP_ImageAlter($image, 2); $image = PIPHP_ImageAlter($image, 13); for ($j = 0 ; $j < 3 ; ++$j) $image = PIPHP_ImageAlter($image, 3); for ($j = 0 ; $j < 2 ; ++$j) $image = PIPHP_ImageAlter($image, 5); imagegif($image, $fname); return array($captcha, $token, $fname);} Check Captcha Once you have created a Captcha image and asked a user to type it in you can use this plug- in to verify their input, and determine whether they entered the correct word. Figure 6-4 shows the plug-in being used. FIGURE 6-4 This plug-in verifies a Captcha word entered by a user. 34 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 123 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 123 About the Plug-in This plug-in verifies the Captcha word input by a user, in response to a request made using a Captcha created with plug-in 33, PIPHP_CreateCaptcha(). It takes these arguments: • $captcha The Captcha as typed in by a user • $token The token representing the current Captcha • $salt1 The first salt string • $salt2 The second salt string Variables, Arrays, and Functions • None How It Works The first thing this function does is remove the Captcha GIF image from the hard disk, if it still exists, and then returns the result of recreating the md5() hash from plug-in 33, based on the user string provided in $captcha, and the two salts in $salt1 and $salt2. As long as the salts are the same as when the Captcha was created, if the user has typed in the correct hash word, then the result of concatenating all three and passing them to the md5() function will be the same as the value stored in $token. In which case a value of TRUE is returned. Otherwise, the correct word was not entered and FALSE is returned. How to Use It After a Captcha has been created using the previous plug-in, you will have been provided with the location of a GIF image and a token representing the Captcha. Using these you will then have displayed the image and provided a web form requesting that the user type in the word in the Captcha image. This form will now have been posted to your server and the two items of data received will be: • $_POST['captcha'] The Captcha text entered by the user • $_POST['token'] The token embedded in the hidden form field Using these values, the following example code will verify the Captcha word as enter ed by the user. if (PIPHP_CheckCaptcha($_POST['captcha'], $_POST['token'], '!*a&K', '.fs£!+')) echo "Captcha verified"; else echo "Captcha failed"; Note that the two salts are not passed as arguments because they are a secret and only your code should know them. Just ensure that you use the same salts for both PIPHP_ CreateCaptcha() and PIPHP_CheckCaptcha() or the plug-ins won’t work. If you wish to test the example code (testcaptcha.php) in the previous plug-in, type in the preceding example and save it as checkcaptcha.php and it will verify the result of using the Captcha. Both of these programs can be found in a folder named 6 of plug-ins.zip available using the Download link at pluginphp.com. By the way, the file plugin34.php, which is in the 124 P l u g - i n P H P : 1 0 0 P o w e r S o l u t i o n s 124 P l u g - i n P H P : 1 0 0 P o w e r S o l u t i o n s same folder of the zip file, simulates creating a Captcha, posting it, and verifying it, all in a single program. After a while you will find that your folder of Captcha images gets quite full. You may therefore wish to use code, such as the following, to clear these files out every now and then: foreach (glob("*.gif") as $file) if (time() - filectime($file) > 300) unlink($file); What the code does is use the glob() function to search for all files with a .gif extension and then, if they are more than 5 minutes (300 seconds) old, they are removed using the unlink() function. If the files are in a different folder then you should ensure that you have first assigned that name to a variable called $folder, and that it has a trailing /, for example, using a value such as images/ if your folder is called images. Then you can use the following code instead: foreach (glob($folder . "*.gif") as $file) if (time() - filectime($file) > 300) unlink($file); The Plug-in function PIPHP_CheckCaptcha($captcha, $token, $salt1, $salt2) { return $token == md5("$salt1$captcha$salt2"); } Validate Text Processing user input takes a lot of work, especially when you need data to be in a certain format or to fit within various constraints. Using this plug-in you can check user input to ensure it is the right length and contains the right types of data, whether alphabetical, numeric, or something else. It’s also highly versatile, allowing you to specify the allowed characters (and therefor e those that are disallowed), as well as types of characters that must be used. Figure 6-5 shows two different strings being validated. About the Plug-in This plug-in accepts a string to be validated, along with parameters describing what is and isn’t allowed in the string. The function returns a two-element array on failure. The first of which is the value FALSE; the second is an array of error messages. On success, it returns a single element with the value TRUE. It takes these arguments: • $text The text to be validated • $minlength The minimum acceptable length • $maxlength The maximum acceptable length 35 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 125 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 125 • $allowed The characters that are allowed in the text. Any characters can be entered here, including ranges indicated by using a - character, such as a-zA-Z. • $required Types of characters of which at least one of each must be in the text, out of a, l, u, d, w, and p which, in order, stand for any letter, lowercase, uppercase, digit, word (any letter or number), or punctuation. Variables, Arrays, and Functions $len Integer containing the length of $text $error Array of all error message strings $result Integer result of matching the $allowed characters $caught String containing matched characters from $allowed $plural String with the value “ is”, or “s are” if there is more than one match $j Loop counter How It Works This plug-in sets the value of $len to the length of $text, and after initializing the array $error ready to hold any error messages, it checks whether $len is smaller or larger than the required minimum and maximum lengths. If either is the case, a suitable error message is added to the $error array. Next the preg_match_all() function is called to check for the existence of any characters not in the string $allowed, which contains a list of all allowed characters, including supporting ranges created using the - character. Thus, instead of having to use the string abcde, the equivalent of a-e is allowed; so, for example, to accept all upper- and lowercase letters, the string a-zA-Z could be used. FIGURE 6-5 Processing form input is now easier than ever using this plug-in. . example (giving it a filename such as testcaptcha .php) as you’ll be able to test it with an example from the following plug- in. Or you can download the file using the Download link at pluginphp.com—look. this plug- in relies on the plug- ins PIPHP_GifText(), PIPHP_GD_FN1(), and PIPHP_ImageAlter(), so they should also appear in the same program file as this one, or be otherwise included in it. TIP. to type it in you can use this plug- in to verify their input, and determine whether they entered the correct word. Figure 6-4 shows the plug- in being used. FIGURE 6-4 This plug- in verifies a