PHP 5 Advanced: Visual QuickPro Guide | Page 3 - webreference.com

home / programming / php / php5-advanced

Technical Lead
Thomson Reuters (Markets) LLC
US-NY-New York

Justtechjobs.com

Post A Job | Post A Resume

Developer News

Microsoft Shows Off Silverlight 4, IE9 Plans

Metasploit Expands Vulnerability Test Framework

HyperCard Reborn?

Security Techniques

Script 4.1. This page both displays a registration form and processes it. The script validates the submitted data using various functions, and then reports any errors.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <title>Registration Form</title>
</head>
<body>
<?php # Script 4.1 - register.php

/*  This page creates a registration form
 *  which is then validated using various functions.
 */

if (isset($_POST['submitted'])) { // Handle the form.

// Store errors in an array:
    $errors = array();

// Check for non-empty name:
    if (!isset($_POST['name']) OR empty($_POST['name'])) {
        $errors[] = 'name';
    }

// Validate the email address using eregi():
    if (!eregi('^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$',
$_POST['email'])) {
        $errors[] = 'email address';
    }

// Validate the password using ctype_alnum():
    if (!ctype_alnum($_POST['pass'])) {
        $errors[] = 'password';
    }

// Validate the date of birth using check_date():
if (isset($_POST['dob']) AND
(strlen($_POST['dob']) >= 8) AND
(strlen($_POST['dob']) <= 10) ) {

// Break up the string:
    $dob = explode('/', $_POST['dob']);

// Were three parts returned?
    if (count($dob) == 3) {

// Is it a valid date?
        if (!checkdate((int) $dob[0], (int) $dob[1], (int) $dob[2])) {
            $errors[] = 'date of birth';
        }

} else { // Invalid format.
        $errors[] = 'date of birth';
    }

} else { // Empty or not the right length.
    $errors[] = 'date of birth';
}

// Validate the ICQ number using ctype_digit():
if (!ctype_digit($_POST['icq'])) {
    $errors[] = 'ICQ number';
}

// Check for non-empty comments:
if (!isset($_POST['comments']) OR empty($_POST['comments'])) {
    $errors[] = 'comments';
}

if (empty($errors)) { // Success!

// Print a message and quit the script:
    echo '<p>You have successfully registered (but not really).</p></body></html>';
    exit();

} else { // Report the errors.

echo '<p>Problems exist with the following field(s):<ul>';

foreach ($errors as $error) {
        echo "<li>$error</li>\n";
    }

echo '</ul></p>';

}

} // End of $_POST['submitted'] IF.

// Show the form.
?>
<form method="post">
<fieldset>
<legend>Registration Form</legend>
<p>Name: <input type="text" name="name" /></p>
<p>Email Address: <input type="text" name="email" /></p>
<p>Password: <input type="password" name="pass" /> (Letters and numbers only.)</p>
<p>Date of Birth: <input type="text" name="dob" value="MM/DD/YYYY" /></p>
<p>ICQ Number: <input type="text" name="icq" /></p>
<p>Comments: <textarea name="comments" rows="5" cols="40"></textarea></p>

<input type="hidden" name="submitted" value="true" />
<input type="submit" name="submit" value="Submit" />
</fieldset>
</form>

</body>
</html>

TIPS

If possible, use the POST method in your forms. POST has a limitation in that the resulting page cannot be bookmarked, but it is far more secure and does not have the limit on transmittable data size that GET does. If a user is entering passwords, you really must use the POST method lest the password be visible.
Placing hidden values in HTML forms can be a great way to pass information from page to page without using cookies or sessions. But be careful what you hide in your HTML code, because those hidden values can be seen by viewing a page's source. This technique is a convenience, not a security measure.
Similarly, you should not be too obvious or reliant upon information PHP passes via the URL. For example, if a homepage.php page requires receipt of a user ID—and that is the only mandatory information for access to the account—someone else could easily break in (e.g., www.example.com/userhome.php?user=2 could quickly be turned into www.example.com/userhome.php?user=3, granting access to someone else's information).

Using Captcha

Popular in many of today's forms is captcha, short for "completely automated public Turing test to tell computers and humans apart" (now that's an acronym!). A captcha test displays an image with a word or some letters written in it, normally in a nonlinear fashion. In order to successfully complete the form, the text from the image has to be typed into a box. This is something a human user could do but a bot could not.

If you do want to add this feature to your own sites, using the PEAR Text_CAPTCHA package would be the easiest route. Otherwise, you could generate the images yourself using the GD library. The word on the image should be stored in a session so that it can be compared against what the user typed.

The main caveat with captcha tests is that they do restrict the visually impaired from completing that form. You should be aware of this, and provide alternatives. Personally, I think that bots can be effectively stopped by just adding another input to your form, with an easy-to-answer question (like "What is 2 + 2?"). Humans can submit the answer, whereas bots could not.

home / programming / php / php5-advanced

WebMediaBrands Corporate Info

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs

Whitepapers and eBooks

Microsoft Articles: Visual Studio 2010
Adobe Article: Adobe Helps PHP Developers Create Rich Internet Applications
Microsoft Whitepaper: How Windows Server 2008 R2 Helps Optimize IT and Save You Money
Adobe Article: Java Developers Finding a Home at Adobe Flex
IBM Articles: A Smarter Business Needs Smarter Technology
Intel Xeon Processor Increases Server Efficiency and Capabilities
Intel Tech Brief: Automated Energy Efficiency for the Intelligent Enterprise
Oracle Whitepapers - Innovation for IT Leaders
Avaya Article: Communication-Enabled Mashups--Empowering Both Business Owners and IT

Internet.com eBook: IT Manager's Guide to Social Networking
Internet.com eBook: Get Ready for Windows 7
Microsoft Article: Expression Web 3--New Features for PHP Developers
Whitepapers: Manage Your Business Infrastracture with IBM
Whitepaper: Maximize Your Storage Investment with HP
Internet.com eBook: Becoming a Better Project Manager
Microsoft Article: Stress Free and Efficient Designer/Developer Collaboration
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Webcast: Connecting PHP to Microsoft Technologies
Video: Microsoft Partner Program Benefits
Video: Windows Azure Debugging Tips
SAP BusinessObjects Webcast: Unlock the Power of Reporting with Crystal Reports

IBM Webcast: Speed Business Innovation with Reduced Cost and Risk
Video: Deploy Applications on Windows Azure
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Download: Microsoft Visual Studio 2010 Beta 2
Downloads & Free Trials: Microsoft's New Efficiency Resource Center
Get the Windows 7 SDK

Free Trial: Red Gate SQL Backup Pro 6
Iron Speed Designer Application Generator
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products
All About Botnets

MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES

The latest from WebReference.com

Rolling Out Your Own HTML Application Version Control · HTML 5: Client-side Storage · Working with Ajax Server Extensions

Sitemap · Experts · Tools · Services · Email a Colleague · Contact

FREE Newsletters >

The latest from internet.com

Wi-Fi Product Watch, November 2009 · Chip Market Recovering From '08 Collapse · Low-Cost Tools to Kickstart Your New Business

URL: