PHP 5 Advanced: Visual QuickPro Guide | Page 3
Script 4.1. This page both displays a registration form and processes it. The script validates the submitted data using various functions, and then reports any errors.
- If possible, use the POST method in your forms. POST has a limitation in that the resulting page cannot be bookmarked, but it is far more secure and does not have the limit on transmittable data size that GET does. If a user is entering passwords, you really must use the POST method lest the password be visible.
- Placing hidden values in HTML forms can be a great way to pass information from page to page without using cookies or sessions. But be careful what you hide in your HTML code, because those hidden values can be seen by viewing a page's source. This technique is a convenience, not a security measure.
- Similarly, you should not be too obvious or reliant upon information PHP passes via the URL. For example, if a
homepage.phppage requires receipt of a user ID—and that is the only mandatory information for access to the account—someone else could easily break in (e.g.,
www.example.com/userhome.php?user=2could quickly be turned into
www.example.com/userhome.php?user=3, granting access to someone else's information).
Popular in many of today's forms is captcha, short for "completely automated public Turing test to tell computers and humans apart" (now that's an acronym!). A captcha test displays an image with a word or some letters written in it, normally in a nonlinear fashion. In order to successfully complete the form, the text from the image has to be typed into a box. This is something a human user could do but a bot could not.
If you do want to add this feature to your own sites, using the PEAR Text_CAPTCHA package would be the easiest route. Otherwise, you could generate the images yourself using the GD library. The word on the image should be stored in a session so that it can be compared against what the user typed.
The main caveat with captcha tests is that they do restrict the visually impaired from completing that form. You should be aware of this, and provide alternatives. Personally, I think that bots can be effectively stopped by just adding another input to your form, with an easy-to-answer question (like "What is 2 + 2?"). Humans can submit the answer, whereas bots could not.