Securing Forms Random Image
Posted on 17 Jan 2006
by Olav Alexander Mjelde (DaButcher)
There are several different applications for securing your forms:
- You don't want someone double-posting
- You want to protect your pages from computerized registrations (spam)
- You want to protect some pages from Google or others, without
There are some considerations which might actually block people from your forms:
- People who are visually impaired will not see the image!
- People who use non-GUI browsers will not see the image!
Simple steps to help those with no GUI
Provide an alternative way of input, so that the visually impaired can contact you. This might include options like:
- Emailing you for manual input
- Some sort of override function, if they type some secret code in the query string
There are several ways to do this, and I urge you to think about it and consider that not everyone on the web has the same advantages as you and I. Those advantages include that you and I can see images in our web browsers.
If you are someone who wants things quick and simple, this is a good code sample for your further reading. While some people might use MySQL for a system like this, you will probably agree that it is not needed once you have seen the result.
Functions Used
To make a script like this, there are several functions that one needs to use. Since this script is quite simply constructed, it does not use a great many functions.
- session_start(): Starts the session
- unset(): Unsets a variable
- header(): Sends a raw HTTP header
- imagecreatefrompng(): Creates a new image from a file or URL
- imagecolorallocate(): Allocates a color for an image
- imagesx(): Returns the width of the image
- imagesy(): Returns the height of the image
- imagestring(): Draws a string horizontally
- imagepng(): Outputs a PNG image to either the browser or a file
- imagedestroy(): Frees any memory associated with an image
- substr(): Returns part of a string
- md5(): Calculates the md5 hash of a string
- time(): Returns the current Unix timestamp
Generating the password, using some of the functions above
As quoted from the manual on www.php.net, time():
Returns the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT).
What does this mean for us?
We want to generate a random password!
Why not use the time() function? time() will be unique, since we all know: time passes!
However, one might think that time() outputs a format which is unnecessarily hard for the user to read (due to the many digits). You and I both know that when we are paying bills, we have to read the account numbers twice or three times to make sure we have written them correctly. This is easier if the key can contain both a-z and 0-9. We all know that time is presented only in 0-9, so how do we do this?
This is why we only use a part of the time() as the key. To also make the key more readable, we wrap the time() inside md5(). The md5 will then make a key with both digits and letters (a-z, 0-9).
For this tutorial, the key length is set to 6 characters, which should be more than enough for securing your forms. If you want to calculate how secure your key is, the formula is:
Your key will have a pattern like xxxxxx (6 characters).
Each character might be a-z or 0-9, which gives 25 possibilities in a-z plus 10 possibilities in 0-9.
35 ^ 6 = 1 838 265 625 combinations for that key length.
1 / 1 838 265 625 ~~ impossible.
Keeping the user on the inside
There are several ways of making a login script.
While "regular" variables need to be passed in the query string, session variables do not. You simply start the session with session_start() at the very top of your script. After that is done, you set the wanted variables with
$_SESSION['variable_name'] = "value";
Check for authentication
This first file checks whether the user is authenticated. If not, it generates a random image. Once that image has been generated, the input by the user must EQUAL the key that the image is based on.
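The check described above, as an added example that is not the article's own code: the article's substr(md5(time())) key is shown beside a generator that draws from the whole a-z plus 0-9 alphabet, and the comparison is made constant-time and single-use. The file name check.php and the form markup are assumptions; img.php is the article's image generator, which draws $_SESSION['key'].

```php
<?php
// Added example, not the article's own code: the session/key flow the
// article describes, with the article's generator beside one that spans
// the whole a-z0-9 alphabet. File name check.php is an assumption.
session_start();

// The article's construction: the first six characters of md5(time()).
// md5() output is hexadecimal, so each position has only 16 possibilities
// (16^6 = 16,777,216 keys), and time() changes once per second, so anyone
// who knows roughly when the key was issued can narrow it down further.
function article_key(): string
{
    return substr(md5((string) time()), 0, 6);
}

// Hardened generator: random_int() (a CSPRNG in PHP 7+) over 36 characters,
// which is the a-z plus 0-9 keyspace the article's estimate reasons about.
function random_key(int $length = 6): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, 35)];
    }
    return $key;
}

// Compare the submitted value with the session key. hash_equals() keeps the
// comparison constant-time; the key is unset after a single attempt so the
// same image cannot be replayed or used to double-post.
function check_key(string $submitted): bool
{
    if (!isset($_SESSION['key'])) {
        return false;
    }
    $ok = hash_equals($_SESSION['key'], strtolower(trim($submitted)));
    unset($_SESSION['key']);
    return $ok;
}

if (isset($_POST['key']) && check_key((string) $_POST['key'])) {
    $_SESSION['authenticated'] = true;
}

if (empty($_SESSION['authenticated'])) {
    $_SESSION['key'] = random_key();   // img.php draws this session value
    echo '<form method="post"><img src="img.php" alt="Type the key shown">'
       . ' <input name="key"> <input type="submit" value="Send"></form>';
}
```

A failed attempt discards the old key and issues a fresh one on the next page load, so each image is answerable exactly once.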
The image generator (img.php)
The image generator simply applies a string (from the session variable 'key') on to an image, which in this script has to be