
Plug in PHP 100 POWER SOLUTIONS- P32 pdf


Chapter 6: Forms and User Input
You also need to embed the image URL in a hidden form field so that it can be passed
to the following function where it will be erased from the hard disk when no longer
needed. At the same time, you should embed the value of the token in another hidden
field, like this:
<input type="hidden" name="token" value="$result[1]" />
<input type="hidden" name="image" value="$result[2]" />
Taking all this into account, the following example code creates a Captcha, and then
displays the Captcha image along with a form for requesting the Captcha word to be
entered:
<?php
$result = PIPHP_CreateCaptcha(26, 8, 'captcha.ttf', '',
'!*a&K', '.fs£!+');
echo <<<_END
<img src="$result[2]" /><br />
Please enter the word shown<br />
<form method="post" action="checkcaptcha.php">
<input type="hidden" name="token" value="$result[1]" />
<input type="text" name="captcha" />
<input type="submit" />
</form>
_END;
You may wish to save this example (giving it a filename such as testcaptcha.php) as you’ll
be able to test it with an example from the following plug-in. Or you can download the file
using the Download link at pluginphp.com—look in the folder named 6 in the plug-ins.zip file.
If you would like to have random length words in your Captchas, you can achieve this
by modifying the function call to use the rand() function as in the following, which will
generate a Captcha of between four and ten letters in length:


$result = PIPHP_CreateCaptcha(26, rand(4,10), 'captcha.ttf', '',
'!*a&K', '.fs£!+');
Note that this plug-in relies on the plug-ins PIPHP_GifText(), PIPHP_GD_FN1(), and
PIPHP_ImageAlter(), so they should also appear in the same program file as this one, or
be otherwise included in it.
TIP If you ever find your Captchas are not preventing all bots anymore, perhaps because their image
recognition has improved, I suggest you upload a different TrueType font and start using that.
You could also modify PIPHP_CreateCaptcha() itself and introduce a few more (or use
different) image manipulations.
The Plug-in
function PIPHP_CreateCaptcha($size, $length, $font,
   $folder, $salt1, $salt2)
{
   // Load the word list and keep only words of the requested length
   $file  = file_get_contents('dictionary.txt');
   $temps = explode("\r\n", $file);
   $dict  = array();

   foreach ($temps as $temp)
      if (strlen($temp) == $length)
         $dict[] = $temp;

   // Pick a word; the token is the salted md5() of it and also
   // names the image file
   $captcha = $dict[rand(0, count($dict) - 1)];
   $token   = md5("$salt1$captcha$salt2");
   $fname   = $folder . $token . ".gif";

   // Render the word as a GIF, then distort the image
   PIPHP_GifText($fname, $captcha, $font, $size, "444444",
      "ffffff", $size / 10, "666666");
   $image = imagecreatefromgif($fname);
   $image = PIPHP_ImageAlter($image, 2);
   $image = PIPHP_ImageAlter($image, 13);

   for ($j = 0 ; $j < 3 ; ++$j)
      $image = PIPHP_ImageAlter($image, 3);
   for ($j = 0 ; $j < 2 ; ++$j)
      $image = PIPHP_ImageAlter($image, 5);

   imagegif($image, $fname);
   return array($captcha, $token, $fname);
}
Check Captcha
Once you have created a Captcha image and asked a user to type it in, you can use this
plug-in to verify their input, and determine whether they entered the correct word. Figure 6-4
shows the plug-in being used.
FIGURE 6-4 This plug-in verifies a Captcha word entered by a user.

About the Plug-in
This plug-in verifies the Captcha word input by a user, in response to a request made using
a Captcha created with plug-in 33, PIPHP_CreateCaptcha(). It takes these arguments:
• $captcha The Captcha as typed in by a user
• $token The token representing the current Captcha
• $salt1 The first salt string
• $salt2 The second salt string
Variables, Arrays, and Functions
• None
How It Works
The first thing this function does is remove the Captcha GIF image from the hard disk, if it
still exists. It then returns the result of recreating the md5() hash from plug-in 33, based
on the user string provided in $captcha, and the two salts in $salt1 and $salt2.
As long as the salts are the same as when the Captcha was created, if the user has typed
in the correct Captcha word, then the result of concatenating all three and passing them to the
md5() function will be the same as the value stored in $token, in which case a value of
TRUE is returned. Otherwise, the correct word was not entered and FALSE is returned.
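One way to do the image-removal step without trusting a posted image field, as an added example rather than the book's code: because PIPHP_CreateCaptcha() names the file $folder . $token . ".gif", the path can be rebuilt from a token that has first been checked to be 32 hex digits. The function names and the demo folder are assumptions.

```php
<?php
// Added example, not the book's code; function names are hypothetical.

function captcha_image_path($token, string $folder): ?string
{
    // PIPHP_CreateCaptcha() tokens are md5() output: 32 lowercase hex digits.
    // Anything else (slashes, dots, arrays from token[]=x) is rejected.
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    // '' means the current folder, as in the book's example call.
    $folder = $folder === '' ? '.' : rtrim($folder, '/');
    return "$folder/$token.gif";
}

function captcha_image_remove($token, string $folder): bool
{
    $path = captcha_image_path($token, $folder);
    return $path !== null && is_file($path) && unlink($path);
}

// Constructed demo: a throwaway folder holding one Captcha image and one
// unrelated file that must survive.
$folder = sys_get_temp_dir() . '/captcha_demo_' . bin2hex(random_bytes(4));
mkdir($folder);
$token = md5('constructed-sample');
file_put_contents("$folder/$token.gif", 'GIF89a');
file_put_contents("$folder/keep.txt", 'unrelated');

var_dump(captcha_image_remove('../' . basename($folder) . '/keep.txt', $folder)); // path-like value
var_dump(captcha_image_remove($token, $folder));   // well-formed token
var_dump(captcha_image_remove($token, $folder));   // same token again
var_dump(is_file("$folder/keep.txt"));             // state of the unrelated file

unlink("$folder/keep.txt");
rmdir($folder);
```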
How to Use It
After a Captcha has been created using the previous plug-in, you will have been provided
with the location of a GIF image and a token representing the Captcha. Using these you will
then have displayed the image and provided a web form requesting that the user type in
the word in the Captcha image. This form will now have been posted to your server and the
two items of data received will be:
• $_POST['captcha'] The Captcha text entered by the user
• $_POST['token'] The token embedded in the hidden form field
Using these values, the following example code will verify the Captcha word as entered
by the user.
if (PIPHP_CheckCaptcha($_POST['captcha'], $_POST['token'],
'!*a&K', '.fs£!+')) echo "Captcha verified";
else echo "Captcha failed";
Note that the two salts are not passed as arguments because they are a secret and only
your code should know them. Just ensure that you use the same salts for both
PIPHP_CreateCaptcha() and PIPHP_CheckCaptcha() or the plug-ins won’t work.
If you wish to test the example code (testcaptcha.php) in the previous plug-in, type in
the preceding example and save it as checkcaptcha.php and it will verify the result of using the
Captcha. Both of these programs can be found in a folder named 6 of plug-ins.zip available
using the Download link at pluginphp.com. By the way, the file plugin34.php, which is in the
same folder of the zip file, simulates creating a Captcha, posting it, and verifying it, all in a
single program.
After a while you will find that your folder of Captcha images gets quite full. You may
therefore wish to use code, such as the following, to clear these files out every now and then:
foreach (glob("*.gif") as $file)
   if (time() - filectime($file) > 300)
      unlink($file);
What the code does is use the glob() function to search for all files with a .gif extension
and then, if they are more than 5 minutes (300 seconds) old, they are removed using the
unlink() function. If the files are in a different folder then you should ensure that you have
first assigned that name to a variable called $folder, and that it has a trailing /, for example,
using a value such as images/ if your folder is called images. Then you can use the following
code instead:
foreach (glob($folder . "*.gif") as $file)
   if (time() - filectime($file) > 300)
      unlink($file);
The Plug-in
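function PIPHP_CheckCaptcha($captcha, $token,
   $salt1, $salt2)
{
   // Strict comparison: with ==, two strings that both look like
   // numbers (such as 0e followed by digits) compare as equal
   return $token === md5("$salt1$captcha$salt2");
}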
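A hardened variant of the token check, as an added example that is not the book's code: md5() of salt plus word yields the same token every time a given word is shown and the token never expires, so this version binds the word to an expiry time and a random nonce with HMAC-SHA256, compares with hash_equals(), and accepts each nonce only once. It goes beyond the plug-in as printed; the function names, the key and the in-memory $used array (standing in for a session or cache) are assumptions.

```php
<?php
// Added example, not the book's code. Function names, the key and the
// $used array are hypothetical; a real site would keep used nonces in a
// session or cache until they expire.

function captcha_token_create(string $word, string $key, int $ttl = 300, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $nonce   = bin2hex(random_bytes(8));      // makes every token unique
    $mac     = hash_hmac('sha256', "$expires|$nonce|$word", $key);
    return "$expires.$nonce.$mac";
}

function captcha_token_check($input, $token, string $key, array &$used, ?int $now = null): bool
{
    // POST fields can arrive as arrays (token[]=x); accept strings only.
    if (!is_string($input) || !is_string($token)) return false;

    $parts = explode('.', $token);
    if (count($parts) !== 3) return false;
    [$expires, $nonce, $mac] = $parts;

    // Reject malformed or expired tokens before doing any hashing.
    if (!ctype_digit($expires) || (int)$expires < ($now ?? time())) return false;

    // Constant-time comparison with no numeric-string juggling.
    $expected = hash_hmac('sha256', "$expires|$nonce|$input", $key);
    if (!hash_equals($expected, $mac)) return false;

    // A solved Captcha may be redeemed once.
    if (isset($used[$nonce])) return false;
    $used[$nonce] = true;
    return true;
}

// Constructed demo values; timestamps are passed in so the run is repeatable.
$key   = 'replace-with-a-long-random-secret';
$used  = [];
$token = captcha_token_create('garden', $key, 300, 1000);
$other = captcha_token_create('garden', $key, 300, 1000);

var_dump(captcha_token_check('garden', $token, $key, $used, 1100)); // first submission
var_dump(captcha_token_check('garden', $token, $key, $used, 1100)); // same token again
var_dump(captcha_token_check('gardem', $other, $key, $used, 1100)); // mistyped word
var_dump(captcha_token_check('garden', $other, $key, $used, 2000)); // after expiry
```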

Validate Text
Processing user input takes a lot of work, especially when you need data to be in a certain
format or to fit within various constraints. Using this plug-in you can check user input to
ensure it is the right length and contains the right types of data, whether alphabetical,
numeric, or something else.
It’s also highly versatile, allowing you to specify the allowed characters (and therefore
those that are disallowed), as well as types of characters that must be used. Figure 6-5
shows two different strings being validated.
About the Plug-in
This plug-in accepts a string to be validated, along with parameters describing what is and
isn’t allowed in the string. On failure, the function returns a two-element array: the first
element is the value FALSE and the second is an array of error messages. On success, it returns a
single element with the value TRUE. It takes these arguments:
• $text The text to be validated
• $minlength The minimum acceptable length
• $maxlength The maximum acceptable length

• $allowed The characters that are allowed in the text. Any characters can be
entered here, including ranges indicated by using a - character, such as a-zA-Z.
• $required Types of characters of which at least one of each must be in the text,
out of a, l, u, d, w, and p which, in order, stand for any letter, lowercase, uppercase,
digit, word (any letter or number), or punctuation.
Variables, Arrays, and Functions
$len Integer containing the length of $text
$error Array of all error message strings
$result Integer result of matching the $allowed characters
$caught String containing matched characters from $allowed
$plural String with the value “ is”, or “s are” if there is more than one match
$j Loop counter
How It Works
This plug-in sets the value of $len to the length of $text, and after initializing the array
$error ready to hold any error messages, it checks whether $len is smaller or larger than
the required minimum and maximum lengths. If either is the case, a suitable error message
is added to the $error array.
Next the preg_match_all() function is called to check for the existence of any
characters not in the string $allowed, which contains a list of all allowed characters,
including supporting ranges created using the - character. Thus, instead of having to use
the string abcde, the equivalent of a-e is allowed; so, for example, to accept all upper- and
lowercase letters, the string a-zA-Z could be used.
FIGURE 6-5 Processing form input is now easier than ever using this plug-in.
