
Visual Verification in PHP
The form
We have created our random image function and saved it as rand_img.php; we'll include it as a separate script that generates the image. Now we need to create a new PHP file that does two things: (1) includes "rand_img.php" and (2) builds the form.
Code:
<?php
include_once('rand_img.php');
$str = gen_rand_img();

?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<label for="vimg">Verification Code:<br>
<img src="rand_image.gif" id="vimg">
</label>
<br>
<label for="vcode">Enter Code Below:<br>
<input type="text" name="vcode" style="font-variant: small-caps;" maxlength="6" id="vcode">
</label><br>

<input type="hidden" name="_vcode" value="<?php echo md5($str); ?>">
<input type="submit" name="Submit" value="Verify">
</form>
You may be wondering why we hash the string before putting it in the hidden field. We do this so that a "smart" hacker who views the page source looking for the verification string only finds a hash. As you'll see in a moment, even if they copy and paste that hash into the form, it will not validate.

NOTE: There may be a way to recover the original string from an md5 hash, so you can substitute any hashing method you prefer, as long as it works equally well. For the purposes of this article, we'll be using md5.

So we've got our form, how about we write the code to check it:
Check Validity:
<?php
// Only run the check when the form has actually been submitted.
if(isset($_POST) && !empty($_POST))
{
	// Hash the submitted code (uppercased) and compare it with the hidden hash.
	if(md5(strtoupper($_POST['vcode'])) == $_POST['_vcode'])
	{
		echo '<h3 style="color: #090;">Verified!!</h3>';
	}
	else
	{
		echo '<h3 style="color: #f00;">Unverified!!</h3>';
	}
}
?>
What we do here is check whether the form was submitted. If it was, we generate an md5 hash of the submitted code (converted to uppercase). If that hash equals the hash in the hidden field, we tell the user it validated; otherwise, we tell them it failed.

You may be wondering how this deters someone from submitting the hash from the hidden field as the code. If they do, we hash it again, producing a hash of the hash. So it's the equivalent of saying:
Example:
md5(md5('some random string'));
A hacker can't submit the md5 hash from the hidden field and have it validate directly. A second safeguard is the maxlength attribute on the input field: even if they try to submit the hash, they can only enter six (or however many) characters of it.
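As an added example (not the article's own code), here is the same form and check with the expected code kept in the server session instead of a hidden field, so nothing the browser sends is trusted as the answer key. It assumes, as in the article, that gen_rand_img() from rand_img.php writes rand_image.gif and returns the uppercase code it drew.

```php
<?php
// Added example, not the article's own code. Assumes gen_rand_img() from
// rand_img.php writes rand_image.gif and returns the (uppercase) code it drew.
session_start();                       // must run before any output
include_once('rand_img.php');

// Hardened check: the expected code never leaves the server. The article's
// hidden md5 field can be recovered offline (only 6 characters from a small
// alphabet) and is supplied by the same client that supplies the answer, so
// the comparison is made against session state instead.
function issue_code(): string
{
    $str = gen_rand_img();
    $_SESSION['vcode'] = strtoupper($str);
    return $str;
}

function verify_session(array $post): bool
{
    if (!isset($_SESSION['vcode'], $post['vcode'])) {
        return false;
    }
    $expected = $_SESSION['vcode'];
    unset($_SESSION['vcode']);         // one attempt per image: no retries
    // hash_equals() is a strict, constant-time comparison; PHP's loose ==
    // treats numeric-looking strings as numbers.
    return hash_equals($expected, strtoupper(trim((string) $post['vcode'])));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo verify_session($_POST)
        ? '<h3 style="color: #090;">Verified!!</h3>'
        : '<h3 style="color: #f00;">Unverified!!</h3>';
}
issue_code();                          // fresh code for the form below
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<label for="vimg">Verification Code:<br>
<img src="rand_image.gif" id="vimg">
</label><br>
<label for="vcode">Enter Code Below:<br>
<input type="text" name="vcode" maxlength="6" id="vcode">
</label><br>
<input type="submit" name="Submit" value="Verify">
</form>
```

Because the code is consumed on the first attempt, a wrong answer always yields a new image rather than another try at the same one.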
We're Done!!
That's it, we're done! You can test it out for yourself: as long as you input the proper string, it will verify; otherwise, it won't. You can modify the check to return TRUE or FALSE rather than echo a message, which makes it easy to incorporate into an email form's verification step.

I hope you have found this to be fun and useful. Use this knowledge and help knock back the "spam" from your website's email form!! As always, if you need help with any of this, contact me through the boards, my name is bpat1434.

Source & Working Example
If you would like to see this code in action, you can view it on my personal website:
Working Example
Source




Comments:
Guest (05/14/08 12:50): Links to Working Example and Source dead