User online php script


Protect Your Online Forms




Mass e-mailer Alan Ralsky made the mistake in November 2002 of trumpeting his tales of spamming success to a reporter for the Detroit Free Press. Internet users struck back, flooding Mr. Ralsky's postal mailbox with catalogs and other physical junk mail—no doubt chuckling when the target of their snail-mail attack carped about the resulting nuisance.

This episode offers a chilling lesson for Web developers: Your Web forms are vulnerable to abuse. If you have an online catalog-request form, just imagine how a script that submits thousands of bogus requests could ratchet up your printing and mailing costs. Or if you require registration, consider that a malicious user could create a bevy of sham accounts for nefarious purposes. So what can you do to keep hackers from counterfeiting requests?

You need to look only as far as the registration forms on sites like eBay or Hotmail to see one countermeasure, a technique that's known as a reverse Turing test or a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). A reverse Turing test gates registration upon a task that's relatively easy for people but daunting for automated systems; often that task is to read and input a series of letters that have been deformed or obscured in ways that challenge OCR (optical character recognition) systems but remain intelligible to most human users. (See "CAPTCHA-ing the Spammer".)

Here's how you can implement a simple CAPTCHA system of your own. You'll need to write a routine as the centerpiece of your system, one that accepts a CGI or session parameter (the key) that's unique to each visitor, uses that key to seed a random-number generator, and then picks a random "target" word for each user to guess. Then you'll need two more things: a program to turn the target text into an image and obscure it somehow, and a simple Web form and response script, which will ask for and then verify a user's interpretation of the image.

For creating and manipulating the image at your site, we recommend ImageMagick (www.imagemagick.com), a highly flexible set of open-source libraries that provides APIs for C, Perl, Java, PHP, Visual Basic, and a variety of other languages.

Using your favorite language, write a program that

- accepts the key via a CGI or session parameter;
- generates the corresponding target text;
- calls ImageMagick to create an image containing the target text and any obfuscation you desire;
- returns the resulting image.

Publish this script on your Web server so you can run it directly from a URL. For example, point your browser to two URLs like these: www.mysite.com/make_image?12345 and www.mysite.com/make_image?12346 to load two different CAPTCHA images into your browser window.

Then you'll need to modify your order or registration page to generate it dynamically, including a randomly selected key. This key serves to request a specific CAPTCHA image and to let the form-response logic compare the submitted response with the expected response. Your form HTML will likely end up looking like this:

<p>What word is hidden in this image?</p>
<p><img src="/make_image?12345"></p>
<form action="match_word" method="post">
  <input type="hidden" name="code" value="12345">
  <input type="text" name="captcha">
  <input type="submit" value="submit">
</form>

(where 12345 is the randomly generated key). The <img> tag loads the dynamically generated CAPTCHA image for the specific key, and the hidden input field sends the key back to the server so it can determine which CAPTCHA image was included when the page was displayed. Alternatively, if you're using a session-management system, you could store the key as part of each user's session information rather than embedding it in the form.

Finally, modify your form validation logic to determine the target text for the submitted key and compare it against the text that each user enters. If the two don't match, reject the submission and prompt the user to try again.

This basic CAPTCHA implementation suffers from a serious flaw: An attacker could simply solve a single CAPTCHA, create a knockoff of your form using the same key and known target text, and submit that form repeatedly. To avoid this, modify your random key selection so that the same key is never used twice and so that used keys are recorded and subsequent attempts to register with the same key are rejected.
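The validation step and the single-use-key fix described above can be sketched as follows. This is an added example, not code from the original article; it derives the target word with a keyed hash (HMAC) instead of seeding a random-number generator, and it tracks issued keys and deletes each on first use, which has the same effect as recording used keys. The word list, SERVER_SECRET, KEY_TTL and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
WORDS = ["anchor", "bridge", "candle", "damper",
         "engine", "falcon", "garnet", "harbor"]  # constructed sample word list
KEY_TTL = 600  # seconds a challenge stays valid (assumed value)

_issued = {}  # key -> expiry time; a real site would use a shared store (database, cache)


def target_for(key: str) -> str:
    """Derive the target word from the key with a keyed hash, so that
    knowing the key alone does not reveal the word."""
    digest = hmac.new(SERVER_SECRET, key.encode(), hashlib.sha256).digest()
    return WORDS[int.from_bytes(digest[:4], "big") % len(WORDS)]


def issue_key(now=None) -> str:
    """Create an unpredictable key for one page view and record it as unused."""
    now = time.time() if now is None else now
    key = secrets.token_hex(16)
    _issued[key] = now + KEY_TTL
    return key


def verify(key: str, answer: str, now=None) -> bool:
    """Check one form submission. The key is consumed on the first attempt,
    right or wrong, so a solved key cannot be replayed or guessed at repeatedly."""
    now = time.time() if now is None else now
    expiry = _issued.pop(key, None)  # unknown or already-used key gives None
    if expiry is None or now > expiry:
        return False
    expected = target_for(key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(answer.strip().lower().encode(), expected.encode())
```

The image script would call target_for() with the key from the URL, and the form handler would call verify() with the hidden "code" field and the "captcha" text field.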

Keep in mind that even the best reverse Turing test is unlikely to be a panacea. Still, it's comforting to know that you can sometimes apply technology to combat the technology that might be maliciously applied to consume your business resources.

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in PC Magazine.
