Ken Guest, in a response to another post from a different blogger, has posted some of his own validation replacements for the regular expression method the other blogger chose.

I've noticed that Richard Heyes, who professes himself to be a php guru, deleted my comment on his "Some common regular expressions" posting which simply pointed out his expressions didn't quite do the job and suggested a few PEAR packages that should be used instead of the expressions that he proffered

His examples have the benefit of what he calls "defense in depth" - the functionality to catch a bit more than just a regular expression can alone. His examples include PEAR_Validate for email addresses, Net_CheckIP2 for IP addresses and the Validate_UK package for the sort code and telephone numbers.

Vinu Thomas has posted about a PHP/GD CAPTCHA solution he's come across - Secureimage.

From the company's description:

Securimage is an open-source free PHP CAPTCHA script for generating complex images and CAPTCHA codes to protect forms from spam and abuse. It can be easily added into existing forms on your website to provide protection from spam bots. It can run on most any webserver as long as you have PHP installed, and GD support within PHP.

Features of the tool include simple addition and validation methods, the ability to make audible CAPTCHAs and True Type font support. You can download the software from the project's website.

On PHPBuilder.com, there's a new tutorial about validating user sessions - ensuring that data in your user's sessions is valid and isn't an attack trying to sneak in.

In a nutshell, sessions are the way that we "maintain state" from one page to the next, that is, how we identify specific users across multiple page requests. The ability to track users as they go from one page to the next using sessions allows us a number of options, such as tracking where they are going (web statistics) or to verify credentials for a specific section of the site.

First, there's a little mini-intro to sessions for those unsure on their use. It's followed by a look at some session vulnerabilities that could be introduces by malicious users looking to break things on your site (including HTML/Javascript injection, as their example shows).

They recommend a three step plan to get started with the validation of your user's sessions - making it easy for users to log out when they want to, use unique aspects of the remote machine to define the session and to validate all user input, especially things that will be put into a session variable.

Rob Allen has posted an example (a simple one to get you started) of creating a file upload form in the Zend Framework.

Zend Framework 1.5's Zend_Form component is missing support for the file input element as it is waiting on a file upload component to build upon. We're busy people, so we'll fake it...

His example gives a screenshot of the end result and includes all of the code needed to make it all work - the form, the custom file form element, a ValidFile validation class to ensure you're getting exactly what you want and the controller to define the form and execute it once the user submits.

The WebReference.com website has an introductory tutorial showing the budding PHP develper how to get started with one of the keys to web application interaction - forms.

Forms are how your users talk to your scripts. To get the most out of PHP, you must master forms. The first thing you need to understand is that although PHP makes it easy to access form data, you must be careful of how you work with the data.

The first part of the tutorial is focused on something many applications don't worry about - the security and integrity of the data submitted to them. They talk about things like filtering and various other checks to ensure that the data you're getting is good. They also mention the method for putting submitted values into PHP arrays, checking for valid values, using multiple submit buttons and an example of some of these methods all put together - validating a credit card number.

On his blog today, Vinu Thomas has an example of what he calls a "quicker and cleaner form" using the Zend_Form component of the Zend Framework.

Usually handing forms involves coding the form in HTML and performing client and server side validation, which usually makes the code for complex forms quite unwieldy. Zend_Form which is available in Zend Framework version 1.5 aims at simplifying this process.

With this new version comes the ability to add in methods for validation right into the form definition. His example shows a traditional login form that checks things like if it's required, checking the length and adding filters to modify the input.

The Zend Developer Zone has released part two of a series (here's part one posted back in November) looking at making forms for your website with the help of the PEAR HTML_QuickForm class.

I'll be discussing some of the package's non-standard form elements, teaching you how to combine elements into groups, showing you how to apply templates to control a form's appearance, and guiding you through the process of writing and registering your own custom validation rules.

There's plenty of sample code and screenshots to go around in this second part including examples of form auto-completion, multi-select elements and and example of its integration with Smarty.

Ed Finkler has released the latest version of his Inspekt input filtering/output validation library for PHP5:

I've uploaded the 0.3 release of Inspekt, the input filtering and validation library for PHP4 and 5. With this release, Inspekt completes the goals of the original specification for the OWASP SpoC007 project. I believe it is ready for "real-world" use.

Along with the new code being released there's also more documentation, API docs, a PEAR channel and a mailing list.

David Coallier has posted about the release ("THE release") of the latest version of the PEAR Validate package - version 0.8.0.

I am happy to announce the release of Validate to it's version 0.8.0 (In my opinion the last one before the next (and first) RC of this package towards a stable state). [...] The team has had a hard year loosing one of it's greatest member and the whole project has been literally on neutral since then.

This new release includes nearly thirty bugfixes including resolutions for issues dealing with iTLD validation, date extra validation, better ISSN/ISBN validation and includes some new unit tests as well. There's plans in the works to add features that would validate country codes and to make the move to PHP5.

On the Spindrop blog today, Dave Dash posts about how he used the sfDoctrine plugin functionality to match allowed email domains for their website's registration.

I'm a co-founder at an online finance web site and I'm in charge with building out the site. Our rollout strategy is to let a a handful of companies at a time, so we're limiting registration based on your company's email address. I decided to follow the bandwagon and use PHP Doctrine.

His example code sets up the company information in objects that are validated against from a validateSignup (and match) function in the application.