Securing Forms Random Image

Olav Alexander Mjelde

There are several different applications for securing your forms:

When you...

  • Don't want someone double-posting
  • Want to protect your pages from computerized registrations (spam)
  • Want to protect some pages from Google or others, without .htaccess


There are some considerations, because this technique might actually block people from your forms!

  • People who are visually impaired will not see the image!
  • People who use non-GUI browsers will not see the image!

Simple steps to help those with no GUI

Provide an alternative way of input, so that the visually impaired can contact you. This might include options like:

  • Emailing you for manual input
  • Some sort of override function, if they type some secret code in the query string

There are several ways to do this, and I urge you to consider that not everyone on the web has the same advantages as you and I. One of those advantages is that you and I can see images in our web browsers.


If you want things to be quick and simple, this is a great code sample for further reading. While some people might use MySQL for a system like this, you might agree after seeing the result that it's not needed.

Functions Used

To make a script like this, there are several functions that one needs to use.

Since this script is quite simply constructed, it does not use a great many functions.

  • session_start() - Starts the session
  • unset() - Unsets a variable
  • header() - Send a raw HTTP header
  • imagecreatefrompng() - Create a new image from file or URL
  • imagecolorallocate() - Allocate a color for an image
  • imagesx() - Returns the width of the image
  • imagesy() - Returns the height of the image
  • imagestring() - Draw a string horizontally
  • imagepng() - Output a PNG image to either the browser or a file
  • imagedestroy() - Frees any memory associated with image
  • substr() - Return part of a string
  • md5() - Calculate the md5 hash of a string
  • time() - Return current Unix timestamp

Generating the password, using some of the functions above

As quoted from the manual on

Returns the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT).

What does this mean for us?

We want to generate a random password!

Why not use the time()?

The time() will be unique, since we all know: time passes!

However, time() outputs a format that might be unnecessarily hard for the user to read (due to the many digits). You and I both know that when we are paying bills, we often have to read the account numbers two or three times to make sure that we have written them correctly. This is easier if the key can contain both a-z and 0-9. Time is presented only in 0-9, so how do we do this?

This is why we only want to use a part of the time() for the key.

To also make the key more readable, we wrap the time() inside md5().

md5() will then produce a key with both digits and letters (a-z, 0-9).

For this tutorial, the key-length is set to 6 characters, which should be more than enough for securing your forms. If you want to calculate how secure your key is, the formula is:

Your key will have a pattern like: xxxxxx (6 characters).

Each character might be a-z or 0-9, which gives 25 possibilities in a-z + 10 possibilities in 0-9.

That is a total of 35 possible values for each character of the key.

35 ^ 6 = 1 838 265 625 combinations for that key-length.

Also remember:

If the user inputs a wrong key, or reloads the page, the next key will be different, as it's based on the time() function. This makes the possibility of guessing a key:

1 / 1 838 265 625 ≈ impossible.
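A check of the numbers above, added here as an example and not taken from the original article. It assumes the key is built as `substr(md5(time()), 0, 6)`, as the text describes; the function names are hypothetical. It shows which characters md5() can actually emit, what happens for requests within the same second, and a generator that draws from PHP's CSPRNG instead.

```php
<?php
// Added example; function names are hypothetical, not from the article.

// The derivation the article describes: first 6 characters of md5(time()).
// $now is a parameter so the behaviour can be shown for a fixed second.
function time_based_key(int $now, int $length = 6): string
{
    return substr(md5((string) $now), 0, $length);
}

// Alternative: draw every character from the CSPRNG (PHP 7+).
// The alphabet leaves out look-alikes such as 0/o and 1/l/i.
function random_key(int $length = 6): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

$now = 1103587200; // constructed sample timestamp

// md5() returns lowercase hex, so only 0-9 and a-f can appear in the key.
$seen = [];
for ($t = $now; $t < $now + 1000; $t++) {
    foreach (str_split(time_based_key($t)) as $ch) {
        $seen[$ch] = true;
    }
}
ksort($seen, SORT_STRING);
echo 'characters seen: ', implode('', array_keys($seen)), "\n";
echo 'hex keyspace:    ', 16 ** 6, "\n";

// The key is a pure function of the server clock: a reload within the
// same second yields the same key, and only the next second changes it.
echo 'same second:     ', time_based_key($now), ' ', time_based_key($now), "\n";
echo 'next second:     ', time_based_key($now + 1), "\n";

echo 'random key:      ', random_key(), "\n";
echo 'its keyspace:    ', strlen('abcdefghjkmnpqrstuvwxyz23456789') ** 6, "\n";
```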

Keeping the user on the inside

There are several ways of making a login script.

One might use cookies, MySQL, flat files or other ways.

The simplest way of making a login script is to use session variables.

While "regular" variables need to be passed in the query string, session variables do not. You simply start the session with session_start() at the very top of your script.

After that is done, you set the wanted variables with $_SESSION['variable_name'] = "value";

Backend Code

Check for authentication

This first file checks whether the user is authenticated. If the user is not authenticated, it generates a random image. Once that image is generated, the input from the user must EQUAL the key that the image is based on.
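One way to write this check, as an added example that is not the article's original script. The file name, the `authenticated` session flag and the form field name are assumptions; the session variable `key` is the one the image generator reads.

```php
<?php
// Added example (hypothetical file, e.g. form.php); not the article's script.
session_start();

// Constant-time comparison that also consumes the key, so each image is
// good for exactly one attempt, whether the answer was right or wrong.
function check_key(array &$session, string $input): bool
{
    $expected = $session['key'] ?? null;
    unset($session['key']);
    return is_string($expected)
        && hash_equals($expected, strtolower(trim($input)));
}

$isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
if ($isPost && empty($_SESSION['authenticated'])) {
    $input = $_POST['key'] ?? '';
    if (check_key($_SESSION, is_string($input) ? $input : '')) {
        session_regenerate_id(true);   // new session id once the state changes
        $_SESSION['authenticated'] = true;
    }
}

if (empty($_SESSION['authenticated'])) {
    // Fresh key for the next image; img.php reads it from the session.
    $_SESSION['key'] = bin2hex(random_bytes(3));   // 6 hex characters
    ?>
    <form method="post">
      <img src="img.php" alt="Verification code; e-mail us if you cannot read it">
      <input type="text" name="key" maxlength="6" autocomplete="off">
      <input type="submit" value="Continue">
    </form>
    <?php
    exit;
}

echo 'Protected content goes here.';
```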

The image generator (img.php)

The image generator simply draws a string (from the session variable 'key') onto an image, which in this script has to be /images/bg.png.
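An image generator along these lines, as an added example that is not the article's original img.php. It uses the GD functions listed earlier and assumes that the images directory sits next to the script.

```php
<?php
// Added example of img.php; not the article's original file.
session_start();

// The key only ever travels inside the session, never in the image URL.
$key = $_SESSION['key'] ?? null;
if (!is_string($key) || $key === '') {
    http_response_code(404);   // no pending key: nothing to draw
    exit;
}

// Assumption: images/bg.png lives next to this script.
$img = imagecreatefrompng(__DIR__ . '/images/bg.png');
if ($img === false) {
    http_response_code(500);
    exit;
}

// Centre the text using the size of the built-in GD font.
$font = 5;
$x = intdiv(imagesx($img) - imagefontwidth($font) * strlen($key), 2);
$y = intdiv(imagesy($img) - imagefontheight($font), 2);
$black = imagecolorallocate($img, 0, 0, 0);
imagestring($img, $font, max(0, $x), max(0, $y), $key, $black);

// no-store keeps browsers and proxies from serving an old key image.
header('Content-Type: image/png');
header('Cache-Control: no-store');
imagepng($img);
// Since PHP 8.0 GD images are freed automatically; on older versions
// call imagedestroy($img) here.
```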

Improvements that can be made

There are several improvements that can be made, like the ones mentioned above. The most important of them all is the one about the visually impaired, as they will not be able to view an image.

This article is the property of its author; please do not redistribute or use elsewhere without checking with the author.