I've noticed that Richard Heyes, who professes himself to be a php guru, deleted my comment on his "Some common regular expressions" posting which simply pointed out his expressions didn't quite do the job and suggested a few PEAR packages that should be used instead of the expressions that he proffered

His examples have the benefit of what he calls "defense in depth" - the functionality to catch a bit more than just a regular expression can alone. His examples include PEAR_Validate for email addresses, Net_CheckIP2 for IP addresses and the Validate_UK package for the sort code and telephone numbers.

From the company's description:

Securimage is an open-source free PHP CAPTCHA script for generating complex images and CAPTCHA codes to protect forms from spam and abuse. It can be easily added into existing forms on your website to provide protection from spam bots. It can run on most any webserver as long as you have PHP installed, and GD support within PHP.

Features of the tool include simple addition and validation methods, the ability to make audible CAPTCHAs and True Type font support. You can download the software from the project's website.

In a nutshell, sessions are the way that we "maintain state" from one page to the next, that is, how we identify specific users across multiple page requests. The ability to track users as they go from one page to the next using sessions allows us a number of options, such as tracking where they are going (web statistics) or to verify credentials for a specific section of the site.

First, there's a little mini-intro to sessions for those unsure on their use. It's followed by a look at some session vulnerabilities that could be introduces by malicious users looking to break things on your site (including HTML/Javascript injection, as their example shows).

They recommend a three step plan to get started with the validation of your user's sessions - making it easy for users to log out when they want to, use unique aspects of the remote machine to define the session and to validate all user input, especially things that will be put into a session variable.

Zend Framework 1.5's Zend_Form component is missing support for the file input element as it is waiting on a file upload component to build upon. We're busy people, so we'll fake it...

His example gives a screenshot of the end result and includes all of the code needed to make it all work - the form, the custom file form element, a ValidFile validation class to ensure you're getting exactly what you want and the controller to define the form and execute it once the user submits.

Forms are how your users talk to your scripts. To get the most out of PHP, you must master forms. The first thing you need to understand is that although PHP makes it easy to access form data, you must be careful of how you work with the data.

The first part of the tutorial is focused on something many applications don't worry about - the security and integrity of the data submitted to them. They talk about things like filtering and various other checks to ensure that the data you're getting is good. They also mention the method for putting submitted values into PHP arrays, checking for valid values, using multiple submit buttons and an example of some of these methods all put together - validating a credit card number.

Usually handing forms involves coding the form in HTML and performing client and server side validation, which usually makes the code for complex forms quite unwieldy. Zend_Form which is available in Zend Framework version 1.5 aims at simplifying this process.

With this new version comes the ability to add in methods for validation right into the form definition. His example shows a traditional login form that checks things like if it's required, checking the length and adding filters to modify the input.

I'll be discussing some of the package's non-standard form elements, teaching you how to combine elements into groups, showing you how to apply templates to control a form's appearance, and guiding you through the process of writing and registering your own custom validation rules.

There's plenty of sample code and screenshots to go around in this second part including examples of form auto-completion, multi-select elements and and example of its integration with Smarty.

I've uploaded the 0.3 release of Inspekt, the input filtering and validation library for PHP4 and 5. With this release, Inspekt completes the goals of the original specification for the OWASP SpoC007 project. I believe it is ready for "real-world" use.

Along with the new code being released there's also more documentation, API docs, a PEAR channel and a mailing list.