PHPBuilder.com:
Validating PHP User Sessions
0 comments :: posted Monday April 07, 2008 @ 11:12:33

On PHPBuilder.com, there's a new tutorial about validating user sessions: ensuring that the data in your users' sessions is valid and isn't an attack trying to sneak in.

In a nutshell, sessions are the way that we "maintain state" from one page to the next, that is, how we identify specific users across multiple page requests. The ability to track users as they go from one page to the next using sessions allows us a number of options, such as tracking where they are going (web statistics) or to verify credentials for a specific section of the site.

First, there's a mini-intro to sessions for those unsure of their use. It's followed by a look at some session vulnerabilities that could be introduced by malicious users looking to break things on your site (including HTML/JavaScript injection, as their example shows).

They recommend a three-step plan to get started with validating your users' sessions: make it easy for users to log out when they want to, use unique aspects of the remote machine to define the session, and validate all user input, especially anything that will be put into a session variable.

tagged with: tutorial session security tip vulnerabilities injection validate


Rob Allen's Blog:
Simple Zend_Form File Upload Example
0 comments :: posted Monday April 07, 2008 @ 09:30:30

Rob Allen has posted an example (a simple one to get you started) of creating a file upload form in the Zend Framework.

Zend Framework 1.5's Zend_Form component is missing support for the file input element as it is waiting on a file upload component to build upon. We're busy people, so we'll fake it...

His example gives a screenshot of the end result and includes all of the code needed to make it all work - the form, the custom file form element, a ValidFile validation class to ensure you're getting exactly what you want and the controller to define the form and execute it once the user submits.

tagged with: zendform validate example code zendframework

WebReference.com:
Working With Forms
0 comments :: posted Monday March 31, 2008 @ 10:25:11

The WebReference.com website has an introductory tutorial showing the budding PHP developer how to get started with one of the keys to web application interaction: forms.

Forms are how your users talk to your scripts. To get the most out of PHP, you must master forms. The first thing you need to understand is that although PHP makes it easy to access form data, you must be careful of how you work with the data.

The first part of the tutorial is focused on something many applications don't worry about - the security and integrity of the data submitted to them. They talk about things like filtering and various other checks to ensure that the data you're getting is good. They also mention the method for putting submitted values into PHP arrays, checking for valid values, using multiple submit buttons and an example of some of these methods all put together - validating a credit card number.

tagged with: tutorial input form application validate security

Vinu Thomas' Blog:
Quicker and cleaner Form using Zend Form
0 comments :: posted Wednesday February 13, 2008 @ 08:56:00

On his blog today, Vinu Thomas has an example of what he calls a "quicker and cleaner form" using the Zend_Form component of the Zend Framework.

Usually handling forms involves coding the form in HTML and performing client and server side validation, which usually makes the code for complex forms quite unwieldy. Zend_Form which is available in Zend Framework version 1.5 aims at simplifying this process.

With this new version comes the ability to add validation methods right into the form definition. His example shows a traditional login form that marks fields as required, checks their length and adds filters to modify the input.

tagged with: zendframework zendform validate field definition

Zend Developer Zone:
Generating and Validating Web Forms With PEAR HTML_QuickForm (part 2)
0 comments :: posted Tuesday January 22, 2008 @ 07:57:00

The Zend Developer Zone has released part two of a series (here's part one posted back in November) looking at making forms for your website with the help of the PEAR HTML_QuickForm class.

I'll be discussing some of the package's non-standard form elements, teaching you how to combine elements into groups, showing you how to apply templates to control a form's appearance, and guiding you through the process of writing and registering your own custom validation rules.

There's plenty of sample code and screenshots to go around in this second part, including examples of form auto-completion, multi-select elements and an example of its integration with Smarty.

tagged with: form generate validate pear htmlquickform series

Ed Finkler's Blog:
Inspekt 0.3 now available
0 comments :: posted Monday January 21, 2008 @ 14:38:00

Ed Finkler has released the latest version of his Inspekt input filtering/output validation library for PHP5:

I've uploaded the 0.3 release of Inspekt, the input filtering and validation library for PHP4 and 5. With this release, Inspekt completes the goals of the original specification for the OWASP SpoC007 project. I believe it is ready for "real-world" use.

Along with the new code being released there's also more documentation, API docs, a PEAR channel and a mailing list.

tagged with: inspekt filter input validate output library release



All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework