I have a CodeIgniter Captcha which I am validating using CodeIgniter form validation and a callback function for the rules. Below are the two methods inside my register Controller:

    public function index(){
        $this->form_validation->set_rules('user_name', 'Username', 'trim|required|max_length[32]');
        // The captcha field is checked by the check_captcha callback
        $this->form_validation->set_rules('captcha', 'Captcha', 'trim|required|max_length[32]|callback_check_captcha');
        $this->form_validation->set_rules('password', 'Password', 'trim|required|min_length[5]|max_length[12]');
        $this->form_validation->set_rules('confirm_password', 'Confirm Password', 'trim|required|min_length[5]|max_length[12]|matches[password]');
        $this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email');
        if ($this->form_validation->run() == FALSE){
            // Captcha code
        }
    }

The callback is:

    private function check_captcha($captcha_input){
        // First, delete old captchas
        $expiration = time() - 7200; // Two hour limit
        $this->db->where('captcha_time < ', $expiration)
                 ->delete('captcha');

        // Then see if a captcha exists:
        $sql = 'SELECT COUNT(*) AS count FROM captcha WHERE word = ? AND ip_address = ? AND captcha_time > ?';
        $binds = array($captcha_input, $this->input->ip_address(), $expiration);
        $query = $this->db->query($sql, $binds);
        $row = $query->row();
        if ($row->count == 0){
            $this->form_validation->set_message('check_captcha', 'Captcha Fail');
            return FALSE;
        } else {
            return TRUE;
        }
    }

The problem is that users will be able to access the callback function using the URL (http://[::1]/ci/register/check_captcha). Although nothing significant is happening in this case, I would like to learn to prevent this nonetheless. Generally, in CI I make functions private, which doesn't allow users URL access. If I try making the check_captcha function private I get:

Message: Call to private method Register::check_captcha() from context 'CI_Form_validation

I understand form_validation is calling the callback from outside the register class. How can I restrict URL access to the controller in this case?

  • Possible duplicate of [What is the difference between public, private, and protected?](https://stackoverflow.com/questions/4361553/what-is-the-difference-between-public-private-and-protected) – Javier Larroulet Feb 26 '19 at 13:44
  • You should get better acquainted with the concept of Visibility in Object-oriented PHP. A good place to start would be [This SO answer](https://stackoverflow.com/questions/4361553/what-is-the-difference-between-public-private-and-protected) – Javier Larroulet Feb 26 '19 at 13:45
  • I understand visibility and understand that the callback is getting called from outside the Register class. I have written that in my question. I had specifically asked how to achieve URL barring for the callback and calling the callback from outside the class simultaneously in such cases. – Knownow Feb 26 '19 at 14:02
  • Who is going to know about the callback? The method name isn't going to be visible to anyone. How will somebody know enough to attempt accessing it via http? – DFriend Feb 26 '19 at 21:01

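One way to keep the callback callable by `CI_Form_validation` while making it unreachable by URL, as an added example that is not part of the original question or its comments. It assumes CodeIgniter 3, where the front controller returns a 404 for any controller method whose name begins with an underscore; the `captcha` table and field names are taken from the question.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

class Register extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->library('form_validation');
    }

    public function index()
    {
        // "callback_" + "_check_captcha": note the double underscore.
        $this->form_validation->set_rules('captcha', 'Captcha',
            'trim|required|max_length[32]|callback__check_captcha');

        if ($this->form_validation->run() == FALSE) {
            // Re-display the form with a fresh captcha (elided in the question).
            return;
        }
        // Validation passed: continue with registration.
    }

    // Public so CI_Form_validation can call it, but the leading underscore
    // makes CodeIgniter 3 (assumed version) answer
    // /register/_check_captcha with a 404 instead of running the method.
    public function _check_captcha($captcha_input)
    {
        $expiration = time() - 7200; // Two hour limit, as in the question
        $this->db->where('captcha_time <', $expiration)->delete('captcha');

        $sql = 'SELECT COUNT(*) AS count FROM captcha WHERE word = ? AND ip_address = ? AND captcha_time > ?';
        $binds = array($captcha_input, $this->input->ip_address(), $expiration);
        $row = $this->db->query($sql, $binds)->row();

        if ($row->count == 0) {
            // The message key is the method name, underscore included.
            $this->form_validation->set_message('_check_captcha', 'Captcha Fail');
            return FALSE;
        }
        return TRUE;
    }
}
```

Requesting `/register/_check_captcha` on a CodeIgniter 3 install should then produce the standard 404 page, while form submission still runs the check.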