Category Archives: Security

Validate numbers in PHP without using is_integer() or is_numeric()

One of the great features of PHP is its automatic type conversion (type juggling). You don’t need to tell PHP whether you are storing a string, a float or an integer value. This gives rise to some interesting error checking scenarios though. One of the simplest is checking whether the value submitted from a form is numeric or not.

Annoyingly, every value submitted from a form arrives in PHP as a string. That doesn’t stop you performing calculations on the submitted value as if it were a number, but it does mean that is_integer() will always return false for it. The PHP manual advises us to use is_numeric() instead; however, is_numeric() and is_integer() are very different. is_numeric() is quite happy to accept any valid number, which includes minus values, floating points, exponential notation such as "1e3", strings with leading whitespace, and (in PHP releases before 7.0) hexadecimal strings such as "0x1A". For error checking this can be pretty worthless. Let’s look at a couple of different scenarios:

Scenario 1: we are passing a database ID in a hidden INPUT tag, and we want to ensure that only a valid integer ends up in the subsequent database query.

We can actually typecast the variable as follows:

$id = (int)$_POST['id'];
or
$id = intval($_POST['id']);

Nice and simple, and it guarantees that whatever reaches the query is an integer. Note, though, that a cast coerces rather than validates: (int)"12abc" is 12 and (int)"abc" is 0, so malformed input is silently turned into a number instead of being rejected. Minus values are also valid integers, and sometimes we don’t want those either. We could run two tests (cast, then check that the result is greater than zero), but that’s not particularly elegant. So…

Scenario 2: we are passing a monetary value to a payment gateway and it has to be in the lowest currency denomination (e.g. £10.53 becomes 1053). In this scenario, decimal points, minus symbols and exponents are all unacceptable.

The simple answer is a regular expression (regex) using preg_match():


// The D modifier stops $ matching just before a trailing newline, so "1053\n" is rejected too.
// The isset/is_string checks handle a missing field or an array submitted as amount[].
if (!isset($_POST['amount']) || !is_string($_POST['amount']) || !preg_match('/^[0-9]+$/D', $_POST['amount'])) {
    // not valid: anything other than a run of ASCII digits
} else {
    // valid
}
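As an added example (not the original post’s code), here is the same digits-only check wrapped in a function and run side by side with is_numeric() and a plain (int) cast over a set of constructed inputs, so the differences between the three are visible. It assumes PHP 7.1 or later (for the nullable return type and ??); the function name validate_unsigned_int and the sample values are mine.

```php
<?php
// Added example, not the original post's code: a strict "unsigned integer
// string" check of the kind the post describes, compared against is_numeric()
// and a plain (int) cast on constructed inputs.

/**
 * Return the value as an int if $value is a string of ASCII digits only,
 * otherwise null. \A and \z anchor to the absolute start and end of the
 * string; a bare $ would also match just before a trailing "\n", so
 * "1053\n" would pass. A length cap keeps the result inside PHP_INT_MAX
 * (19 digits on 64-bit PHP) so a huge value cannot wrap or become a float.
 */
function validate_unsigned_int($value): ?int
{
    if (!is_string($value)) {
        return null;            // missing field (null) or an array from amount[]
    }
    if (!preg_match('/\A[0-9]+\z/', $value)) {
        return null;            // sign, decimal point, exponent, whitespace, hex...
    }
    if (strlen(ltrim($value, '0')) > 18) {
        return null;            // too many significant digits for a 64-bit int
    }
    return (int) $value;
}

// Typical use with a form field; ?? keeps a missing field from raising a notice.
// $amount = validate_unsigned_int($_POST['amount'] ?? null);
// if ($amount === null) { /* reject the request */ }

// Constructed inputs covering the cases the post lists, plus a few others.
$samples = ['1053', '0', '-1053', '10.53', '1e3', '0x1A', ' 1053', "1053\n", '12abc', '', null];

foreach ($samples as $s) {
    printf("%-12s is_numeric=%-5s (int)=%-6s strict=%s\n",
        json_encode($s),
        var_export(is_numeric($s), true),
        var_export((int) $s, true),
        var_export(validate_unsigned_int($s), true));
}
```

For strings, the built-in ctype_digit() performs the same digits-only test (it returns false for the empty string), but it must be given a string: passed an integer between -128 and 255 it tests the corresponding ASCII character instead, a behaviour PHP 8.1 deprecates. The regex version above has no such surprise and rejects non-strings outright.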

SORBS – The Internet police no-one appointed

Any web developer / ISP running their own web servers will know that, occasionally, you get some spam email being sent through your server(s) without your permission. This can be down to a newly found, and as yet unpatched, security hole, an insecure mail form script that one of your clients has kindly uploaded, or a virus on the computer of one of your SMTP users. Frankly, it can be caused by all sorts of things, and even with the best will in the world, it’s very difficult to stop it happening in an environment where users have access to your server in any shape or form.

In between the above happening and you becoming aware of the problem, complaints about your IP address may have been submitted to a black list service. There are lots of these services around and they feed spam filtration software and systems. Generally, if you get blacklisted, you then just visit the website of the service in question, enter your IP address and some basic details, and it will be removed from the list – usually immediately.

This system works. Some might wonder why the spammers themselves don’t just go in and delist themselves, and indeed there is nothing to stop them doing this. However, spammers will always continue to send spam and so will become immediately blacklisted again. Hence, it’s a complete waste of their time to do this, particularly when the vast majority of email users don’t have any active spam filtration. Remember also that most spammers send their mail through hijacked servers and computers, and therefore it’s not their own IP addresses being blacklisted anyway.

Today, I realised this had happened on one of our servers and that it had been blacklisted with SORBS. I followed the hugely convoluted process on their website of trying to get the IP address de-listed and finally got presented with a message telling me that SORBS would not de-list my IP unless I paid a ‘fine’ of $50 to a charity of their choice.

What?! Who the hell do they think they are???

This is little more than kidnap and ransom. SORBS have absolutely no right whatsoever to charge any kind of fine, inverted commas or otherwise. They certainly do not have the right to coerce people into donating money to a charity that they may not themselves support.

Will I pay the $50? Hell no! I’ll just change the IP address – they are free after all.

Will I ever use a spam filtration system that queries the SORBS database? Of course not, because a system that works in this way is never going to be worth a damn. In fact, most high-end filtration solutions do not query SORBS.

Spam is a scourge. Having some self-appointed police force punishing the ISPs is not the answer at all. SORBS use the analogy of a police speed camera on their website. This is a good analogy, because speed cameras rarely catch the real criminals either. No, this is just another bunch of self-absorbed, lobotomised morons trying to make some kind of misguided statement without taking any time to actually think things through properly.

I strongly urge all ISPs and users to boycott this ludicrous bunch of jokers.

Secure Online Random Password Generator

Regular readers of my blog may remember, or have used, my secure random password generator class. For those who aren’t PHP proficient, or just can’t be bothered to create the pages necessary, I’ve implemented it into a new website: www.random-password.net. I hope it proves useful.

The benefit of my class is that it generates passwords based upon a pattern, and you can make it generate up to 99 random passwords based on your pattern in a single click. The random-password.net website also stores a convenient cookie, so that it will remember your pattern each time you visit.

Let me have any comments or suggestions please; I’d love to hear from you if my work has helped you in any way.

PHP Mail Script Security – Stop SPAM Vulnerabilities

Have you written any PHP scripts to handle email sending? The mail() function is one of the simplest and most useful of PHP’s in-built functions, but poorly written code can expose a huge vulnerability that allows your simple mail script to be hijacked by spammers.