Recent Technology News Blog, Washington DC Tech, DC Technology » Guest Submitted http://www.zonkio.com Up-to-date tech news blog that showcases recent web development insights, photography, and tech law articles. Washington, DC Metro based internet technology news blog. Fri, 30 Dec 2011 22:47:23 +0000 en hourly 1 http://wordpress.org/?v= Photo: Metro Center Against Black/White DC http://www.zonkio.com/photo-metro-center-against-blackwhite-dc_1561.html http://www.zonkio.com/photo-metro-center-against-blackwhite-dc_1561.html#comments Tue, 12 May 2009 13:16:17 +0000 Guest Submitted http://www.zonkio.com/?p=1561 Metro Center Station in Washington DC

Metro Center Station in Washington DC

]]> http://www.zonkio.com/photo-metro-center-against-blackwhite-dc_1561.html/feed 1 Metro Center Station in Washington DC Metro Center Station in Washington DC PHP, Common String Functions http://www.zonkio.com/php-common-string-functions_763.html http://www.zonkio.com/php-common-string-functions_763.html#comments Fri, 23 Jan 2009 21:59:56 +0000 Guest Submitted http://www.zonkio.com/?p=763 There are always those functions that you need to manipulate strings for whatever reason. Maybe it”s for validation purposes or sanitizing purposes or some kind of string conversion or searching. Here is a class that encapsulates alot of common string functions that I use alot. All functions that start with “is” are boolean functions:

class string
{
/**
* Checks to see if string is only alphabetic
*
* @static
* @param string $value
* @param boolean $ignore_spaces
* @return boolean
* @category string
*/
static function isAlpha($value, $ignore_spaces = false)
{
if (!isset($value{0}))
{
return false;
}
if ($ignore_spaces)
{
$value = str_replace(" ", "", $value);
}
return ctype_alpha($value);
}
/**
* Checks to see if string only contains letters and numbers
*
* @static
* @param string $value
* @param boolean $ignore_spaces
* @return boolean
* @category string
*/
static function isAlphaNum($value, $ignore_spaces = false)
{
if (!isset($value{0}))
{
return false;
}
if ($ignore_spaces)
{
$value = str_replace(" ", "", $value);
}
return ctype_alnum($value);
}
/**
* Checks to see if a string is a hex
* @param string $value
* @return boolean
*/
static function isHex($value)
{
if (!isset($value{0}))
{
return false;
}
return ctype_xdigit($value);
}
/**
* Checks to see if a string is numeric
*
* @static
* @param string $value
* @param boolean $ignore_spaces
* @return boolean
* @category string
*/
static function isNumeric($value, $ignore_spaces = false)
{
if (!isset($value{0}))
{
return false;
}
if ($ignore_spaces)
{
$value = str_replace(" ", "", $value);
}
return ctype_digit($value);
}
static function isDate($value)
{
if (!isset($value{0}))
{
return false;
}
if (strtotime($value) !== false)
{
return true;
}
else
{
return false;
}
}
/**
* Checks to see if string is a valid phone number
*
* @static
* @param string $value
* @return boolean
* @category string
*/
static function isPhone($value)
{
if (!isset($value{0}))
{
return false;
}
if(ereg("^([0-9]( |-)?)?(\(?[0-9]{3}\)?|[0-9]{3})( |-)?([0-9]{3}( |-)?[0-9]{4}|[a-zA-Z0-9]{7})$", $value))
{
return true;
}
else
{
return false;
}
}
/**
* Checks to see if a string is an email
*
* @static
* @param string $value
* @param boolean $check_domain
* @return boolean
* @category string
*/
public static function isEmail($value, $check_domain = false)
{
if (!isset($value{0}))
{
return false;
}
if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $value))
{
if ($check_domain == true)
{
list($userName, $mailDomain) = split("@", $value);
if (checkdnsrr($mailDomain, "MX")) {
return true;
}
else
{
return false;
}
}
return true;
}
else
{
return false;
}
}
/**
* Checks to see if a string is a valid zip code
*
* @static
* @param string $value
* @param boolean $extended
* @return boolean
* @category string
*/
static function isZip($value, $extended = false)
{
if (!isset($value{0}))
{
return false;
}
if (!$extended)
{
if(ereg("^[0-9]{5}$", $value))
{
return true;
}
else
{
return false;
}
}
else
{
if(ereg("^[0-9]{5}$", $value) || ereg("^[0-9]{5}-[0-9]{4}$", $value))
{
return true;
}
else
{
return false;
}
}
}
/**
* Validates credit card number
*
* @static
* @param string $value
* @return boolean
* @category string
*/
static function isCreditCard($value)
{
if (!isset($value{0}))
{
return false;
}
if (ereg("(^(4|5)\d{3}-?\d{4}-?\d{4}-?\d{4}|(4|5)\d{15})|(^(6011)-?\d{4}-?\d{4}-?\d{4}|(6011)-?\d{12})|(^((3\d{3}))-\d{6}-\d{5}|^((3\d{14})))", $value))
{
return true;
}
else
{
return false;
}
}
/**
* Strips html out of a string
*
* @static
* @param string $value
* @category string
*/
static function stripHTML(&$value)
{
if (!isset($value{0}))
{
exit;
}
$breaks[] = "<br>";
$breaks[] = "<br />";
$search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
'@<style[^>]*?>.*?</style>@siU'    // Strip style tags properly
);
$value = preg_replace($search, '', $value);
$value = str_ireplace($breaks, "\r\n", $value);
$value = trim($value);
$value = strip_tags($value);
$value = html_entity_decode($value, ENT_QUOTES);
$value = addslashes($value);
}
/**
* Cleans out script tags out of HTML
*
* @static
* @param string $value
* @category string
*/
static function cleanHTML(&$value)
{
$search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
'@<style[^>]*?>.*?</style>@siU'    // Strip style tags properly
);
$value = preg_replace($search, '', $value);
$value = htmlentities($value);
}
/**
* Encodes all non alpha numeric characters in a URL with the '%' sign
*
* @static
* @param string $url
* @return string
* @example string.php how to use;
* @category string
*/
static function UrlEncode($url)
{
if (strpos($url, '?') === false)
{
return $url;
}
else
{
$startpos  = strpos($url, "?");
$tmpurl    = substr($url, 0 , $startpos+1);
$qryStr    = substr($url, $startpos+1);
$qryvalues = explode("&", $qryStr);
foreach($qryvalues as $value)
{
$buffer    = explode("=", $value);
$buffer[1] = urlencode($buffer[1]);
$new_query_values[] = implode("=", $buffer);
}
$finalqrystr =implode("&", $new_query_values);
$finalURL    =$tmpurl . $finalqrystr;
return $finalURL;
}
}
/**
*
* @param $length
* @return string
*/
static function generateID($length)
{
$random_id_length = $length;
$rnd_id = crypt(uniqid(rand(),1));
$rnd_id = strip_tags(stripslashes($rnd_id));
$rnd_id = str_replace(".","",$rnd_id);
$rnd_id = strrev(str_replace("/","",$rnd_id));
$rnd_id = substr($rnd_id,0,$random_id_length);
return $rnd_id;
}
}

This class has been documented using the phpdoc specification so that if you are using an IDE such as Eclipse PDT it will give you more direction. This class ecapsulates all of these functions and mimics namespaces for PHP. PHP 5.3 and above has namespaces as a part of the core of PHP, but for right now, static methods are the way to go for compatability sake.

]]> http://www.zonkio.com/php-common-string-functions_763.html/feed 0 The Javascript Injection Problem http://www.zonkio.com/the-javascript-injection-problem_685.html http://www.zonkio.com/the-javascript-injection-problem_685.html#comments Tue, 20 Jan 2009 20:50:58 +0000 Guest Submitted http://www.zonkio.com/?p=685 What is it?

Javascript injection is a commonly ignored security issue. Basically it is the idea that you can execute javascript in your address bar, or one of the numerous plugins that accompany web browsers such as greasemonkey, to change the DOM in any way you wish. So whats the big deal? Well the bottom line is that there really shouldn’t be a big deal. This should not affect your web application in any way if you develop it right. However, there is alot of problems if you don’t understand the weakness.

A Scenario

I recently was working with a e-commerce form. The form had alot of hidden inputs and one of them being “price”. The issue with this is the fact that it is very easy to change
anything in the DOM. For instance, lets say you are a user that is using the ecommerce form to purchase something. You see in the code that you have:

<form method='post' action='process.php'>
<input type='hidden' name='price' id='price' />
<input type='submit' value='Buy' />
<form>

Assuming (of course) there is more fields in this form; the most interesting one – as a hacker – would be the “price” field. This indicates that the processing script depends on the html field (which is coming from the client) to process the price. So we (the hacker) now have a way to change this. Simply type:

javascript: document.getElementById('price').value = .01

in the address bar and hit “enter”. This changes the price from 300 to .01 and since the server script depends on this field, you will be charged 1 penny instead of $300. This is great news if your a hacker, but very bad news if your the web developer.

The Ramifications

The ramifications for a developer is that you must take care to only receive data from the client that you absolutely need from the client. There is a lot of data that should be managed by sessions or database and not be sent to the client as this could be easily be modified by anyone.

]]> http://www.zonkio.com/the-javascript-injection-problem_685.html/feed 0