Articles matching: security
Ninjas are deadly. Chipmunk Ninjas are just weird.

Marc Wandschneider is a professional software developer with well over fifteen years of industry experience (yes, he really is that old). He travels the globe working on interesting projects and gives talks at conferences and trade shows whenever possible.

My Publications:

My book, "Core Web Application Programming with PHP and MySQL" is now available everywhere, including

My "PHP and MySQL LiveLessons" DVD Series has just been published by Prentice-Hall, and can be purchased on Amazon, through Informit, or Safari


Input validation in web applications - plain bad programming
By marcwan

It never ceases to shock me the number of websites I run into that will complain when I enter 206.555.1212 or 206-555-1212 for a phone number. Similar things abound for credit card numbers, social security numbers, and all sorts of other structured input. Some designers, in a completely useless attempt to allay users’ anger, will go so far as to put a message above the input box along the following lines:

phone numbers must be entered exactly as (xxx)xxx-xxxx

Others will provide input boxes divided up as follows:

They will then add varying amounts of script to try and help you move between the boxes as you enter input.

These hints and script tricks all completely miss the point, however, and are symptomatic of one simple thing: programmer laziness.

Your users, honestly, just want a single, plain text box.

This lets them type in the required input (here, a phone number) in whatever format they want. 206 555 1212, 2065551212, or 206 555.1212 should all be valid input. All one does when trying to force users into a specific format is risk that they give up and go away. If your site is in the business of trying to get customers to give you money, this is doubly unforgivable on your part: it’s like begging the users not to sign up with you.

The really sad part is that this problem is so trivially avoided. The code required on the server to normalize the input and keep only the characters you want is rarely more than a few lines, and it is something you should be writing anyway as part of server-side input validation and security: no hint, split box or bit of client-side script protects you, because a request can be crafted without ever loading your form, so the server has to validate what arrives regardless.

For example, here is how you’d get a 10-digit phone number in PHP (the loop walks the string by index rather than testing substr() against false, which stops working on newer PHP versions where substr() past the end returns an empty string):

class InvalidPhoneNumberException extends Exception {}

function phone_num($pn)
{
    // keep only the digit characters, whatever separators the user typed
    $output = '';
    for ($x = 0; $x < strlen($pn); $x++) {
        if (ctype_digit($pn[$x])) $output .= $pn[$x];
    }

    if (strlen($output) != 10)
        throw new InvalidPhoneNumberException($pn);
    return $output;
}

Here is something similar in Ruby, which I have never programmed a line of before 10 minutes ago:

# i'm sure there's a way better way to do this.
phone_number = "20    6  555 12 12 "
x = 0
output = ""

phone_number.length.times do
    # keep only the characters that are digits 0-9
    if phone_number[x, 1] == "0" \
       or (phone_number[x,1].to_i >= 1 and phone_number[x,1].to_i <= 9)
        output += phone_number[x,1]
    end
    x += 1
end

if output.length != 10
  puts "invalid"
end
puts output

And no complaining about the efficiency of either of the above scripts – if input validation of user-entered forms is a serious performance bottleneck in your application, you’ve either got serious problems with your hardware or even more serious problems with your application (more likely).

So, do your users, yourself, and your application’s security a huge favour: just write the 10 dang lines of code to be unusually tolerant of input. Chances are, you’ve already got a library of these functions somewhere.

While we’re at it: + is a valid character in the local part of an email address, and addresses that use it (the user+tag@domain convention) are very common and very valid. I’m talking to you, Fidelity Investments.
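As an added example, not code from the original article, here is the kind of small library of tolerant normalizers the text has in mind, covering the three kinds of structured input it mentions (phone numbers, credit card numbers and email addresses with a + tag). The function names, return convention (null means reject) and sample inputs are mine; the phone normalizer also goes a little beyond the article by tolerating an optional leading "1". Each function strips the separators the user typed and then validates the shape of what remains on the server, which is the only place validation actually counts.

```php
<?php
// Added example (not from the original article): a small library of
// "tolerant" normalizers in the spirit of phone_num() above.  Each one
// strips whatever separators the user typed, then validates the *shape*
// of what remains on the server, which is where validation has to live:
// nothing a browser does (hints, split boxes, JavaScript) survives a
// hand-crafted request.  Returning null means "reject"; the caller
// stores only the normalized value, never the raw input.

function normalize_phone(string $raw): ?string
{
    // keep digits only: "206-555-1212", "(206) 555.1212", "206 555 1212"
    $digits = preg_replace('/\D+/', '', $raw);
    // going beyond the article: tolerate a North American "1" prefix
    if (strlen($digits) == 11 && $digits[0] == '1') {
        $digits = substr($digits, 1);
    }
    return strlen($digits) == 10 ? $digits : null;
}

function normalize_card_number(string $raw): ?string
{
    // spaces, dashes and dots are all common ways users group card digits
    $digits = preg_replace('/\D+/', '', $raw);
    $len = strlen($digits);
    if ($len < 12 || $len > 19) {
        return null;
    }
    // Luhn check (mod 10): catches typos and adjacent transpositions,
    // but it is a checksum, not proof that the card exists
    $sum = 0;
    for ($i = $len - 1, $double = false; $i >= 0; $i--, $double = !$double) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) $d -= 9;
        }
        $sum += $d;
    }
    return $sum % 10 == 0 ? $digits : null;
}

function normalize_email(string $raw): ?string
{
    $email = trim($raw);
    // FILTER_VALIDATE_EMAIL accepts "+" in the local part, so
    // user+tag@example.com passes, as it should
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// constructed sample input, as a user might type it
$samples = [
    'phone' => ['206.555.1212', '(206) 555-1212', '1-206-555-1212', '555-1212'],
    'card'  => ['4111 1111 1111 1111', '4111-1111-1111-1112'],
    'email' => ['marc+blog@example.com', 'not an address'],
];
foreach ($samples['phone'] as $s) printf("phone %-16s => %s\n", $s, normalize_phone($s) ?? 'REJECT');
foreach ($samples['card'] as $s)  printf("card  %-20s => %s\n", $s, normalize_card_number($s) ?? 'REJECT');
foreach ($samples['email'] as $s) printf("email %-22s => %s\n", $s, normalize_email($s) ?? 'REJECT');
```

Run it with `php normalize.php`. The design point is that the stored value is the normalized one (ten digits, the card digits, the trimmed address), so downstream code never has to guess at formats, and the raw string the user typed is never trusted or persisted as-is.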

Jul 16, 2006 | 05:34:57
Program Execution in PHP: exec, system, passthru, and shell_exec, oh my!
By marcwan

PHP is a sufficiently rich programming environment that it is not common that I truly need to execute external programs on the server on which it executes. However, every once in a while, this situation does come along, and for these, it is important to understand the options that PHP provides, what their differences are, and their relative strengths and weaknesses.

There are four primary choices for executing external programs in PHP:

  • The system function.
  • The exec function.
  • The shell_exec function or its syntactic analogue, the backtick operator, ( ` ).
  • The passthru function.
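As an added example, not code from the original article, here is the same command run through each of the four mechanisms listed above, so the differences in what comes back (streamed output, last line, collected lines, whole output, raw pass-through, exit status or not) are visible side by side. It also shows the one thing to get right whichever you choose: all four hand the string to the system shell, so a user-supplied argument must be quoted with escapeshellarg(). The hostile input and file name are constructed for the example, and a POSIX /bin/sh is assumed.

```php
<?php
// Added example (not from the original article): the same command run
// through each of PHP's four external-program mechanisms, to show what
// each one gives back.  The user-supplied argument is deliberately
// hostile, so the difference between quoting it with escapeshellarg()
// and pasting it in raw is visible.  The file name is constructed.

$user_input = "report.txt; echo INJECTED";   // constructed: what an attacker would type

// All four functions hand the string to /bin/sh -c, so the ";" above
// would start a second command.  escapeshellarg() wraps the value in
// single quotes (and escapes embedded ones) so the shell sees one word.
$safe_arg = escapeshellarg($user_input);

// 1. system(): streams output straight to the browser/stdout and returns
//    only the LAST line; the exit status comes back via the by-ref argument.
$last = system("echo " . $safe_arg, $status);
echo "system() returned: $last (exit $status)\n";

// 2. exec(): also returns the last line, but collects every output line
//    into the array you pass in; nothing is printed unless you print it.
exec("echo " . $safe_arg, $lines, $status);
echo "exec() collected " . count($lines) . " line(s), exit $status\n";

// 3. shell_exec() and the backtick operator: the whole output as one
//    string, null on error or no output, and no exit status at all.
$out  = shell_exec("echo " . $safe_arg);
$same = `echo $safe_arg`;
echo "shell_exec() gave: " . rtrim($out) . "\n";
echo "backticks gave the same thing: " . var_export($out === $same, true) . "\n";

// 4. passthru(): raw (possibly binary) output goes straight to the client
//    and nothing is returned; use it for things like generated image data.
passthru("echo " . $safe_arg, $status);

// For comparison, the unquoted form: the shell runs "echo report.txt"
// and then "echo INJECTED" as a second command.  That is the command
// injection escapeshellarg() exists to prevent; never build a command
// line from user input without it.
$unsafe = shell_exec("echo " . $user_input);
echo "without escaping, the shell also ran the injected command:\n" . $unsafe;
```

Run it with `php exec_demo.php`; the first four calls all print the literal string "report.txt; echo INJECTED", while the last prints "report.txt" and then "INJECTED" on its own line. On PHP 7.4 and later, proc_open() also accepts the command as an array, which bypasses the shell entirely and removes the quoting problem rather than solving it.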
Copyright © 2005-2008 Marc Wandschneider All Rights Reserved.