Category Archives: PHP

Mostly this will cover PHP 5.x, but also later releases of PHP 4.x

A Multi-Use Form Nonce Written In PHP

Previously I wrote about creating a single-use nonce — that is, a unique token that ensures a form was created on your Web server, and hasn’t been previously used — by leveraging MySQL.

That’s useful when you not only need to be sure your server created a form, but also when you need to ensure the form cannot be resubmitted; for example, if you’re taking an order and don’t want to double-process it.

Sometimes, all you need to do is ensure that you created the form. There’s no harm in submitting it twice, or at least the damage would be minimal; for example, you’re asking a user to select some set of criteria, and on that basis, you’ll fetch some database records and show the results.

In those cases, all you really need to do is create a random string of characters and numbers, in a pattern known only to you, and encrypt that string so that all but the most determined cracker cannot easily replicate the pattern.

To that end, we’ll use mcrypt and a couple of functions to both encrypt and decrypt a string, and pass that back and forth in a hidden text field.
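The post’s own code uses mcrypt, which was removed from PHP in 7.2; the following is an added example, not the post’s code, that reaches the same goal (a reusable token proving the server built the form) with an HMAC instead of encryption, so the origin check becomes one keyed, constant-time comparison rather than a decrypt-and-inspect step. It needs PHP 7.1 or later, and `FORM_SECRET`, the form name `criteria` and the hidden field name `nonce` are assumptions for the example.

```php
<?php
// Added example, not the post's mcrypt code: a multi-use "this form came from us"
// token built with an HMAC. The secret lives only on the server; a token is valid
// if and only if the server's key produced its MAC, which is exactly the origin
// property the post is after. FORM_SECRET is a placeholder value.
const FORM_SECRET = 'placeholder-load-a-random-32-byte-key-from-outside-the-web-root';

// Mint a token for a named form (form names must not contain '|', the field separator).
// The random salt makes every token distinct, so two renderings of the same form
// never carry the same value.
function make_form_token(string $form, string $secret = FORM_SECRET): string {
    $salt = bin2hex(random_bytes(16));
    $mac  = hash_hmac('sha256', "$form|$salt", $secret);
    return base64_encode("$form|$salt|$mac");
}

// Verify a submitted token: true only if the MAC is valid for this secret and
// the token was minted for the form being processed.
function check_form_token(string $token, string $form, string $secret = FORM_SECRET): bool {
    $raw = base64_decode($token, true);          // strict decoding rejects junk characters
    if ($raw === false) {
        return false;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3) {
        return false;
    }
    [$tform, $salt, $mac] = $parts;
    $expected = hash_hmac('sha256', "$tform|$salt", $secret);
    if (!hash_equals($expected, $mac)) {         // constant-time comparison
        return false;
    }
    return $tform === $form;                     // a token for "search" must not pass on "checkout"
}

// Rendering: drop the token into the hidden field, HTML-escaped.
$token = make_form_token('criteria');
echo '<input type="hidden" name="nonce" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">', PHP_EOL;

// Handling the submission (same process here; in practice the value comes from $_POST['nonce']).
var_dump(check_form_token($token, 'criteria'));            // valid, and still valid on a second submit
var_dump(check_form_token($token, 'checkout'));            // minted for a different form
var_dump(check_form_token(strrev($token), 'criteria'));    // tampered value
```

Because nothing is stored server-side, the token is inherently multi-use; if the key ever leaks, rotate `FORM_SECRET` and every outstanding token becomes invalid at once.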

A Simple Form Nonce Security Routine Written In PHP

One Web security task that slips through the cracks, even for experienced developers, is ensuring your forms originate on your server, through the use of a nonce, or a one-time, unique identifier for your form.

Why is this important?

  • A favorite attack vector is to duplicate forms on a remote server, and attempt cross-site scripting (XSS) attacks that way. It’s far more convenient to me to write a curl routine that varies up the junk inputs I’m trying to run on my own server, than to run a bot that fills out the target form on its own host.
  • Ensuring your form is submitted only once is most easily managed if you generate a unique identifier every time the form is created and store that identifier in some persistent data store; namely, a database, XML file or the like.
  • A unique identifier for your form gives confidence your form contains what you expect. We can’t be absolutely sure that a properly formed nonce means your form is 100 percent pristine — we still need to check all inputs are present and contain what we expect — but we can usually begin our security checks by seeing if the nonce is present and well-formed, before doing things that constitute heavy lifting, such as sanitizing other inputs, doing calculations on them and rendering up a response or additional steps.

There are a lot of ways to create a nonce, and how best to proceed depends on what goal you have.

Sometimes, you just need to ensure the form originated on your site; it doesn’t need to be one-time use. Other times, you need to be absolutely certain the form is only submitted once. And occasionally, you need to time-limit when a form can be submitted.

I’ll start with the middle requirement: A one-time-use nonce, which isn’t time-limited (that is, the nonce can be used anytime, but once used, can’t be recycled). In upcoming blog posts, I’ll address the other two methods.
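As an added illustration of the one-time-use variant (not the post’s own code, which stores the nonce in MySQL), here is a small PHP routine that issues a token when the form is rendered and consumes it on submission with a single DELETE, using the affected-row count to decide whether this was the first use. That makes the check atomic: two simultaneous submissions of the same form cannot both pass. The demo storage is in-memory SQLite through PDO so the script runs offline; the table name `form_nonce` and the column names are assumptions, and for MySQL only the DSN changes. It needs PHP 7.0 or later.

```php
<?php
// Added example, not the post's code: a single-use nonce kept in a database table.

function nonce_schema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS form_nonce (
        nonce   CHAR(64) PRIMARY KEY,
        created INTEGER NOT NULL
    )');
}

// Called when the form is rendered: store a fresh token and return it for the hidden field.
function issue_nonce(PDO $db): string {
    $nonce = bin2hex(random_bytes(32));   // 256 bits of randomness, hex-encoded
    $stmt = $db->prepare('INSERT INTO form_nonce (nonce, created) VALUES (?, ?)');
    $stmt->execute([$nonce, time()]);
    return $nonce;
}

// Called on submission: returns true exactly once per issued token.
// The DELETE both checks and consumes the token in one statement, so a
// second submission (or a concurrent duplicate) finds zero rows to delete.
function consume_nonce(PDO $db, string $nonce): bool {
    if (!preg_match('/^[0-9a-f]{64}$/', $nonce)) {
        return false;                     // reject malformed input before touching the database
    }
    $stmt = $db->prepare('DELETE FROM form_nonce WHERE nonce = ?');
    $stmt->execute([$nonce]);
    return $stmt->rowCount() === 1;
}

// Housekeeping for forms that were rendered but never submitted.
function purge_stale_nonces(PDO $db, int $max_age_seconds = 86400): int {
    $stmt = $db->prepare('DELETE FROM form_nonce WHERE created < ?');
    $stmt->execute([time() - $max_age_seconds]);
    return $stmt->rowCount();
}

// Offline demo on SQLite (constructed; a MySQL DSN would be 'mysql:host=...;dbname=...').
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
nonce_schema($db);

$nonce = issue_nonce($db);
var_dump(consume_nonce($db, $nonce));          // first submission
var_dump(consume_nonce($db, $nonce));          // replay of the same token
var_dump(consume_nonce($db, "' OR 1=1 --"));   // malformed token never reaches the query
var_dump(purge_stale_nonces($db));             // nothing left to purge in this run
```

Storing the nonce as the primary key also makes the INSERT fail loudly on the (practically impossible) collision rather than silently overwriting an outstanding token.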


Getting The Sunday And Saturday Of The Current Week In PHP

Here’s a quick little routine to get the Sunday and Saturday — that is, the start and end — timestamps for the current week in PHP.

In other words, given today — Friday — I want to figure out the date / Unix timestamp on which the week began (Sunday, or five days ago) and ends (Saturday, or tomorrow).

The algorithm is the same for all programming languages.

  • There are 7 days in a week. In C-like languages, such as PHP and JavaScript, they are usually indexed from 0 (Sunday) to 6 (Saturday).
  • Finding Sunday, therefore, is straightforward: Just subtract the index number of days from today’s date.
  • Saturday is more complex: We need to subtract whatever today’s index is from 6, and then add that number of days to today’s date.

Let’s take a look at an example: Today is Friday. Therefore, Sunday is 5 (Friday’s index) days previous to today. And Saturday is {6 (Saturday’s index) – 5 (Friday’s index)}, or one day, ahead.

Expressed as math, where today’s index is 5, for Friday:

5 - 5 = 0 // Friday's index - Friday's index = Sunday's index
(6 - 5) + 5 = 6 // (Saturday's index - Friday's index) + Friday's index = Saturday's index
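The arithmetic above, carried through as a runnable PHP function; this is an added example rather than the post’s own routine, and it generalises the Friday case to any timestamp. It works in calendar days via `mktime()` instead of adding multiples of 86400 seconds, so the result stays correct across a daylight-saving change, and it shows a week that crosses a month boundary. The dates used are constructed.

```php
<?php
// Added example, not the post's code: Sunday and Saturday of the week containing $now.
date_default_timezone_set('UTC');   // PHP warns if no default zone is set

// Returns [sunday_midnight, saturday_midnight] as Unix timestamps.
function week_bounds(int $now): array {
    $dow = (int) date('w', $now);   // 0 = Sunday ... 6 = Saturday, the indexing the post describes
    $y   = (int) date('Y', $now);
    $m   = (int) date('n', $now);
    $d   = (int) date('j', $now);

    // Sunday: today's index days back.  Saturday: (6 - index) days forward.
    // mktime() normalises out-of-range day numbers, so a negative or too-large
    // day rolls into the previous or next month correctly.
    $sunday   = mktime(0, 0, 0, $m, $d - $dow, $y);
    $saturday = mktime(0, 0, 0, $m, $d + (6 - $dow), $y);
    return [$sunday, $saturday];
}

// The post's case: a Friday (constructed date, 2014-03-07).
[$sun, $sat] = week_bounds(mktime(12, 0, 0, 3, 7, 2014));
echo date('D Y-m-d', $sun), ' .. ', date('D Y-m-d', $sat), PHP_EOL;

// A week that spans a month boundary: 2014-03-01 is a Saturday,
// so its Sunday falls in February.
[$sun, $sat] = week_bounds(mktime(12, 0, 0, 3, 1, 2014));
echo date('D Y-m-d', $sun), ' .. ', date('D Y-m-d', $sat), PHP_EOL;
```

If the week should end at the last second of Saturday rather than its midnight, add a day to the Saturday call and subtract one second.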


How To Increment A Counter In MySQL Based On A Radio Button Click

Asked recently on Formspring:

how to increment count in database on clicking radio button

There are a few ways to go about this. I’ll demonstrate two: a traditional, PHP / MySQL only, postback approach, and a jQuery version that uses AJAX to asynchronously record and update the counts.

Just to be clear: In order to complete this solution, we have to use both JavaScript and a server-side scripting language. We use JavaScript to intercept the user clicking the radio button, but process the fact that the button was clicked on the server.

Also, for the purpose of this tutorial, I’ll assume that the radio button involved is part of a group. That is, we have several radio buttons, all with the same name, but different values, e.g.:

<form id="myform" name="myform" method="post">
	<p>Select a color:</p>
	<label id="l_red"><input type="radio" id="r_red" name="color_name" value="red" />Red</label> (<label id="c_red">0</label>) | 
	<label id="l_green"><input type="radio" id="r_green" name="color_name" value="green" />Green</label> (<label id="c_green">0</label>) | 
	<label id="l_blue"><input type="radio" id="r_blue" name="color_name" value="blue" />Blue</label> (<label id="c_blue">0</label>) | 
	<label id="l_black"><input type="radio" id="r_black" name="color_name" value="black" />Black</label> (<label id="c_black">0</label>)
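Whether the click arrives as a plain postback or via the jQuery AJAX call, the server side is the part that must not trust the posted value. The following is an added example, not the post’s code, of that handler: it accepts only the four values the form actually offers, increments with a parameterised UPDATE, and returns the counts as JSON for refreshing the `c_red` … `c_black` labels. The table `color_count` and its columns are assumptions; storage is in-memory SQLite so the script runs offline (with MySQL only the DSN and the `INSERT OR IGNORE` spelling, which is `INSERT IGNORE` there, change). It needs PHP 7.1 or later.

```php
<?php
// Added example, not the post's code: server-side handler for the radio-button counter.

const COLOURS = ['red', 'green', 'blue', 'black'];   // matches the form's value attributes

function counter_schema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS color_count (
        color  VARCHAR(16) PRIMARY KEY,
        clicks INTEGER NOT NULL DEFAULT 0
    )');
    // Seed one row per colour (SQLite syntax; MySQL spells this INSERT IGNORE).
    $ins = $db->prepare('INSERT OR IGNORE INTO color_count (color, clicks) VALUES (?, 0)');
    foreach (COLOURS as $c) {
        $ins->execute([$c]);
    }
}

// Record one click. Returns the new count, or null if the value is not one of ours.
function record_click(PDO $db, string $posted): ?int {
    if (!in_array($posted, COLOURS, true)) {
        return null;                   // unknown or tampered value: ignore it and never echo it back
    }
    $upd = $db->prepare('UPDATE color_count SET clicks = clicks + 1 WHERE color = ?');
    $upd->execute([$posted]);
    $sel = $db->prepare('SELECT clicks FROM color_count WHERE color = ?');
    $sel->execute([$posted]);
    return (int) $sel->fetchColumn();
}

// All counts keyed by colour, for refreshing the (c_red ...) labels in one go.
function all_counts(PDO $db): array {
    $rows = $db->query('SELECT color, clicks FROM color_count')->fetchAll(PDO::FETCH_KEY_PAIR);
    return array_map('intval', $rows);
}

// Endpoint behaviour: the radio group is named color_name, as in the form above.
function handle_request(PDO $db, array $post): string {
    $count = record_click($db, (string) ($post['color_name'] ?? ''));
    if ($count === null) {
        http_response_code(400);
        return json_encode(['error' => 'unknown color']);
    }
    return json_encode(['counts' => all_counts($db)]);
}

// Offline demo with constructed input (in production, pass $_POST).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
counter_schema($db);
echo handle_request($db, ['color_name' => 'red']), PHP_EOL;
echo handle_request($db, ['color_name' => 'red']), PHP_EOL;
echo handle_request($db, ['color_name' => "purple' OR 1=1"]), PHP_EOL;   // rejected before any query
```

For the AJAX variant, the jQuery `change` handler posts `color_name` to this script and writes each returned count into the matching `c_<color>` label; for the postback variant, the same `record_click()` runs before the page is re-rendered with `all_counts()`.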
