OTT Variable Validation?

eastonch Member
edited January 2013 in General

Hey,

Building one of them funky IP -> Node scripts; here's an example (it's for a friend).

http://nodelookup.mcprohosting.com/index.php

The idea of this is to A) allow customers to enter the IP of their server and get an output of a node number, which will then lead them to a service page to see what their node is doing, whether it's down or not; most likely a Pingdom monitoring page or something.

I was just curious: I was writing the validation of data and came across the filter_var($unIP, FILTER_VALIDATE_IP) function; now, when you think that PHP is now validating the inputted data to be an 'ip', is there any need to do MySQL escapes?

I'm going to throw them in anyway, since it's just 'good' 'secure' practice to; however, why have code there that has no purpose? I picked the filter_var function over the regex function, which would do the exact same, because it's A) cleaner and already verified; there's no need for regex validation if there's already a working function in the version of PHP I'm using (latest 5).

Anybody have any views?

Comments

  • curtisg Banned
    edited January 2013

    A little off topic, but why would this be useful in any cases?

    Second, I'd recommend CodeIgniter. I believe CodeIgniter has some built-in features that might help you; a key feature is the Form Validation, which you can do, for example:

    $this->load->library('form_validation');
    $this->form_validation->set_rules('email', 'Email', 'required|trim|xss_clean|callback_validate_credentials');

    The code I posted above is some of the code I use in a login system.

    You could try if you don't want to use CI:
    htmlentities
    mysql_real_escape_string
    htmlspecialchars($var, ENT_QUOTES)
    strip_tags

    There is a lot more, though. Simply go to php.net and search.

  • Use PDO prepared statements, sqli is automatically out of the equation.

    CI is completely pointless for something as small as this. As for filter_var, it just checks placements of the dots, basically. [email protected] validates as email via FILTER_VALIDATE_EMAIL.

    But yeah, it'll do.

  • @CurtisG

    It's a script that at most, takes around 40 lines including commenting.

    There's no need for CI, and it's used for MinecraftHosts wanting to allow customers to input their IP, to locate the node they're on, be this the geolocation, node name, or whatever, then direct them to the uptime graph from something like UTR or Pingdom, purely just to allow them to see if their server is down because of a node outage or if it's another issue.

    Would possibly save some labour time on tickets when a node goes down, ask them to scream at the node lookup instead of screaming at staff.

  • @eastonch said: The idea of this is to A) allow customers to enter the IP of their server and get an output of a node number, which will then lead them to a service page to see what their node is doing, whether it's down or not; most likely a Pingdom monitoring page or something.

    Sounds like a good way for a DDoS attacker to figure out which node to hit to prevent you from being able to just null the IP of the customer getting attacked.

  • @Wintereise said: Use PDO prepared statements

    ^ This

    @curtisg said: You could try if you don't want to use CI:

    htmlentities
    mysql_real_escape_string
    htmlspecialchars($var, ENT_QUOTES)
    strip_tags

    ^ No! Don't listen to @curtisg about PHP/SQL security.

  • @Wintereise said: [email protected] validates as email via FILTER_VALIDATE_EMAIL

    As it can be valid in a LAN context. FILTER_VALIDATE_EMAIL doesn't mean "valid email in an Internet context".

    I'd continue to use FILTER_VALIDATE_IP and, as others suggest, PDO. 'Mysql escapes' are yesterday's news.

  • eastonch Member
    edited January 2013

    @lbft

    It wasn't exactly my idea to make it; it was requested by a friend. ;)!

    And I don't understand your statement. All it does is change a customer's IP into the node name, for example 'MCUSA1' or 'Sapphire', so they can go to the Pingdom page and look for the name 'mcusa1' or 'sapphire' and see the uptime / downtime etc.

    There's also going to be the reverse Node Name -> IP that I was asked for; no idea why, possibly for staff to see where each IP is being allocated? Bit strange since it'll be imported through CSV anyway.

    @sleddog thanks, I was more tempted by a simple FILTER_VALIDATE_IP than multiple escapes / special-char escaping through HTML.

  • Do yourself a favor and store IPs as longs in a database.

  • Wunderbar Member
    edited January 2013

    @sleddog said: 'Mysql escapes' are yesterday's news.

    And when PHP 5.5.0 is released, they'll be deprecated: http://php.net/manual/en/function.mysql-real-escape-string.php.

    Use PDO, it's database independent so you can use SQLite. MySQL is overkill for this.

  • @Wunderbar said: Use PDO, it's database independent so you can use SQLite. MySQL is overkill for this.

    True. The only caution is, remember that SQLite has no concept of users (username/password). Access depends primarily on directory & file ownership/permissions.
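To make the PDO and SQLite suggestions above concrete, here is an added example that is not code from anyone in this thread: a small IP -> node lookup on an in-memory SQLite database through PDO, with FILTER_VALIDATE_IP as the input check and a bound parameter for the query. The table layout, column names and sample rows are constructed for this example, and it assumes PHP 7.1 or later with the pdo_sqlite extension.

```php
<?php
// Added example (not from the thread): IP -> node lookup using PDO + SQLite.
// Table layout and sample rows are constructed for this example.

function buildLookupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE nodes (ip TEXT PRIMARY KEY, node TEXT NOT NULL)');

    // Constructed sample rows; the addresses come from documentation ranges.
    $insert = $db->prepare('INSERT INTO nodes (ip, node) VALUES (:ip, :node)');
    $rows = array(
        array('192.0.2.10', 'MCUSA1'),
        array('198.51.100.7', 'Sapphire'),
    );
    foreach ($rows as $row) {
        $insert->execute(array(':ip' => $row[0], ':node' => $row[1]));
    }
    return $db;
}

/**
 * Return the node name for a customer-supplied IP, or null when the input
 * is not a syntactically valid IP or is not present in the table.
 */
function lookupNode(PDO $db, string $input): ?string
{
    // Allow-list validation. This decides what the script is willing to look
    // up; it is not what keeps the value out of the SQL text.
    if (filter_var($input, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Prepared statement: the SQL is fixed and the value travels as a bound
    // parameter, so no manual quoting or escaping is involved at all.
    $stmt = $db->prepare('SELECT node FROM nodes WHERE ip = :ip');
    $stmt->execute(array(':ip' => $input));
    $node = $stmt->fetchColumn();

    return $node === false ? null : $node;
}

// Stand-alone demo: a known address, an unknown but valid address, and a
// string that is not an IP at all (rejected before any query is run).
$db = buildLookupDb();
foreach (array('192.0.2.10', '203.0.113.9', 'not-an-ip; DROP TABLE nodes') as $input) {
    $result = lookupNode($db, $input);
    printf("%-30s => %s\n", $input, $result === null ? '(no match)' : $result);
}
```

The validation and the prepared statement do different jobs: the filter decides which inputs are worth looking up, while the bound parameter is what keeps user data separate from the SQL regardless of what the filter let through. For the SQLite file in production, the caution above applies: restrict the file's and directory's ownership and permissions to the web server user, since there is no database login to fall back on.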

  • Another way would be using inet_pton (http://php.net/manual/en/function.inet-pton.php)

    It returns false if the IP isn't valid.

    So, something like this would probably work

    
    // inet_pton() returns the packed binary address for a valid IPv4 or
    // IPv6 string and false otherwise, so the strict comparison is the test.
    function validateIP($IP)
    {
        return inet_pton($IP) !== false;
    }
    

    You get the gist of it.
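Pulling together the FILTER_VALIDATE_IP question from the opening post, the "store IPs as longs" advice and the inet_pton() check just above, here is an added example that is not code from anyone in the thread. It contrasts a plain inet_pton() validity check with filter_var() flags that narrow the input to public IPv4, normalises the textual form so that differently written IPv6 addresses compare equal, and turns a valid address into a canonical storage key (an unsigned 32-bit integer for IPv4, the 16 packed bytes as hex for IPv6). The function names are this example's own; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): validating an IP and producing a
// canonical form for storage and comparison. Function names are this
// example's own.

/** Strict syntactic check: any valid IPv4 or IPv6 address. */
function isValidIp(string $ip): bool
{
    // inet_pton() returns false for anything it cannot parse.
    return inet_pton($ip) !== false;
}

/** Public IPv4 only: rejects IPv6, private (RFC 1918) and reserved ranges. */
function isPublicIpv4(string $ip): bool
{
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/**
 * Canonical text form. '2001:0db8:0000:0000:0000:0000:0000:0001' and
 * '2001:db8::1' both come back as '2001:db8::1'; null for invalid input.
 */
function canonicalIp(string $ip): ?string
{
    $packed = inet_pton($ip);
    return $packed === false ? null : inet_ntop($packed);
}

/**
 * Storage key for a database column. IPv4 becomes an unsigned 32-bit
 * integer as a decimal string (ip2long() is signed on 32-bit builds, hence
 * sprintf('%u')); IPv6 becomes the hex of its 16 packed bytes. Both sort
 * and compare correctly and avoid storing free-form text. Null if invalid.
 */
function ipToStorageKey(string $ip): ?string
{
    $packed = inet_pton($ip);
    if ($packed === false) {
        return null;
    }
    if (strlen($packed) === 4) {
        return sprintf('%u', ip2long($ip));
    }
    return bin2hex($packed);
}

// Stand-alone demo over constructed inputs: a documentation-range IPv4,
// a private IPv4, a long-form IPv6 address, an out-of-range octet, and
// trailing whitespace (which neither validator tolerates).
$samples = array(
    '192.0.2.10',
    '10.0.0.5',
    '2001:0db8:0000:0000:0000:0000:0000:0001',
    '999.1.1.1',
    '192.0.2.10 ',
);
foreach ($samples as $ip) {
    printf(
        "%-42s valid=%-5s public4=%-5s canon=%-12s key=%s\n",
        var_export($ip, true),
        var_export(isValidIp($ip), true),
        var_export(isPublicIpv4($ip), true),
        var_export(canonicalIp($ip), true),
        var_export(ipToStorageKey($ip), true)
    );
}
```

Which check to use depends on what the lookup is for: isValidIp() is the right gate if the table can legitimately hold IPv6 or internal addresses, while isPublicIpv4() is the tighter choice when customers should only ever be submitting a public IPv4 address. Whichever gate you pick, store and compare the canonical key rather than the raw string, so that '2001:db8::1' and its expanded form, or an IP typed with stray whitespace, cannot turn into two different rows.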
