business logic and sql sanitization

hutchic

I'm trying to create one function (or a proxy function/class) for all business logic and sql sanitization.

$fields = array("username" => "text", "password" => "password", "number" => "number");
$insertValues = array("username" => "user1", "password" => "pass1", "number" => 5);
$min = array("username" => 5, "password" => 6, "number" => 0);
$max = array("username" => 10, "password" => 10 "number" => 100);

function validate($fields, $insertValues, $min, $max, $sql_safe){
	$insertValues = "";
	$errors = "";
	while(list($fieldName, $fieldType) = each($fields)){
		if($fieldType == "int"){
			$valueList[$fieldName] = intval($insertValues[$fieldName]);
			if($valueList[$fieldName] != $insertValues[$fieldName]){
				$errors[$fieldName] = "illegal characters found";
			}if((($min[$fieldName] != '') && ($valueList[$fieldName] < $min[$fieldName])) || (($max[$fieldName] != '') && ($valueList[$fieldName] > $max[$fieldName]))){
				$errors[$fieldName] = "wrong size";			
			}else{
				$errors[$fieldName] = "ok";
			}
		}else if($fieldType == "float"){
			$valueList[$fieldName] = floatval($insertValues[$fieldName]);
			if($valueList[$fieldName] != $insertValues[$fieldName]){
				$errors[$fieldName] = "illegal characters found";
			}if((($min[$fieldName] != '') && ($valueList[$fieldName] < $min[$fieldName])) || (($max[$fieldName] != '') && ($valueList[$fieldName] > $max[$fieldName]))){
				$errors[$fieldName] = "wrong size";			
			}else{
				$errors[$fieldName] = "ok";
			}		
		}else{
			$valueList[$fieldName] = preg_replace("/[^a-zA-Z0-9]/", "", $insertValues[$fieldName]);
			$length = strlen($valueList[$fieldName]);	
			if($valueList[$fieldName] != $insertValues[$fieldName]){
				$errors[$fieldName] = "illegal characters found";
			}if((($min[$fieldName] != '') && ($length < $min[$fieldName])) || (($max[$fieldName] != '') && ($length > $max[$fieldName]))){
				$errors[$fieldName] = "wrong size";			
			}else{
				$errors[$fieldName] = "ok";
			}	
		}if($sql_safe){
			$valueList[$fieldName] = "'".mysql_real_escape_string($valueList[$fieldName])."'";
		}
	}
	$temp["error"] = $error;
	$temp["valueList"]  = $valueList;
	return $temp;
}

Its not quite complete but I thought I'd post what I have so far and get some input/feedback. I intend on adding more business logic ie phone number, postal code validation et al.

Weedpacket

Dunno why you'd want to mix field validation with business logic ... but then I don't see any business logic (e.g., "Shipments within the metropolitan are sent via City Couriers, long distance via National Freight", "Lost Island deliveries are made weekly, others go out daily", "orders for less than one shipping unit are to be picked up by the purchaser", etc.) here.

hutchic

To reiterate:

Its not quite complete but I thought I'd post what I have so far and get some input/feedback. I intend on adding more business logic ie phone number, postal code validation et al.

My app doesn't require the high level business logic you use as examples it's much more rudimentary postal codes, phone numbers etc

Shrike

You could think about splitting the various validation routines into seperate functions, or even classes. Currently you check to see what the input type is, this is implicit in the $fields array and so that could be used to select the correct routines.

You might want to have a look through the source code for PEAR::Html_quickform.

One thing you might notice is that since you already have the field definitions your only a few steps away from generating the input (e.g. HTML forms) automatically which can save alot of typing.

hutchic

I had a look at the PEAR::Html_quickform stole a number of ideas from it but I just find if I do stuff myself:
1) security by obscurity
2) I can modify it with my needs
3) the learning experience (this is a big one, I've met framework dependent people who just can't work without their framework of choice they don't know how to do things themselves anymore)

None the less could you direct me to some tutorials re: implementing/using quickform and perhaps a pear alternative (standalone/lightweight library ideally)?

various validation routines into seperate functions

yeah once it gets too large to handle or I have some need for a sanitize type X function.

I've found a few logic errors in the code the final else needs to differentiate between numbers and strings and use strcmp instead of != for strings and not use strlen for numbers and curiously enough

$valueList[$fieldName] = preg_replace("/[^a-zA-Z0-9]/", "", $insertValues[$fieldName]);
$length = strlen($valueList[$fieldName]);

$length never equals the length 🙁 (and die($valueList[$fieldName]) = a string fyi

Help appreciated

Weedpacket

hutchic wrote:
My app doesn't require the high level business logic you use as examples it's much more rudimentary postal codes, phone numbers etc

Which is my point: postcode/phone number/email formats aren't generally considered "business logic" (rules constructed by the business to control its operations); the same way that "car logic" (the contents of your car's user and maintenace manuals) tells you how to adjust the sensitivity of the collision avoidance radar, but not how to read a set of traffic lights.

hutchic wrote:
1) security by obscurity

As something to avoid on the grounds that it never works?

hutchic

Weedpacket wrote:
Which is my point: postcode/phone number/email formats aren't generally considered "business logic"

you say bananna I say banana why are we dwelling on this :glare:

Weedpacket wrote:
As something to avoid on the grounds that it never works?

That's one opinion. If a zero day exploit pops up for a widely used package(ie php-nuke) my app is boned.

6f1ed002ab5595859014ebf0951522d9 that an encrypted version of one of my passwords. Without me telling you the key or algorithm what's my password? See secuirty through obscurity 😉 ..... although your point is taken I don't rely or use it as a crutch secure programming takes precedence and my definition of security through obscurity does NOT mean hiding known vulnerabilities.

Weedpacket

Your definition of "business logic" seems to differ from industry conventions. Maybe your definition of "security through obscurity" does as well.

hutchic

Weedpacket wrote:
Your definition of "business logic" seems to differ from industry conventions. Maybe your definition of "security through obscurity" does as well.

yeah looks that way sorry for the confusion.... any input with "my" definitions :rolleyes:

Weedpacket

(Well, okay. I mean, I made a quick survey of the web to check my understanding of the terms hadn't drifted... I mean "security by obscurity" - I've seen people fired for that.)

Well, what Shrike said. Being able to specify all the validation criteria about a field in a single variable or array element would be more useful than splitting it across four, especially when some fields don't have to meet certain criteria (what do I put if I don't want a maximum length? 2147483647? Maybe using null default arguments and skipping tests will null criteria would help.)

Plus, you have further errors in your code: you initialise $errors to be a string, then use it as an array, but return $error (which isn't initialised) instead. You did read what this forum was about, didn't you?

Please only post finished code in this forum for which you would like to
receive criticism. If your code isn't working, or is buggy, ....

🙂