CHAPTER 6 Forms and User Input 112 P l u g - i n P H P : 1 0 0 P o w e r S o l u t i o n s 112 P l u g - i n P H P : 1 0 0 P o w e r S o l u t i o n s E ven with the growth in Web 2.0 Ajax techniques, most people still interact with web sites using forms. They are a tried and tested means of obtaining user input and are likely to retain an important position for a long time to come. Receiving user input is all well and good—that’s the easy part. But turning that input into usable and secure data is another matter. In this chapter, you’ll find a collection of solutions for helping you with expression evaluation, validation of credit card details, e-mail addresses and text strings, identifying spam, preventing automated input from “bots,” and ways of supporting user-supplied text formatting. Evaluate Expression You might think that offering support for evaluating expressions would be a simple matter of calling the PHP eval() function with a user supplied input. Unfortunately, though, eval() is an extremely powerful function that will interpret any string supplied to it as if it were a PHP program; using it could completely open up your web site to any intruder with a minimum of PHP knowledge. However, with this plug-in the user input is completely sanitized by stripping out any characters and functions that are not safe, leaving only a selection of 22 mathematical functions and the basic math operators (plus, minus, multiply, and divide), and only then is the input passed to eval(). Figure 6-1 shows a variety of expressions being calculated. About the Plug-in This plug-in accepts a string containing a mathematical expression and returns the result of evaluating it. It takes this argument: • $expr A string containing an expression Variables, Arrays, and Functions $f1 Array containing the 22 mathematical function names supported $f2 Array containing tokens that the function names are temporarily converted to FIGURE 6-1 This plug-in enables powerful calculator functionality on your web site. 31 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 113 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 113 How It Works To allow the use of PHP’s build-in eval() function, it is necessary to remove any harmful expressions before passing them to the function. To achieve this, the array $f1 contains 22 function names (out of the hundreds supported by PHP) that are considered safe. Using the $f2 array, which contains a matching set of tokens, any of the 22 functions found in the argument $expr are converted to a corresponding token. This means that any remaining alphabetical characters may form other function names and therefore are stripped out. The preceding is achieved by first converting the string $expr to lowercase using the function strtolower() and then employing str_replace() to replace all occurrences of the allowed function names with their tokens. Next preg_replace() is called to strip out anything remaining that is not required, using the regular expression /[^\d\+\*\/\-\.()! ]/. Okay, I know it looks like I just dropped the keyboard on the floor but this is actually a powerful expression which I’ll now break up for you. The outer / characters denote the start and end of a regular expression. The square brackets, [], state that a match should be made against any single character enclosed within them. The ^ symbol, when immediately following a [ symbol, forces negation, so that the expression will match anything that is not one of the characters following. Next comes a sequence of characters, which are all escaped by prefacing them with a \ symbol, because otherwise they would be interpreted as special regular expression operators: • \d Any digit (0–9) • \+ An addition symbol • \* A multiplication symbol • \/ A division symbol • \- A subtraction symbol • \. A decimal point symbol So, if any symbol is not one of these escaped symbols, it will be considered a match and the second argument to preg_replace(), '', will replace it with nothing—in other words, the symbol will be removed. Finally, a few other symbols are also allowed through. These are the left and right brackets, the comma, the exclamation mark, and a space. You might wonder why the exclamation mark is allowed within a mathematical expression. Well, the answer isn’t that the exclamation mark is needed for use in expressions, because it isn’t. Instead, it’s there because it forms part of each of the 22 tokens in the array $f2. Once the mathematical functions have been converted to tokens, the ! symbols remain there so that the tokens can be converted back again after stripping the remaining unwanted characters out, which is done using another call to the str_replace() function. I chose the exclamation mark at random and could equally have used any one of many other symbols. After all this processing, the resulting sanitized string is passed to the eval() function, the result of which is returned to the calling statement. If you wish to see what the sanitized expression looks like, you can uncomment the line shown in the source code. 114 P l u g - i n P H P : 1 0 0 P o w e r S o l u t i o n s 114 P l u g - i n P H P : 1 0 0 P o w e r S o l u t i o n s How to Use It To evaluate a user-supplied expression, just call the function PIPHP_EvaluateExpression(), passing the expression to be calculated, in the following manner, which calculates the area of a circle with a radius of 4: echo PIPHP_EvaluateExpression("pi() * pow(4, 2)"); The Plug-in function PIPHP_EvaluateExpression($expr) { $f1 = array ('abs', 'acos', 'acosh', 'asin', 'asinh', 'atan', 'atan2', 'atanh', 'cos', 'cosh', 'exp', 'expm1', 'log', 'log10', 'log1p', 'pi', 'pow', 'sin', 'sinh', 'sqrt', 'tan', 'tanh'); $f2 = array ('!01!', '!02!', '!03!', '!04!', '!05!', '!06!', '!07!', '!08!', '!09!', '!10!', '!11!', '!12!', '!13!', '!14!', '!15!', '!16!', '!17!', '!18!', '!19!', '!20!', '!21!', '!22!'); $expr = strtolower($expr); $expr = str_replace($f1, $f2, $expr); $expr = preg_replace("/[^\d\+\*\/\-\.(),! ]/", '', $expr); $expr = str_replace($f2, $f1, $expr); // Uncomment the line below to see the sanitized expression // echo "$expr<br />\n"; return eval("return $expr;"); } Validate Credit Card Sometimes people make mistakes when entering credit card numbers in web forms, or even just make numbers up to see what will happen. Using this plug-in you can at least ensure that a credit card number and expiration date you have been provided with has an acceptable number sequence, a correct checksum, and a valid expiration date. This enables you to only pass on sensible-looking details to your card pr ocessing organization, and possibly limit any additional fees that may be charged. In Figure 6-2 you can see a made-up card number that has not validated. About the Plug-in This plug-in accepts a credit card number and expiration date and returns TRUE if they validate, otherwise it returns FALSE. It takes these arguments: • $number A string containing a credit card number • $expiry A credit card expiration date in the form 07/12 or 0712 32 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 115 C h a p t e r 6 : F o r m s a n d U s e r I n p u t 115 Variables, Arrays, and Functions $left String containing the left four digits of $number $cclen Integer containing the number of characters in $number $chksum Integer containing the credit card checksum $j Loop counter $d Character containing individual digits extracted from $number How It Works In the 1950s, Hans Peter Luhn, a scientist working at IBM, created the Luhn checksum algorithm, also known as the modulus 10 or mod 10 algorithm. It will detect any single-digit error, as well as almost all transpositions of adjacent digits in a string of digits. This makes it very useful for verifying whether a credit card number has been successfully entered by using the simple method of adding a checksum digit at the number’s end. All major credit companies use this system, and so can we. The first thing the plug-in does is remove any non-digit characters from $number; the same is done for the expiration date in $expiry. Then, the contents of the first four digits of $number are placed in the variable $left, the length of $number is placed in $cclen, and $checksum is initialized to 0. Each card issuer has their own initial sequences of numbers, and card number length can vary between 13 and 16 digits depending on the issuer. So, using the contents of $left, the next main section of code looks up the type of card and, based on the result, returns FALSE if $number does not contain the correct number of digits for that card. Once all the known sequences of initial digits have been processed, if no card has yet been matched, then FALSE is returned because $number represents the number for a card type the program is unaware of—most likely it’s a made-up number. Otherwise, the card type has been identified and $number has been found to have the right number of digits, so the next portion of code runs the Luhn algorithm to see whether the sequence of numbers appears valid. It does this by checking alternate digits and adding them together in a pre-set manner. If the result is exactly divisible by 10, then the sequence is valid. If not, FALSE is returned. Lastly, the expiration date is checked against the date of the last day of the current month, and if the card has expired, FALSE is returned. If all these tests pass, a value of TRUE is returned. FIGURE 6-2 Credit card numbers have a built-in checksum that this plug-in will validate. . being calculated. About the Plug- in This plug- in accepts a string containing a mathematical expression and returns the result of evaluating it. It takes this argument: • $expr A string containing. containing the left four digits of $number $cclen Integer containing the number of characters in $number $chksum Integer containing the credit card checksum $j Loop counter $d Character containing. strings, identifying spam, preventing automated input from “bots,” and ways of supporting user-supplied text formatting. Evaluate Expression You might think that offering support for evaluating