LAMP with ·dotmanila » Application Security

Zend_Validate_StringEquals

jervin — Sat, 23 Jan 2010 14:54:23 +0000

If you ever wonder where that 'StringEquals' validator rule taken as example from the Zend_Filter_Input documentation page results in an error like below, well read again. It was clearly stated as 'hypothetical'.

Plugin by name 'StringEquals' was not found in the registry; used paths: Zend_Validate_: Zend/Validate/

Given such validator would be useful on a number of situations i.e. confirming passwords, emails, etc. I present to you my own version of the class.

 
class Zend_Validate_StringEquals extends Zend_Validate_Abstract
{
    const NOT_EQUAL	= 'stringNotEqual';
    const MISSING	= 'stringMissing';
 
    /**
     * @var array
     */
    protected $_messageTemplates = array(
        self::NOT_EQUAL	=> "%field1% and %field2% are not equal.",
        self::MISSING	=> "One or both strings are missing."
    );
 
    /**
     * @var array
     */
    protected $_messageVariables = array(
        'field1' => '_field1',
        'field2' => '_field2'
    );
 
    protected $_case = false;
    protected $_field1 = null;
    protected $_field2 = null;
 
    /**
     * Sets validator options
     *
     * @param  boolean $case
     * @return void
     */
    public function __construct($case = false)
    {
        $this->_case = $case;
    }
 
    /**
     * Defined by Zend_Validate_Interface
     *
     * Returns true if and only if the the 2 strings are equal
     *
     * @param  array $value
     * @return boolean
     */
    public function isValid($value)
    {
    	if(!is_array($value) OR sizeof($value) < 2) {
			$this->_error(self::MISSING);
    	}
 
    	$this->_field1 = array_shift($value);
    	$this->_field2 = array_shift($value);
 
        if($this->_case === true) $function = 'strcmp';
        else $function = 'strcasecmp';
 
        if(0 !== $function($this->_field1,$this->_field2)) $this->_error(self::NOT_EQUAL);
 
        if (count($this->_messages)) {
            return false;
        } else {
            return true;
        }
    }
}

Here is a sample test case. Validate password and confirm password elements represented by 'password' and 'cpassword' element names respectively.

 
$filters = array('password' => 'StringTrim', 'cpassword' => 'StringTrim');
$validators = array(
    'Password' => array(
        'presence' => 'required',
        array('StringLength',5,15),
        'fields' => 'password',
        'messages' => "Passwords must be between 5 and 15 characters in length."),
    'Confirm password' => array(
        array('StringEquals'),
        'fields' => array('password','cpassword'),
        'messages' => array(
            0 => array(
                Zend_Validate_StringEquals::NOT_EQUAL => "Passwords does not match.",
                Zend_Validate_StringEquals::MISSING => "Both password fields must be filled."))));
 
$inputdata = new Zend_Filter_Input($filter,$validators,$_POST,$options);

PCI Compliance

admin — Mon, 26 Oct 2009 03:32:33 +0000

It has not been long that I've become involved on many a client requests to make their servers PCI compliant. More often than not they would just pass onto us at least a 30 page report of what's needed to be done to become "PCI Compliant". This would often cause a short debacle between us and the clients since merely looking at the report and evaluating what is needed to be done on our part already costs our time.

The point of this article is how much should we get involved on getting our customers "PCI Compliant"?

From a customer's point of view, generally they would expect all the technical work necessary be done out of the report. From my point of view, this should not be the case. Security compliance is another box when it comes to web hosting, if the customers are employing a third party security company then they should do most of the leg work. We do not need to analyze pages of report that those security comapnies are supposed to be doing. We'd more than happy to get the customer compliant, but we only need the specific technical points to do our part. Yes, the customer gets confused at first when we throw back at them these ideas, fortunately they would get our point and point back to the security vendor then the vendor liasing directly back to us.

I'd hope there is a much more structured process between the security vendor, the customer and the hosting company. How about you, how have you been doing so far as a customer, vendor or a hosting company with your part on the PCI compliance process?

Stealing your RFID Enabled Cards

jervin — Mon, 02 Feb 2009 11:36:02 +0000

Security researcher Chris Paget recently drove around downtown San Francisco to clone RFID base Passports and Drivers Licenses using an inexpensive kit of wireless tools. More at theregister.co.uk:

Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation drivers licenses.

The $250 proof-of-concept device - which researcher Chris Paget built in his spare time - operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners.

http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/