    Validation/verification

#1


    Can someone point me in a direction on how to verify user input?

    I mean I can do validation to make sure people do not put £, $, etc., but how do I know it is real?

    For example: first name, last name, I can put AOIJD and it is not real?
    Similarly with emails/telephone, etc.?

    (Emails I know I can do domain lookups on, but companies like BriteVerify do an actual email lookup, so how on earth can they do that if email providers like Hotmail do not give an invalid response?)
#2
    Verifying email is a non-trivial process. Here are the steps:
    1) extract the domain from the address
    2) look up the mail server for that domain (MX records)
    3) establish a connection to that mail server on port 25. There can be multiple servers returned by 2, so if the highest priority server is not responding you can work your way down the list.
    4) issue the HELO command
    5) issue the FROM command
    6) issue the VRFY command
    7) save the response
    8) issue the QUIT command
    9) take appropriate action based on response

    Verifying phone numbers is unreliable at best. There are web sites that will do that but the accuracy is questionable.
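The nine steps above, worked through as an added example (this is not the poster's code). The only step a script can actually reason about is step 7/9, interpreting the reply, so the example runs the HELO / MAIL FROM / VRFY / QUIT exchange against a constructed in-process stand-in for the MX host and classifies the reply codes from RFC 5321: 250 confirms the mailbox, 550 rejects it, and 252 ("cannot VRFY user, but will accept message") is the answer large providers give for every address, which is why the check comes back inconclusive against Hotmail. A real client would resolve the MX records (step 2) with a DNS library and open a socket on port 25 (step 3); `FakeMailServer`, `verify_address` and the `verifier.example` HELO name are assumptions of this example.

```python
"""Simulated SMTP VRFY check (added example, not the forum poster's code).

Runs offline against a constructed fake MX host; a real client would resolve
the MX records and open a TCP socket on port 25 instead of calling `send`.
"""
import re
from typing import Callable, Dict, List, Tuple

# RFC 5321 reply codes that matter when interpreting the VRFY answer (step 7).
REPLY_MEANING = {
    250: "confirmed",   # mailbox exists
    251: "confirmed",   # user not local, server will forward
    252: "unknown",     # cannot VRFY, will still accept mail: the Hotmail-style answer
    502: "unknown",     # VRFY not implemented
    550: "invalid",     # mailbox unavailable
    551: "invalid",
    553: "invalid",
}


def extract_domain(address: str) -> str:
    """Step 1: the part after the last '@'; raises on strings without one."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def parse_reply(line: str) -> Tuple[int, str]:
    """Split a reply such as '252 2.5.2 Cannot VRFY user' into (code, text)."""
    m = re.match(r"^(\d{3})[ -](.*)$", line.strip())
    if not m:
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return int(m.group(1)), m.group(2)


def classify_reply(code: int) -> str:
    """Step 9: map the VRFY reply code to confirmed / unknown / invalid."""
    if code in REPLY_MEANING:
        return REPLY_MEANING[code]
    if 200 <= code < 300:
        return "confirmed"
    if 500 <= code < 600:
        return "invalid"
    return "unknown"   # 4xx and anything unexpected: retry later, do not conclude


def verify_address(address: str, send: Callable[[str], str],
                   helo_name: str = "verifier.example") -> Dict[str, object]:
    """Steps 4-9: HELO, MAIL FROM, VRFY, save the reply, QUIT, classify.

    `send` writes one command and returns the reply line; a real implementation
    would wrap a socket and read the 220 banner before the first command.
    """
    transcript: List[Tuple[str, str]] = []

    def cmd(line: str) -> str:
        reply = send(line)
        transcript.append((line, reply))
        return reply

    cmd(f"HELO {helo_name}")                            # step 4
    cmd(f"MAIL FROM:<postmaster@{helo_name}>")          # step 5
    code, _text = parse_reply(cmd(f"VRFY <{address}>"))  # steps 6 and 7
    cmd("QUIT")                                         # step 8
    return {"address": address, "domain": extract_domain(address),
            "code": code, "verdict": classify_reply(code), "transcript": transcript}


class FakeMailServer:
    """Constructed stand-in for an MX host. With hides_vrfy=True it answers every
    VRFY with 252, mimicking a large provider that does not reveal its users."""

    def __init__(self, mailboxes, hides_vrfy: bool = False) -> None:
        self.mailboxes = set(mailboxes)
        self.hides_vrfy = hides_vrfy

    def send(self, line: str) -> str:
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in ("HELO", "MAIL"):
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        if verb == "VRFY":
            target = line[len("VRFY "):].strip("<> ")
            if self.hides_vrfy:
                return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
            if target in self.mailboxes:
                return f"250 <{target}>"
            return "550 5.1.1 User unknown"
        return "502 5.5.2 Command not implemented"


if __name__ == "__main__":
    strict = FakeMailServer(["alice@example.com"])
    hidden = FakeMailServer(["alice@example.com"], hides_vrfy=True)
    for addr, server in [("bob@example.com", strict), ("bob@example.com", hidden)]:
        print(addr, "->", verify_address(addr, server.send)["verdict"])
```

Against the strict server the unknown mailbox comes back "invalid"; against the provider-style server the same address comes back "unknown", and the script should treat that as no information at all rather than as confirmation.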
#3
    Hi,

    all those "validations" of email addresses, telephone numbers etc. are useless without checking the identity of the user.

    I mean, I can give you a perfectly valid email address and telephone number. That doesn't mean they're actually mine. You won't know until you call me and send me a mail and have me somehow verify my identity.

    So forget this idea of "magical validations". If you're bound to PHP and JavaScript, the best you can do is verify the plausibility of the data (except the email address, which you can validate with a confirmation link).
#4
    What I meant is I want to stop people from typing in "aaaaa", but something like John will pass, as it is "valid" even though it may not be your real name.

    GW15S0E:

    I did that before, but for Hotmail they did not give me any response.
#5
    Originally Posted by paulh1983
    GW15S0E:

    I did that before, but for Hotmail they did not give me any response.
    Did what for hotmail and did not get what response?
#6
    Originally Posted by paulh1983
    GW15S0E:

    I did that before, but for Hotmail they did not give me any response.
    Did what with Hotmail and did not get back what response?

    In any case, Jacques1 had the more common solution of using confirmation emails.
#7
    @paulh1983:

    I don't really understand what you're trying to do. What's the exact purpose of those plausibility checks? Why do you put so much effort into that?

    "Honest" users will continue to enter true data, and "dishonest" users will continue to make data up. The only difference is that you'll get "John Doe" instead of "qwerty". How's that any better?

    In general, validation has two purposes in my opinion: catching typos and motivating "lazy" users to not leave out fields. For example, a user might have skipped the email field because he doesn't remember the address off the top of his head. An error message might get him to go back and enter the correct address.

    Regular expressions are a good tool for that. SMTP sessions and gigantic name databases aren't.

    The only sensible purpose I can think of is when you sell this data and need it to "look good" in order for the buyer to accept it. But in any other case, it's just a total waste of time and resources. There's a reason why this SMTP checking stuff is pretty rare.
#8
    "Honest" users will continue to enter true data, and "dishonest" users will continue to make data up.
    This is the ultimate truth when it comes to validation. You cannot get around this fact no matter how much code you write.

    You cannot validate the accuracy of the information given to you by the user unless you have a database of information that you already know is accurate, or you use some 2-factor validation process that involves the user.

    Did what for hotmail and did not get what response?
    I assume he means that he implemented the steps in post #2 for email verification. It makes sense for large mail providers to not return a useful response at step 7, because a useful response there is also useful to spammers who are trying to find valid accounts. I would not be surprised to see a provider return a useless response regardless of whether the email is valid or not. Additionally, a significant number of mail servers are set up with catch-all emails, so the mail server will accept the mail for delivery regardless of the existence of the address.

    what i meant is i want to stop people from typing in: ""aaaaa" but something like John will pass as it is "valid" even though it may not be your real name.
    Can you pragmatically define an accurate set of rules that determine valid names from invalid names? No. No one ever has, and no one ever will. Names are too complicated.

    ----

    A lot of information can be verified with a 2-factor validation process:
    * emails - send a validation email, ask the user to click on a link in it
    * phone numbers - send the user a text or call them, ask them to enter the value you send
    * credit cards - charge two small amounts, ask the user to enter the charged amounts
    * names / addresses - ask the user to submit a drivers license or utility bill

    ----

    If you have a massive database of valid personal information, you can use that to help with validation. That is what companies like BriteVerify do. They take the information you give them, try to find a match in their database for a person that they think is you, and then compare the information you entered against the information they have stored for "you" and throw an error if there are any differences.

    For example, if you entered the right name and zip code, there's a pretty solid chance of them being able to locate a record with just that; and then the rest of the record is used to validate the other fields.

    There are problems with this method though:
    * Large, accurate and updated databases of personal information are very expensive to buy (despite the fact that almost all of the information in them is free)
    * Maintaining your own large, accurate and updated database of personal information is even more expensive
    * All databases only cover a subset of real people
    * All databases contain errors
    * These types of databases are very large (tens to hundreds of gigabytes) and computationally very expensive to search

    ----

    So, ultimately, to answer your question:
    Can someone point me to a direction on how to verify user input?
    * You validate whether the value entered has the right syntax. For names, this means if(!empty($name)).
    * If you need to validate the accuracy of information, you use a third party service or 2-factor validation if the type of data you're validating supports it.
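The first bullet of the 2-factor list above (send a validation email, have the user click a link), as an added example that is not part of the post. The point it shows is what makes the link count as a second factor: the token comes from the OS CSPRNG so it cannot be guessed, only its SHA-256 digest is stored so a leaked table yields no working links, it works exactly once, and it expires. `EmailConfirmer`, the in-memory store and the `https://app.example/confirm` endpoint are assumptions of this example; a real site would persist the pending rows and hand the link to its mailer.

```python
"""Email confirmation-link flow (added example, not a forum poster's code).

Assumes an in-memory store and a hypothetical https://app.example/confirm
endpoint; a deployment would persist Pending rows and send the link by mail.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

TOKEN_TTL_SECONDS = 24 * 60 * 60
CONFIRM_URL = "https://app.example/confirm"   # hypothetical endpoint


def _digest(token: str) -> str:
    # Store only a hash of the token: a copy of the pending table gives no usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Pending:
    email: str
    expires_at: float


class EmailConfirmer:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                          # injectable clock, so expiry is testable
        self.pending: Dict[str, Pending] = {}   # token digest -> pending record
        self.confirmed: Set[str] = set()

    def issue(self, email: str) -> str:
        """Create a single-use token and return the link to put in the mail."""
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self.pending[_digest(token)] = Pending(email.strip().lower(),
                                               self.now() + TOKEN_TTL_SECONDS)
        return f"{CONFIRM_URL}?token={token}"

    def confirm(self, token: str) -> Optional[str]:
        """Return the confirmed email, or None for unknown, reused or expired tokens."""
        entry = self.pending.pop(_digest(token), None)   # pop: a token works once
        if entry is None:
            return None
        if self.now() > entry.expires_at:
            return None
        self.confirmed.add(entry.email)
        return entry.email

    def is_confirmed(self, email: str) -> bool:
        """The only question the rest of the app should ask about an address."""
        return email.strip().lower() in self.confirmed


if __name__ == "__main__":
    c = EmailConfirmer()
    link = c.issue("alice@example.com")
    print("mail this link:", link)
    print("confirmed:", c.confirm(link.split("token=", 1)[1]))
```

Note that nothing here says whether the address "looks" real; it says whether someone who can read that mailbox asked for the confirmation, which is the only fact a web form can establish about an email address.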
#9
    Originally Posted by Jacques1
    @paulh1983:

    I don't really understand what you're trying to do. What's the exact purpose of those plausibility checks? Why do you put so much effort into that?
    Well, at the moment the company I work for has different forms where users input the data. Now my colleague (non-techie) gets all this data in an Excel file, and she has to manually go through this list (can be 10000s of records) to get rid of emails, names, etc. that look like rubbish, and this takes time and is tedious and boring.

    So I wanted to help her by writing a script that reads those records and then takes out (or marks) spam info/records.
#10
    I see. In other words: you need the data to look legit so that your boss/client is satisfied and your colleague no longer has to "prettify" it by hand?
#11
    lol, I guess so, as long as there are no "asdad asdasd dasd@asd.com" type entries. I actually have no idea what happens with those emails, names, etc., but yeah, we probably send them to the client, etc.

    I assume he means that he implemented the steps in post #2 for email verification.
    Yes, you are right, this is what I meant.
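The batch "mark the rubbish" script from posts #9 to #11, as an added example that is not the OP's code. It applies only the checks post #8 says are decidable from the text itself (empty fields, the `!empty($name)` idea, email and phone syntax, one-character mashes like "aaaaa") and marks rows instead of deleting them, so the colleague reviews the flagged ones. The CSV is constructed; note that the last row, the "asdad asdasd dasd@asd.com" case from post #11, passes every syntactic check, which is exactly the limit post #8 describes: only a confirmation link or a third-party record match can say more about it. `mark_records` and the column names are assumptions of this example.

```python
"""Batch junk-marking pass over exported form records (added example, not the OP's script).

Only checks decidable from the text itself; rows are flagged, not deleted.
SAMPLE_CSV is constructed for the example.
"""
import csv
import io
import re
from typing import Dict, List

SAMPLE_CSV = """first_name,last_name,email,phone
John,Doe,john.doe@example.com,+44 20 7946 0000
aaaaa,bbbbb,aaaaa@example.com,12345
Mary,O'Neil,mary.oneil@example,
,Smith,£bad@example.com,+1 555 0100
asdad,asdasd,dasd@asd.com,
"""

# Syntax only: one '@', no whitespace or currency symbols, a dotted domain ending in 2+ letters.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@(?:[A-Za-z0-9\-]+\.)+[A-Za-z]{2,}$")
# Letters in any script, with single spaces, apostrophes or hyphens between parts.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")
# Optional '+', then at least seven digits/spaces/dashes/parentheses, digit first and last.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 \-()]{5,}[0-9]$")


def name_problems(field: str, value: str) -> List[str]:
    v = value.strip()
    if not v:
        return [f"{field}: empty"]                 # the if(!empty($name)) check from post #8
    if not NAME_RE.match(v):
        return [f"{field}: contains digits or symbols"]
    if len(v) > 2 and len(set(v.lower())) == 1:
        return [f"{field}: one repeated character"]   # "aaaaa"
    return []


def email_problems(value: str) -> List[str]:
    v = value.strip()
    if not v:
        return ["email: empty"]
    if not EMAIL_RE.match(v):
        return ["email: bad syntax"]
    return []


def phone_problems(value: str) -> List[str]:
    v = value.strip()
    if not v:
        return []                                  # optional field on the form
    if not PHONE_RE.match(v):
        return ["phone: bad syntax"]
    return []


def check_record(row: Dict[str, str]) -> List[str]:
    """Every reason a row was flagged; an empty list means no syntactic defect."""
    reasons: List[str] = []
    reasons += name_problems("first_name", row.get("first_name") or "")
    reasons += name_problems("last_name", row.get("last_name") or "")
    reasons += email_problems(row.get("email") or "")
    reasons += phone_problems(row.get("phone") or "")
    return reasons


def mark_records(csv_text: str) -> List[Dict[str, object]]:
    """Return every row with a 'flagged' boolean and the list of reasons attached."""
    out: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = check_record(row)
        out.append({**row, "flagged": bool(reasons), "reasons": reasons})
    return out


if __name__ == "__main__":
    for r in mark_records(SAMPLE_CSV):
        mark = "FLAG" if r["flagged"] else "ok  "
        print(mark, r["first_name"], r["last_name"], r["email"], "; ".join(r["reasons"]))
```

Three of the five constructed rows get flagged with a reason the reviewer can read; "John Doe" and the "asdad asdasd" row both come through clean, which is the "John Doe instead of qwerty" outcome post #7 predicts for any purely syntactic filter.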
