Broad Network


PHP Datetime Security Risks and Prevention Explained

Date and Time in PHP with Security Considerations - Part 5

Foreword: In this part of the series, I talk about PHP Datetime Security Risks and Prevention.

By: Chrysanthus Date Published: 19 Jan 2019

Introduction

This is part 5 of my series, Date and Time in PHP. In this part of the series, I talk about PHP Datetime Security Risks and Prevention. You should have read the previous parts of the series before reaching here, as this is the continuation.

Risks are weaknesses in PHP itself or in your own code as the programmer, which you may overlook and which attackers (hackers) would take advantage of.

The time() Function
The syntax is:

    int time ( void )

This function returns the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT).

Problem: Every call to the time() function will generate an E_NOTICE if the time zone is not valid, and/or an E_STRICT or E_WARNING message if it is relying on the system settings or the TZ environment variable. Prevention: Be careful how you use the function.

The mktime() Function
The syntax is:

    int mktime ([ int $hour = date("H") [, int $minute = date("i") [, int $second = date("s") [, int $month = date("n") [, int $day = date("j") [, int $year = date("Y") [, int $is_dst = -1 ]]]]]]] )

This function returns the Unix timestamp corresponding to the arguments given. This timestamp is a long integer containing the number of seconds between the Unix Epoch (January 1 1970 00:00:00 GMT) and the time specified. If the arguments are invalid, the function returns FALSE.

Arguments may be left out in order from right to left; any arguments thus omitted will be set to the current value according to the local date and time.

Problem: As of PHP 5.1, when called with no arguments, mktime() throws an E_STRICT notice. Prevention: Use the time() function instead.

Problem: Every call to the mktime() function will generate an E_NOTICE if the time zone is not valid, and/or an E_STRICT or E_WARNING message if it is relying on the system settings or the TZ environment variable. Prevention: Be careful how you use the function.

The date() Function
The syntax is:

    string date ( string $format [, int $timestamp = time() ] )

The function returns a string formatted according to the given format string using the given integer timestamp or the current time if no timestamp is given. In other words, timestamp is optional and defaults to the value of time(). date() returns a formatted date string. If a non-numeric value is used for timestamp, FALSE is returned and an E_WARNING level error is emitted.

Problem: Every call to a date/time function will generate an E_NOTICE if the time zone is not valid, and/or an E_STRICT or E_WARNING message if it is relying on the system settings or the TZ environment variable. Prevention: Be careful how you use the function.

Problem: Ordinary characters in the format string that are not preceded by a backslash are expanded according to their format meaning. What if you want the character itself and do not want it expanded? Prevention: You can prevent a recognized character in the format string from being expanded by escaping it with a preceding backslash. If the character together with its backslash already forms a special sequence, you may need to escape the backslash as well.

Note that you should also escape any other characters (those not in the formatting list): any that currently has a special meaning will produce undesirable results, and other characters may be assigned a meaning in future PHP versions. When escaping, be sure to use single quotes so that sequences like \n do not become newlines.
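The following script is an added example, not code from the original article, and brings the prevention steps above together: a valid time zone set explicitly, the escaping rules for literal text in a date() format string, and validation of an untrusted timestamp before it reaches date(). The formatRequestTimestamp() helper and the sample values are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Prevention for the time-zone notices discussed above: name a valid zone
// explicitly rather than relying on the system setting or the TZ variable.
// date_default_timezone_set() returns false for an unknown identifier, so
// the result is checked instead of being silently ignored.
if (!date_default_timezone_set('UTC')) {
    throw new RuntimeException('invalid time zone identifier');
}

// Constructed, fixed timestamp so the output does not depend on "now":
// 10:30:00 on 19 January 2019 (UTC, because of the call above).
$ts = mktime(10, 30, 0, 1, 19, 2019);

// 1. Unescaped letters are format codes. Every letter of "Today" and "is"
//    is expanded (T = zone abbreviation, o = ISO year, d = day, ...), so
//    the intended sentence is lost.
echo date("Today is l", $ts), "\n";

// 2. A backslash before each literal letter keeps it as text; only the
//    unescaped "l" (full weekday name) is expanded. Single quotes leave
//    the backslashes intact for date() to interpret.
echo date('\T\o\d\a\y \i\s l', $ts), "\n";

// 3. The same format in double quotes is not equivalent: PHP itself turns
//    "\t" into a tab and "\e" into an ESC byte before date() ever sees
//    the string, so the literal word "the" is corrupted. The single-quoted
//    form keeps "the day:" literal and expands only the weekday.
echo date("\t\h\e \d\a\y: l", $ts), "\n";
echo date('\t\h\e \d\a\y: l', $ts), "\n";

// 4. The timestamp is often user-controlled (e.g. a query parameter). A
//    non-numeric value is exactly the case the article warns about, so it
//    is validated as a non-negative integer before it reaches date() and
//    the raw string is never passed through. (Hypothetical helper, not a
//    PHP built-in.)
function formatRequestTimestamp(string $raw, string $format): ?string
{
    $ts = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($ts === false) {
        return null;   // reject instead of letting date() emit a warning
    }
    return date($format, $ts);
}

var_dump(formatRequestTimestamp('1547893800', 'Y-m-d H:i:s'));  // accepted
var_dump(formatRequestTimestamp('19 Jan 2019', 'Y-m-d H:i:s')); // rejected
```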

Week of Year
A week that overlaps two years belongs to the year that contains most of that week's days. Hence the week number for 1st January of a given year can be 53 if that week belongs to the previous year. date("W", mktime(0, 0, 0, 12, 8, $year)) always gives the correct number of weeks in $year.

That is it for this part of the series.

Chrys

