Building the Domain Name Availability class

For the sake of this article, let’s call this class “whois”.

class whois {

}

One of the first things we are going to add to our class is a list of the common TLD, which will include which whois server to use for each domain, and the associated text to search for if a domain is available or not. The array is named “$ext” which is short for extensions.

public $ext = array(
'.com' => array('whois.crsnic.net','No match for'),
'.net' => array('whois.crsnic.net','No match for'),
'.org' => array('whois.publicinterestregistry.net','NOT FOUND'),
'.us' => array('whois.nic.us','Not Found'),
'.biz' => array('whois.biz','Not found'),
'.info' => array('whois.afilias.net','NOT FOUND'),
'.eu' => array('whois.eurid.eu','FREE'),
'.mobi' => array('whois.dotmobiregistry.net', 'NOT FOUND'),
'.tv' => array('whois.nic.tv', 'No match for'),
'.in' => array('whois.inregistry.net', 'NOT FOUND'),
'.co.uk' => array('whois.nic.uk','No match'),
'.co.ug' => array('wawa.eahd.or.ug','No entries found'),
'.or.ug' => array('wawa.eahd.or.ug','No entries found'),
'.sg' => array('whois.nic.net.sg','NOMATCH'),
'.com.sg' => array('whois.nic.net.sg','NOMATCH'),
'.per.sg' => array('whois.nic.net.sg','NOMATCH'),
'.org.sg' => array('whois.nic.net.sg','NOMATCH'),
'.com.my' => array('whois.mynic.net.my','does not Exist in database'),
'.net.my' => array('whois.mynic.net.my','does not Exist in database'),
'.org.my' => array('whois.mynic.net.my','does not Exist in database'),
'.edu.my' => array('whois.mynic.net.my','does not Exist in database'),
'.my' => array('whois.mynic.net.my','does not Exist in database'),
'.nl' => array('whois.domain-registry.nl','not a registered domain'),
'.ro' => array('whois.rotld.ro','No entries found for the selected'),
'.com.au' => array('whois.ausregistry.net.au','No data Found'),
'.ca' => array('whois.cira.ca', 'AVAIL'),
'.org.uk' => array('whois.nic.uk','No match'),
'.name' => array('whois.nic.name','No match'),
'.ac.ug' => array('wawa.eahd.or.ug','No entries found'),
'.ne.ug' => array('wawa.eahd.or.ug','No entries found'),
'.sc.ug' => array('wawa.eahd.or.ug','No entries found'),
'.ws' => array('whois.website.ws','No Match'),
'.be' => array('whois.ripe.net','No entries'),
'.com.cn' => array('whois.cnnic.cn','no matching record'),
'.net.cn' => array('whois.cnnic.cn','no matching record'),
'.org.cn' => array('whois.cnnic.cn','no matching record'),
'.no' => array('whois.norid.no','no matches'),
'.se' => array('whois.nic-se.se','No data found'),
'.nu' => array('whois.nic.nu','NO MATCH for'),
'.com.tw' => array('whois.twnic.net','No such Domain Name'),
'.net.tw' => array('whois.twnic.net','No such Domain Name'),
'.org.tw' => array('whois.twnic.net','No such Domain Name'),
'.cc' => array('whois.nic.cc','No match'),
'.nl' => array('whois.domain-registry.nl','is free'),
'.pl' => array('whois.dns.pl','No information about'),
'.pt' => array('whois.dns.pt','No match')
);

We will also define our error variable that we will be using in this class.

public $error;

Building the Methods

Now that we have our class ready to go, and our list of domain name extensions and associated WHOIS servers, lets build the function to use this information to perform the domain name lookup.

function available($domain){
$domain = trim($domain);
if (eregi('^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?$',$domain) != 1){
$error = 'Invalid domain (Letters, numbers and hypens only) ('.$domain.')';
return false;
}
preg_match('@^(http://www\.|http://|www\.)?([^/]+)@i', $domain, $preg_metch_result);
$f_result = '';
$domain = $preg_metch_result[2];
$domain_name_array = explode('.', $domain);
$domain_domain = strtolower(trim($domain_name_array[count($domain_name_array)-1]));
$ext_in_list = false;

if (array_key_exists('.'.$domain_domain, $this->ext)){
$ext_in_list = true;
}

if(strlen($domain) > 0 && $ext_in_list){
$server = '';

$server = $this->ext['.' .$domain_domain][0];
$lookup_result = gethostbyname($server);

if ($lookup_result == $server){
$error = 'Error: Invalid extension - '.$domain_domain.'. / server has outgoing connections blocked to '.$server.'.';
return false;
}

$fs = fsockopen($server, 43,$errno,$errstr,10);
if (!$fs || ($errstr != "")){
$error = 'Error: ('.$server.') '.$errstr.' ('.$errno.')';
return false;
}

fputs($fs, "$domain\r\n");
while( !feof($fs) ) {
$f_result .= fgets($fs,128);
}

fclose($fs);

if($domain_domain == 'org'){
nl2br($f_result);
}

if(eregi($this->ext['.'.$domain_domain][1], $f_result)){
return true;
} else {
return false;
}

} else {
$error = 'Invalid Domain and/or TLD server entry does not exist';
}
return false;
}

Going through the method

I will explain each piece of this method in case you would like to know exactly what is going on.

  $domain = trim($domain);
if (eregi('^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?$',$domain) != 1){
$error = 'Invalid domain (Letters, numbers and hypens only) ('.$domain.')';
return false;
}

Here we are trimming excess whitespace from the domain, and checking to make sure that it conforms to standards. (Checking if the domain is in a valid format). If it is invalid, we give an error, and return false.

  preg_match('@^(http://www\.|http://|www\.)?([^/]+)@i', $domain, $preg_metch_result);
$f_result = '';
$domain = $preg_metch_result[2];
$domain_name_array = explode('.', $domain);
$domain_domain = strtolower(trim($domain_name_array[count($domain_name_array)-1]));
$ext_in_list = false;

if (array_key_exists('.'.$domain_domain, $this->ext)){
$ext_in_list = true;
}

In this block of code, we are splitting the domain name into it’s respective parts (domain, extension) and checking to see that the extension (TLD) is in the list that we defined earlier. We set a variable “$ext_in_list” to true if it is.

  if(strlen($domain) > 0 && $ext_in_list){

We make sure that the extension is in the list, and the domain is at least 1 character long.

  $server = '';
$server = $this->ext['.' .$domain_domain][0];
$lookup_result = gethostbyname($server);

if ($lookup_result == $server){
$error = 'Error: Invalid extension - '.$domain_domain.'. / server has outgoing connections blocked to '.$server.'.';
return false;
}

In this block of code, we get the corresponding WHOIS server from our predefined list, and get the IP address associated with that server. If the result of the IP lookup is false, we assume that the server is blocking our connection or that the extension is invalid. If not, we assume the lookup was successful and valid.

  $fs = fsockopen($server, 43,$errno,$errstr,10);
if (!$fs || ($errstr != "")){
$error = 'Error: ('.$server.') '.$errstr.' ('.$errno.')';
return false;
}

fputs($fs, "$domain\r\n");
while( !feof($fs) ) {
$f_result .= fgets($fs,128);
}

fclose($fs);

if($domain_domain == 'org'){
nl2br($f_result);
}

Here we open a new socket connection on port 43. If the connection fails, we handle the error, and return the method false. If it succeeds, we continue to retrieve result from the socket connection. Once the result is retrieve, we close the connection, and preform some formatting on the results should the domain name be a “.org”.

  if(eregi($this->ext['.'.$domain_domain][1], $f_result)){
return true;
} else {
return false;
}

} else {
$error = 'Invalid Domain and/or TLD server entry does not exist';
}
return false;
}

The last block of code will check our extension array defined earlier to see if the result matches the text provided for that specified extension. If the there is a match, we return true, otherwise, we return false.

Putting it all together

Now that we know how the class and method works, lets put it all together, and give an example on how to use it in your script.

class whois {

public $ext = array(
'.com' => array('whois.crsnic.net','No match for'),
'.net' => array('whois.crsnic.net','No match for'),
'.org' => array('whois.publicinterestregistry.net','NOT FOUND'),
'.us' => array('whois.nic.us','Not Found'),
'.biz' => array('whois.biz','Not found'),
'.info' => array('whois.afilias.net','NOT FOUND'),
'.eu' => array('whois.eurid.eu','FREE'),
'.mobi' => array('whois.dotmobiregistry.net', 'NOT FOUND'),
'.tv' => array('whois.nic.tv', 'No match for'),
'.in' => array('whois.inregistry.net', 'NOT FOUND'),
'.co.uk' => array('whois.nic.uk','No match'),
'.co.ug' => array('wawa.eahd.or.ug','No entries found'),
'.or.ug' => array('wawa.eahd.or.ug','No entries found'),
'.sg' => array('whois.nic.net.sg','NOMATCH'),
'.com.sg' => array('whois.nic.net.sg','NOMATCH'),
'.per.sg' => array('whois.nic.net.sg','NOMATCH'),
'.org.sg' => array('whois.nic.net.sg','NOMATCH'),
'.com.my' => array('whois.mynic.net.my','does not Exist in database'),
'.net.my' => array('whois.mynic.net.my','does not Exist in database'),
'.org.my' => array('whois.mynic.net.my','does not Exist in database'),
'.edu.my' => array('whois.mynic.net.my','does not Exist in database'),
'.my' => array('whois.mynic.net.my','does not Exist in database'),
'.nl' => array('whois.domain-registry.nl','not a registered domain'),
'.ro' => array('whois.rotld.ro','No entries found for the selected'),
'.com.au' => array('whois.ausregistry.net.au','No data Found'),
'.ca' => array('whois.cira.ca', 'AVAIL'),
'.org.uk' => array('whois.nic.uk','No match'),
'.name' => array('whois.nic.name','No match'),
'.ac.ug' => array('wawa.eahd.or.ug','No entries found'),
'.ne.ug' => array('wawa.eahd.or.ug','No entries found'),
'.sc.ug' => array('wawa.eahd.or.ug','No entries found'),
'.ws' => array('whois.website.ws','No Match'),
'.be' => array('whois.ripe.net','No entries'),
'.com.cn' => array('whois.cnnic.cn','no matching record'),
'.net.cn' => array('whois.cnnic.cn','no matching record'),
'.org.cn' => array('whois.cnnic.cn','no matching record'),
'.no' => array('whois.norid.no','no matches'),
'.se' => array('whois.nic-se.se','No data found'),
'.nu' => array('whois.nic.nu','NO MATCH for'),
'.com.tw' => array('whois.twnic.net','No such Domain Name'),
'.net.tw' => array('whois.twnic.net','No such Domain Name'),
'.org.tw' => array('whois.twnic.net','No such Domain Name'),
'.cc' => array('whois.nic.cc','No match'),
'.nl' => array('whois.domain-registry.nl','is free'),
'.pl' => array('whois.dns.pl','No information about'),
'.pt' => array('whois.dns.pt','No match')
);

public $error;

function available($domain){
$domain = trim($domain);
if (eregi('^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?$',$domain) != 1){
$error = 'Invalid domain (Letters, numbers and hypens only) ('.$domain.')';
return false;
}
preg_match('@^(http://www\.|http://|www\.)?([^/]+)@i', $domain, $preg_metch_result);
$f_result = '';
$domain = $preg_metch_result[2];
$domain_name_array = explode('.', $domain);
$domain_domain = strtolower(trim($domain_name_array[count($domain_name_array)-1]));
$ext_in_list = false;

if (array_key_exists('.'.$domain_domain, $this->ext)){
$ext_in_list = true;
}

if(strlen($domain) > 0 && $ext_in_list){
$server = '';
$server = $this->ext['.' .$domain_domain][0];
$lookup_result = gethostbyname($server);

if ($lookup_result == $server){
$error = 'Error: Invalid extension - '.$domain_domain.'. / server has outgoing connections blocked to '.$server.'.';
return false;
}

$fs = fsockopen($server, 43,$errno,$errstr,10);

if (!$fs || ($errstr != "")){
$error = 'Error: ('.$server.') '.$errstr.' ('.$errno.')';
return false;
}

fputs($fs, "$domain\r\n");
while( !feof($fs) ) {
$f_result .= fgets($fs,128);
}

fclose($fs);

if($domain_domain == 'org'){
nl2br($f_result);
}

if(eregi($this->ext['.'.$domain_domain][1], $f_result)){
return true;
} else {
return false;
}

} else {
$error = 'Invalid Domain and/or TLD server entry does not exist';
}
return false;
}

}

Using the Domain Availability class

The use of this class is very straight forward. We first initialize a new instance of our WHOIS class, and then pass the domain name through our availability method.

$domain = 'soaptray.com';

$whois = new whois;
$result = $whois->available($domain);

switch($result){
case true: echo 'Domain is available'; break;
case false: echo 'Domain is already registered'; break;
}

There you have it! Let me know if you find a good use for this class in one of your projects! Good luck and happy coding.

Download this class

The working PHP file for this article can be downloaded here.

What is XSS or Cross-site Scripting?

XSS is a method in which malicious users can inject client side scripts into web applications to gain information, bypass user authentication controls and other such things. This is a vulnerability that I see too often because people are trusting user input data - this is something that can be easily avoided using some simple filtering steps.

Filtering incoming data

There are many aspects of filtering - or sanitizing - that you must consider when accepting user generated input (think forms, profiles, contact us). For the purpose of this article, I will be placing the individual filters as methods of a class, that is loaded only when we need to deal with filtering data. This method of doing things is efficient, and uses OOP or Object Oriented Programming techniques (another article on that one later!).

Building the filter class

I have chosen to use a custom filter class, rather then available extensions, simply because I like to tune each class for the project I am working with - this reduces the amount of code that is being loaded and used.

Using a class may be new to some programmers, but let me assure you that it is well worth it in the end for a number of reasons (mainly scalability, code re-use and ease of changes/updates). A class is comprised of many different methods (which act very similar to functions). I will write another article on classes, but for some more information on the basics of classes, you can take a look at the php.net introduction to classes and objects.

First, let’s start by building a basic class as an include that we will load when needed. Let’s name this file [ class-filter.php ]

class-filter.php

<?php

class filter {

}

?>

Now that we have our class defined, let’s add some methods (functions) to it to filter various types of information.

class-filter.php (continued)

<?php

class filter {

	// Removes all whitespace from a string, including whitespace that isn't trailing or leading
	public function whitespace($str){
		retrun preg_replace('/\s\s+/',' ', $str);
	}

	// Removes characters not valid in an e-mail address
	public function email($email){
		return strtolower(preg_replace('/[^a-z0-9+_.@-]/i','',$email));
	}

	// Removes tags, whitespace
	public function text($str){
		// Ensure it's a string
		$str = strval($str);
		// We strip all html tags
		$str = strip_tags($str);
		// Remove any whitespace using
		// the define method above
		$str = $this->whitespace($str);
		return $str;
	}

}

?>

This list can go on for a while, and get quite specific depending on what type of information you wish to filter. I use a much more complicated version in many of my projects that include e-mail validation, verification and more (I would be happy to share some of these with anyone interested - just drop me a comment).

I encourage you all to add project specific methods (functions) to your filter class.

Now that we have our filter class ready, let’s open up our main project file [ index.php ] and include our class file, then initiate the class into an object that we can use to filter data.

index.php

<?php

// We first include our class
include 'class-filter.php';

// And then we initiate the class (filter) as an object ($filter)
$filter = new filter();

?>

That’s it, we are now ready to start filtering data! Let’s say that we have a form posting to [ index.php ] with several different user values - take a look at the blow example to show you how to filter them.

index.php (continued)

<?php

// We first include our class
include 'class-filter.php';

// And then we initiate the class (filter) as an object ($filter)
$filter = new filter();

// Let's say they are posting the following from a form:
// $_POST['name'] = 'Regan Johnson<? die("Muahaha"); ?>';
// $_POST['age'] = "23.554";
// $_POST['email'] = 'random spaces %%+symbols@ domain.com';

$name = $filter->text($_POST['name']);
$age = intval($_POST['age']);
$email = $filter->email($_POST['email']);

echo "Hello, my name is $name.";
echo "I am $age years old.";
echo "My e-mail address is $email.";

// Hello, my name is Regan Johnson.
// I am 23 years old.
// My e-mail address is randomspaces+symbols@domain.com.

?>

From the above example, you can see that the data is filtered from potentially malicious scripts (XSS) breaking data to harmless data that is expected by (and works with) your program.

Now that the data is not harmful, the next step is to check for errors. An example of error checking for an e-mail address can be seen in my previous article,
Validate e-mail addresses using PHP and DNS.

Finally, you will want to enter the data into your database, or use it as you would like in your web application. I will be completing an article soon on MySQL security, and simple ways to prevent what is known as a MySQL Injection Attack - I will link it here when it’s finished.

Thanks for reading my article about filtering forms and incoming data in PHP. I would love to hear some methods that you use in your filtering process - please leave a comment below. As always, if you enjoy my articles please subscribe to my RSS Feed.

When building new scripts or applications, I am always looking for new ways to increase security and the quality of my user generated content (such as member profiles, posts, comments, etc). There is nothing more frustrating than having an excellent web application that is littered with spam.

The process I use to determine if an e-mail address is legitimate

There are a few steps in the process that I use to validate an e-mail address which, together, are built for speed and accuracy. I encourage you to decide which steps you would like to use in your script, as they can also be used separate from each other.

Before we get started, I wanted to note that these functions are not intended to be comprehensive, as we are only checking the domain for MX records, and not the individual e-mail on that domain (which is a bit more complicated then the intentions of this tutorial). With that being said these functions will help narrow down the verification process significantly!

Filter improperly formatted e-mail addresses

This step is a good, quick brush to make sure that the e-mail address is in the proper format. I recommend including this step at a minimum - using PHP’s built in RegEx function, preg_match.

The function

function verify_email($email){

    if(!preg_match('/^[_A-z0-9-]+((\.|\+)[_A-z0-9-]+)*@[A-z0-9-]+(\.[A-z0-9-]+)*(\.[A-z]{2,4})$/',$email)){
        return false;
    } else {
        return $email;
    }
}

Because this article is not about regular expression, I am only going to provide a brief explanation about what’s going on here. Basically, you would call this function (example below) passing in an e-mail address whose format you wish to validate. The regular expression checks that the proper parts of an e-mail address are in the correct places, contain the correct characters, and are the correct lengths - if the e-mail is not formatted correctly, it will return false.

How to use it

$email = 'test@domain.com';

if(verify_email($email)){
    echo 'Success - E-mail address appears to be valid';
} else {
    echo 'Error - E-mail address appears to be invalid';
}

// sdasda@asdasd.com - true
// asdasd$%@.faa.ca.ds - false

While this function will flag some blatant examples of spam, you will notice that some pretty spammy looking e-mails will make it past this step which isn’t all that great But don’t worry, we actually test the domain in the following step.

Check the DNS of the e-mail’s domain to make sure it has a proper MX Record

For those of you who don’t know, and MX Record is a piece of data on a domain name that tells other computers and servers what to do when someone sends an e-mail address to that domain. By checking to see if an MX Record exists using PHP, we are taking the e-mail verification one step farther - a check that the domain actually exists and it’s able to host e-mail boxes. We will accomplish this using another one of PHP’s built in functions, checkdnsrr.

The function

function verify_email_dns($email){

    // This will split the email into its front
    // and back (the domain) portions
    list($name, $domain) = split('@',$email);

    if(!checkdnsrr($domain,'MX')){

        // No MX record found
        return false;

    } else {

        // MX record found, return email
        return $email;

    }
}

When using this function, PHP will send a call to the domain of the e-mail address you are attempting to validate, and check its MX records. If they are present and valid, it will return true, otherwise it will return false - simple as that!

How to use it

$email = 'test@domain.com';

if(verify_email_dns($email)){
    echo 'Success - E-mail has a valid MX record';
} else {
    echo 'Error - E-mail does not have an MX record';
}

// omg@omgomgomgeh.com - false
// steve@apple.com - true

Putting it all together

Now that we have our functions, and some working examples, let’s put it all together to be one badass e-mail validation function.

Example

$email = 'test@domain.com';

if(verify_email($email)){

    // E-mail address looks to be in the proper format
    // lets check the MX records

    if(verify_email_dns($email)){

        // E-mail passed both checks
        echo 'Success - E-mail address appears to be valid.';

    } else {

        // E-mail is invalid, no MC record
        echo 'Error - E-mail domain does not have an MX record.';

    }

} else {

    // E-mail inst formatted correctly
    // so we don't even check its MX record
    echo 'Error - E-mail address appears to be invalid.';

}

// Our function to filter our bogus formatted addresses
function verify_email($email){

    if(!preg_match('/^[_A-z0-9-]+((\.|\+)[_A-z0-9-]+)*@[A-z0-9-]+(\.[A-z0-9-]+)*(\.[A-z]{2,4})$/',$email)){
        return false;
    } else {
        return $email;
    }
}

// Our function to verify the MX records
function verify_email_dns($email){

    // This will split the email into its front
    // and back (the domain) portions
    list($name, $domain) = split('@',$email);

    if(!checkdnsrr($domain,'MX')){

        // No MX record found
        return false;

    } else {

        // MX record found, return email
        return $email;

    }
}

There you have it folks! A nifty little function to help keep your user base clean, and spam free! It’s important to note that the lookup of a domain names MX Record in this manner is currently only supported on Unix based systems - Sorry Windows.

Extend it into your own projects

This post is a start to integrating and building these functions into your own projects. For example, On some personal projects, I have taken these functions even farther. Because the MX Record checks takes a second or two to complete, I developed a system to cache results that come back as positive in a database for quick access of common domain names.

Have fun experimenting! As always, if you have any questions, I would love to hear them, and will do my best to help you out!

Update

I changed the verify_email() function above to use preg_match instead of eregi for the regular expression. This method is much faster. Someone pointed out to me that the regex was not updated for allowing “+” within the address, something that is starting to catch on. I have made the changes, and tested things out. Thanks for pointing this out to me.

Let me introduce myself, so that we are no longer strangers.

My name is Regan Johnson - a 22 year old bloke from Calgary, Alberta, Canada - it’s nice to meet you! I’m a creative web developer with a savvy blend of skills within my profession - a mix which is unique - programming, design & marketing.

My mentor taught me much of what I know today, and I owe many of my successes in this industry to him. Because of his selflessness, and the effect it has had on me, I feel compelled to share what I know with others in hopes of returning the favor. If your interested, learn more about me.

I bet a lot of you are wondering what a crazy name like “soaptray” means.

The name is something catchy, unique, and easy to brand. Soaptray Inc. is the name of my creative design studio here in Calgary. I have a handful of excellent clients, and I love my job (if you can even call it that). Soaptray is also a place to share and organize my ideas. Since you are reading this post, I don’t think it needs any more introduction.

Thanks for checking out my new home on the net, and I look forward to meeting some great people along the way. Why not introduce yourself and leave me a comment below?