Before you start flaming or anything at all, READ THIS!
I have a regular expression verifying the format of a phone number entered in a form is correct.
NOW what I am hoping to find is IF someone knows a way to verify if that number exists...so if the number doesnt exist and the user enters it, user will get an error message phone number does not exist and they will be prompted to enter a WORKINg phone number....
I have looked ALL over the seas of google but could not find a phone number validator not a format checker like regex...
This is my last hope..
In order to check if a phone number really exists (and belongs to the user who's filling your form), I see only one solution : try to communicate with that phone.
What's generally done is sending an SMS with a validation code to the phone number -- and ask the user to type that code once he has received the SMS.
This way, you'll be sure that :
The phone number exists,
And belongs to the current user.
Of course, make sure you put some security measure in place, to prevent anyone from using your form to spam some number :
Make sure one user cannot send more than X SMS per hour/day,
Make sure no more than 2 or 3 SMS can be sent to the same number per day/week
The short answer is no. You would need access to a database containing all the world's phone numbers - a sort of combined affair from the big providers. Having said that you could set up a system whereby you actually phone the number automatically and ask the user to enter a code. This would require a lot of set-up and would cost a fair bit. That is the only way you could do such a thing.
For mobile numbers you could also use SMS and require a reply.
Maybe MaxMind can help you : http://www.maxmind.com/app/telephone_overview
It provides a nice API, but its not free.
Related
I am building a cross-platform app and using PHP and MySQLi. Users sign up with either their Facebook account or phone number. If they choose phone number, they enter their number and an SMS is sent containing the verification code. The user enters the code and an API token is sent back to be used across the API requests. Tinder (for example) is this way.
I am considering Twilio for the verification.
My issue comes down to the security of this login process. Can a malicious user just rapid-fire the login request that creates a verification code over and over again... sending plenty of SMS and costing me a fortune on my Twilio account? Should I only allow so many attempts? Can a bot just eventually guess the code?
What is the security behind Tinder's API?
things to consider:
1- limit request per phone number
2- limit request per user (by ip)
3- use captcha (only after second attempts to keep your app user friendly)
4- use honeypots
"can a bot guess the code?"
verification codes should have a time constraint. after like 2 mins they should be invalid. time constraint and request limiting should make it very very unlikely for a bot to guess the code.
if you are using laravel it already have rate limiting middleware (limit by ip).
Twilio developer evangelist here.
I agree with all the things that Shalior says in their answer, so I'm not going to reiterate that.
What I wanted to share was this article on falsehoods programmers believe about phone numbers. It is a good reminder that phone numbers don't necessarily uniquely define a user, and worth keeping in mind if this is your intention for a passwordless login.
I'm implementing a mobile registration system in PHP where by the user can register with their mobile number. They can also log in with that number and receive SMS notices/verification etc.
Let me explain the system before moving onto the problem as its easier to explain that way.
My current system works like this:
User signs up with 07733333333
Phone number is converted to E164 format and stored as +44773333333
SMS validation is sent
This works great and ensures the user can't sign up twice with the same number. It's also the format our SMS service provider requires.
The way I convert to E164 is using Google's LibPhoneNumber library. It requires a country code to convert the number so I take that from the IP address. The user is able to change the country code if our guess is wrong. On the page after registration they will see a page that says "We've sent an SMS to this number: +44773333333". The user can change this number/country code at this point.
The problem arises when logging in.
If a user logs in with +44773333333 it's easy to grab this from the database. It's already stored in this format.
But, if they log in with 0773333333 I need to make a guess at what region that mobile number is to convert it to E164 format to run the query. There is no way I can query this number in the database because it doesn't exist in that form. I can guess that it's +44 from the IP address but this is unreliable. What if the user is on holiday? Or using a VPN? That guess can't be made.
What is the best way to handle this?
My only thought is to have two fields in the database. One is national_mobile_number and the other is e164_mobile_number. That way I can query either fields to see if the numbers match. I don't know what impact this would have on performance with many users (500,000+).
My problem is this:
I have a survey that is taken by people that they're paid for. I want to avoid the same person submitting the form multiple times. It is a web application.
What I have tried:
I have tried recognizing the IP address from which they try to submit the survey but it hasn't worked.(They could just change devices and so, IP changes) I could try 2FA (where I authenticate using SMS/Voice to phone numbers) but free phone services like Google Voice/Twilio will render that useless. Using a SHA/MD5 hash on a combined key such as phone number and email address still faces the same multiple emails/phone numbers problem. Uber has recently covered up its tracks and devised a way (or a partnership) to recognize Google Voice Numbers. I have gone through the Google Voice API and haven't found a way to find the actual phone number linked to the Voice number.
Is there any full-proof way of doing this?
PS: I am NOT talking about multiple form submissions on a form (say a ecommerce website) which causes multiple charges to a credit card. Please do NOT suggest CAPTCHA.
I am working on an educational website in PHP Condeigniter. The project includes an option where students can sent private messages to tutors and vice versa but they are not allowed to share their contact details with each other, like phone number, skype id, home address, email etc. Is there any way in which I can control this? For example, if a user writes his phone number like 12345677, the algorithm should automatically replace it with xxxxxxxx so that the other user should not be able to view the number..
You can attempt to censor some of the text patterns with regular expressions but don't expect to get 100% of them. I don't think you can reliably censor things like skype IDs and addresses.
Also note that if they'll really want to share contact information they are going to find a way to get around your filters.
I am using the Esendex Rest API http://developers.esendex.com/APIs/REST-API/inbox and I am trying to get all the messages in the inbox from a particular phone number.
This is basically so if I do a send out of SMS's and someone replies I am able to retrieve the reply.
I can currently get all the messages in the inbox into an array and sort them, but this is too slow with over 4000 messages.
Does anyone know if I can filter by phone number, or at least date-received in my API requests? Even if I could get the last weeks worth of SMS's.
You can try to use the conversation API if you want to filter by a phone number. The drawback is that you can get only the latest 15 messages, also that there is no reliable way to detect if a reply has been received from a phone number other than the inbox API. Apart from this I wasn't able to find anything that can help you. Their API is very restrictive and minimal.
There's currently no way to do this via the REST API but I'll see if we can add it over the next couple of weeks (I work for Esendex). As you note the functionality already exists in the Conversations API albeit in a more minimal form.
In the meantime you could achieve this by checking all messages that arrive either by polling the Inbox or using Push Notifications.