Don’t Date Me – The Daily WTF

I remember in some intro-level compsci class learning that credit card numbers were checksummed, and writing basic functions to validate those checksums as an exercise. I was young and was still using my “starter” credit card with a whopping limit of $500, so that was all news to me.

Alex’s company had a problem processing credit cards: they rejected a lot of credit cards as being invalid. The checksum code seemed to be working fine, so what could the problem be? Well, the problem became more obvious when someone’s card worked one day, and stopped working the very next day, and they just so happened to be the first and last day of the month.

    protected function validateExpirationCcDate($i_year, $i_month) {
        return (((int)strftime('%y') <= $i_year) && ((int)strftime ('%m') <= $i_month))? true : false;
    }

This function is horrible; because it uses strftime (instead of taking the comparison date and time as a parameter) it’s not unit-testable. We’re (ab)using casts to convert strings into integers so we can do our comparison. We’re using a ternary to return a boolean value instead of just returning the result of the boolean expression.

But of course, that’s all the amuse bouche: the main course is the complete misunderstanding of basic logic. According to this code, a credit card is valid if the expiration year is less than or equal to the current year and the month is less than or equal to the current month. As this article goes live in March, 2025, this code would allow credit cards from April, 2026, as it should. But it would reject any cards with an expiration of February, 2028.
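The failure is easier to see with the clock injected. The following is an added example, not code from Alex's company or the original article: `buggyIsValid` and `isCardUnexpired` are hypothetical names, two-digit years are assumed to mean 20yy, and a card is assumed usable through the last day of its expiration month.

```php
<?php
declare(strict_types=1);

// The original logic with "now" passed in so it can be exercised:
// year and month are compared independently, which is the bug.
function buggyIsValid(int $expYear, int $expMonth, DateTimeImmutable $now): bool
{
    return (int)$now->format('y') <= $expYear
        && (int)$now->format('n') <= $expMonth;
}

// Corrected check: fold (year, month) into one ordered value and compare once.
function isCardUnexpired(int $expYear, int $expMonth, DateTimeImmutable $now): bool
{
    if ($expMonth < 1 || $expMonth > 12 || $expYear < 0 || $expYear > 99) {
        return false; // malformed input is never treated as valid
    }
    // Assumption: a two-digit expiration year means 20yy.
    $expiry  = (2000 + $expYear) * 12 + $expMonth;
    $current = (int)$now->format('Y') * 12 + (int)$now->format('n');
    return $current <= $expiry;
}

// Constructed sample cases, evaluated as of March 2025 like the article.
$now   = new DateTimeImmutable('2025-03-15');
$cases = [[26, 4], [28, 2], [25, 3], [25, 2], [24, 12]]; // [yy, mm]

foreach ($cases as [$y, $m]) {
    printf(
        "%02d/%02d buggy=%s fixed=%s\n",
        $m,
        $y,
        var_export(buggyIsValid($y, $m, $now), true),
        var_export(isCardUnexpired($y, $m, $now), true)
    );
}
```

The two functions disagree only on cards whose expiration month number is lower than the current month in a later year, which is why the rejections appeared to come and go at month boundaries.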

Per Alex, “This is a credit card date validation that has been in use for ages.”

Category: CodeSOD, software