
PHP Server Side Scripting Forum

    
Cleaning all Inputs
LinusIT




msg:4365036
 11:27 pm on Sep 20, 2011 (gmt 0)

I'm looking for a secure way of cleaning all inputs on my site. I have a function that works but it's long winded, I'm hoping there's a way of doing for each $_POST.

Here's what I've for at the minute:

function clean($str) {
    // trim surrounding whitespace (the @ suppresses notices on non-string input)
    $str = @trim($str);
    // undo magic_quotes so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    // escape for use inside a MySQL string literal (needs an open connection)
    return mysql_real_escape_string($str);
}


and then after that I use:

$post1 = clean($_POST['post1']);
$post2 = clean($_POST['post2']);
$post3 = clean($_POST['post3']);
$post4 = clean($_POST['post4']);


If there's an easier way to do this I'd love to use it.

 

rocknbil




msg:4365428
 4:44 pm on Sep 21, 2011 (gmt 0)

For starters, you can modify the $_POST variables directly. No need to store them in new variables, all this does is take up more memory and makes for more programming work.

foreach ($_POST as $key => $value) {
    $_POST[$key] = clean($value);
}

The only real down side of that is you'd need to "undo" the alterations if you want to display the post variables on a page afterward. They\'d <- probably look like that. :-) In that case,

$qs = array();
foreach ($_POST as $key => $value) {
    $qs[$key] = clean($value);
}

... and use $qs from that point forward.



A few things about your clean routine: it will **only** work if you've previously opened a mySQL connection (mysql_real_escape_string) and appears to do some basic database cleansing but doesn't really "cleanse" the data for other types of attacks. But it's a good start.

jbroder




msg:4365534
 7:51 pm on Sep 21, 2011 (gmt 0)


To prevent sql injection and xss attacks, you might add something like this:

$str = strip_tags($str);
$str = preg_replace("/[':&#()]/","",$str);

It is probably not a complete list, but it's a start. I'd love to see somebody tell me how to improve it.
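The following is an added example, not code posted in this thread, contrasting the character-stripping approach above with escaping for the context the data ends up in (a prepared statement for SQL, htmlspecialchars for HTML). It uses an in-memory SQLite database through PDO so it runs offline; the `people` table, its columns and the sample strings are constructed for the demo and are not from the thread.

```php
<?php
// Added example: context-specific escaping instead of stripping characters.
// Runs against an in-memory SQLite database; table/column names are made up.

/**
 * Stripping in the style of the post above: removes ' : & # ( ) and tags.
 * Included only to show what it does to legitimate input.
 */
function strip_clean(string $str): string {
    $str = strip_tags($str);
    return preg_replace("/[':&#()]/", "", $str);
}

/** Escape for an HTML text node or a double-quoted attribute. */
function html_out(string $str): string {
    return htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Store a name via a prepared statement: the value is bound, never concatenated into SQL. */
function save_name(PDO $db, string $name): int {
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

/** Read a name back by id, or null if the row does not exist. */
function load_name(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT name FROM people WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample inputs: one legitimate, one containing SQL and HTML syntax.
$inputs = [
    "O'Brien & Sons (Ltd) #1",
    "O'Reilly' OR 1=1 -- <b>not bold</b>",
];

foreach ($inputs as $raw) {
    $id     = save_name($db, $raw);     // stored byte-for-byte, no injection
    $stored = load_name($db, $id);
    printf("raw:      %s\n", $raw);
    printf("stripped: %s\n", strip_clean($raw)); // legitimate data is mangled
    printf("stored:   %s\n", $stored);
    printf("html:     %s\n\n", html_out($stored)); // safe to echo into a page
}

// The statement text was fixed before the value was bound, so the second
// input is just a row in the table rather than part of the query.
$count = $db->query('SELECT COUNT(*) FROM people')->fetchColumn();
echo "rows in people: $count\n";
```

The point of the contrast: stripping characters throws away data the user legitimately typed and still leaves every other context (JavaScript strings, URLs, shell arguments) unprotected, whereas binding the value and encoding it at output time keeps the original text intact and makes the query structure independent of its content.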

LinusIT




msg:4365622
 10:21 pm on Sep 21, 2011 (gmt 0)

You've knocked it on the head there jbroder: "improve it". That's exactly what I'm looking for. I've read loads of articles but none seem to be conclusive.

Does anybody know of a function pre written that covers all bases?

Dinkar




msg:4365742
 7:02 am on Sep 22, 2011 (gmt 0)

I found this on the net: htmlpurifier

I never tried it, so I don't know if it's good or bad. You may try and let us know.

Oxidiser




msg:4365753
 7:35 am on Sep 22, 2011 (gmt 0)

How about something like this? This recursively sanitizes variables. Useful for multidimensional arrays like, for example, $_REQUEST, $_POST and $_GET.


// Note:
// A MySQL connection is required before using mysql_real_escape_string(),
// otherwise an error of level E_WARNING is generated and FALSE is returned.
// If link_identifier isn't defined, the last MySQL connection is used.
/**
 * Filters variable to make it safe for insertion into a query.
 * Will filter strings and arrays (recursively).
 *
 * @param mixed $input
 * @param boolean $filterHtml = true Should html and php tags be stripped from the input?
 * @return mixed
 */
function sqlescape($input, $filterHtml = true) {
    if (!is_array($input)) {
        if ($filterHtml) {
            return mysql_real_escape_string(strip_tags($input));
        } else {
            return mysql_real_escape_string($input);
        }
    } else {
        foreach ($input as $key => $value) {
            $input[$key] = sqlescape($value, $filterHtml);
        }
        return $input;
    }
}

topr8




msg:4365759
 8:15 am on Sep 22, 2011 (gmt 0)

>>Does anybody know of a function pre written that covers all bases?

no, to be really safe you should customise your 'cleaning' functions to suit each input...

if you expect an integer then test for an integer.
if you expect a month in the format 01-12 then test for that.
if you expect a text field with a maximum of 64 characters make sure you also test for a string with maximum length of 64.
ensure you only allow the characters that you want (eg you might want to disallow html for many good reasons)

what rocknbil said is a good shortcut although i always do something like:
$clean_post1 = clean($_POST['post1']);

this way i never accidentally use a variable for a database insert that hasn't already been cleaned. (using an array like Oxidiser said also makes sense)

it is more long winded to test the data properly, but if you don't you are building up trouble for the future one way or another - even if just from having wrong data inserted into your database fields
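An added example, not code from this thread, that puts the per-field checks listed in the post above (an integer, a month in the format 01-12, a text field of at most 64 characters, an allowed-character set) into a schema and walks the input recursively in the spirit of Oxidiser's sanitizer, dropping any key the schema does not name. The field names, the schema and the `$input` array standing in for `$_POST` are constructed for the demo.

```php
<?php
// Added example: schema-driven, per-field validation applied recursively.
// Field names, rules and the sample input are made up for this demo.

/**
 * Validate one scalar against a rule.
 * Returns [cleanValue, null] on success or [null, errorMessage] on failure.
 */
function validate_field($value, array $rule): array {
    if (!is_string($value) && !is_int($value)) {
        return [null, 'unexpected type'];
    }
    $value = trim((string) $value);
    switch ($rule['type']) {
        case 'int':
            $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => [
                'min_range' => $rule['min'] ?? PHP_INT_MIN,
                'max_range' => $rule['max'] ?? PHP_INT_MAX,
            ]]);
            return $n === false ? [null, 'not an integer in range'] : [$n, null];
        case 'month':
            // exactly two digits in the range 01-12
            return preg_match('/^(0[1-9]|1[0-2])$/', $value)
                ? [$value, null] : [null, 'not a month 01-12'];
        case 'text':
            if (mb_strlen($value, 'UTF-8') > $rule['max_len']) {
                return [null, 'longer than ' . $rule['max_len'] . ' characters'];
            }
            // allow only the characters this field is supposed to contain
            if (!preg_match($rule['allowed'], $value)) {
                return [null, 'contains disallowed characters'];
            }
            return [$value, null];
        default:
            return [null, 'unknown rule type'];
    }
}

/**
 * Walk $input against $schema. Keys absent from the schema are dropped
 * (accept only what you want); rules with 'fields' recurse into nested arrays.
 * Returns ['clean' => [...], 'errors' => ['dotted.path' => 'message']].
 */
function validate_input(array $input, array $schema, string $path = ''): array {
    $clean  = [];
    $errors = [];
    foreach ($schema as $key => $rule) {
        $here = $path === '' ? (string) $key : "$path.$key";
        if (!array_key_exists($key, $input)) {
            $errors[$here] = 'missing';
            continue;
        }
        if (isset($rule['fields'])) {            // nested group of fields
            if (!is_array($input[$key])) {
                $errors[$here] = 'expected an array';
                continue;
            }
            $sub = validate_input($input[$key], $rule['fields'], $here);
            $clean[$key] = $sub['clean'];
            $errors += $sub['errors'];
            continue;
        }
        [$val, $err] = validate_field($input[$key], $rule);
        if ($err !== null) {
            $errors[$here] = $err;
        } else {
            $clean[$key] = $val;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed schema: one rule per field the form is expected to send.
$schema = [
    'quantity' => ['type' => 'int', 'min' => 1, 'max' => 999],
    'month'    => ['type' => 'month'],
    'title'    => ['type' => 'text', 'max_len' => 64,
                   'allowed' => "/^[\\p{L}\\p{N} .,'-]*$/u"],
    'address'  => ['fields' => [
        'city' => ['type' => 'text', 'max_len' => 64, 'allowed' => "/^[\\p{L} '-]*$/u"],
        'zip'  => ['type' => 'text', 'max_len' => 10, 'allowed' => '/^[0-9 -]*$/'],
    ]],
];

// Constructed stand-in for $_POST, including a key the form never sends.
$input = [
    'quantity' => '12',
    'month'    => '13',
    'title'    => 'Annual report <script>',
    'address'  => ['city' => 'Saint-Étienne', 'zip' => '42000'],
    'is_admin' => '1',
];

print_r(validate_input($input, $schema));
```

With this input the result carries `quantity` as the integer 12 and the nested address, reports `month` and `title` as errors, and silently drops `is_admin`; whatever survives into `clean` is still bound with a prepared statement when it reaches the database and encoded with htmlspecialchars when it reaches a page, since validation decides what the data may be, not how it is represented in each output context.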

rocknbil




msg:4365919
 4:12 pm on Sep 22, 2011 (gmt 0)

^ ^ Precisely, "it depends" on what the input is. "Every user input is a potential hack" and "Accept only what you want and throw everything else away" - Selena Sol
