
Cleaning all Inputs

11:27 pm on Sep 20, 2011 (gmt 0)



I'm looking for a secure way of cleaning all inputs on my site. I have a function that works but it's long-winded, I'm hoping there's a way of doing it for each $_POST.

Here's what I've got at the minute:

function clean($str) {
    $str = @trim($str);
    // Undo the escaping PHP adds automatically when magic_quotes_gpc is on,
    // so the value is not escaped twice below.
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    // Escape for use inside a MySQL query string; needs an open mysql connection.
    return mysql_real_escape_string($str);
}


and then after that I use:

$post1 = clean($_POST['post1']);
$post2 = clean($_POST['post2']);
$post3 = clean($_POST['post3']);
$post4 = clean($_POST['post4']);


If there's an easier way to do this I'd love to use it.
4:44 pm on Sept 21, 2011 (gmt 0)

rocknbil (Senior Member)


For starters, you can modify the $_POST variables directly. No need to store them in new variables; all this does is take up more memory and make for more programming work.

foreach ($_POST as $key => $value) {
    $_POST[$key] = clean($value);
}

The only real downside of that is you'd need to "undo" the alterations if you want to display the post variables on a page afterward. They\'d <- probably look like that. :-) In that case,

$qs = Array();
foreach ($_POST as $key => $value) {
    $qs[$key] = clean($value);
}

... and use $qs from that point forward.



A few things about your clean routine: it will **only** work if you've previously opened a MySQL connection (mysql_real_escape_string) and appears to do some basic database cleansing but doesn't really "cleanse" the data for other types of attacks. But it's a good start.
7:51 pm on Sept 21, 2011 (gmt 0)




To prevent SQL injection and XSS attacks, you might add something like this:

// Remove HTML and PHP tags from the value.
$str = strip_tags($str);
// Delete every occurrence of the listed characters: ' : & # ( )
$str = preg_replace("/[':&#()]/", "", $str);

It is probably not a complete list, but it's a start. I'd love to see somebody tell me how to improve it.
10:21 pm on Sept 21, 2011 (gmt 0)



You've knocked it on the head there jborder, "improve it". That's exactly what I'm looking for. I've read loads of articles but none seem to be conclusive.

Does anybody know of a pre-written function that covers all bases?
7:02 am on Sept 22, 2011 (gmt 0)



I found this on the net: htmlpurifier

I never tried it, so I don't know if it's good or bad. You may try and let us know.
7:35 am on Sept 22, 2011 (gmt 0)



How about something like this? This recursively sanitizes variables. Useful for multi-dimensional arrays like, for example, $_REQUEST, $_POST and $_GET.


// Note:
// A MySQL connection is required before using mysql_real_escape_string(),
// otherwise an error of level E_WARNING is generated and FALSE is returned.
// If link_identifier isn't defined, the last MySQL connection is used.

/**
 * Filters a variable to make it safe for insertion into a query.
 * Will filter strings and arrays (recursively).
 *
 * @param mixed   $input
 * @param boolean $filterHtml = true Should HTML and PHP tags be stripped from the input?
 * @return mixed
 */
function sqlescape($input, $filterHtml = true) {
    if (!is_array($input)) {
        if ($filterHtml) {
            return mysql_real_escape_string(strip_tags($input));
        } else {
            return mysql_real_escape_string($input);
        }
    } else {
        // Recurse into nested arrays such as $_POST['items'][0].
        foreach ($input as $key => $value) {
            $input[$key] = sqlescape($value, $filterHtml);
        }
        return $input;
    }
}
8:15 am on Sept 22, 2011 (gmt 0)

topr8 (Senior Member)


>>Does anybody know of a function pre written that covers all bases?

no, to be really safe you should customise your 'cleaning' functions to suit each input...

if you expect an integer then test for an integer.
if you expect a month in the format 01-12 then test for that.
if you expect a text field with a maximum of 64 characters make sure you also test for a string with maximum length of 64.
ensure you only allow the characters that you want (e.g. you might want to disallow html for many good reasons)

what rocknbil said is a good shortcut although i always do something like:
$clean_post1 = clean($_POST['post1']);

this way i never accidentally use a variable for a database insert that hasn't already been cleaned. (using an array like Oxidiser said also makes sense)

it is more long-winded to test the data properly, but if you don't you are building up trouble for the future one way or another - even if just from having wrong data inserted into your database fields
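Added here as an example, not code from the thread: a per-field validator in the spirit of topr8's list (integer, month 01-12, bounded text with an explicit allowed set) that rejects anything that does not match instead of trying to strip it. The field names, the rules and the $sample request are assumptions standing in for real $_POST data.

```php
<?php
// Added example, not from the thread: validate each $_POST field against its
// own rule, as topr8 describes, rather than one generic clean(). The field
// names, rules and $sample request are assumptions standing in for $_POST.

// Returns array($clean, $errors); $clean holds only the fields that passed.
function validate_post(array $post, array $rules) {
    $clean = array(); $errors = array();
    foreach ($rules as $field => $rule) {
        // A missing field, or an array where a scalar is expected, is an error.
        if (!isset($post[$field]) || is_array($post[$field])) {
            $errors[$field] = 'missing'; continue;
        }
        $value = trim($post[$field]);
        switch ($rule['type']) {
            case 'int':   // rejects "12abc", "1e3" and out-of-range values
                $value = filter_var($value, FILTER_VALIDATE_INT);
                $ok = $value !== false && $value >= $rule['min'] && $value <= $rule['max'];
                break;
            case 'month': // exactly two digits, 01..12
                $ok = (bool) preg_match('/^(0[1-9]|1[0-2])$/', $value);
                break;
            case 'text':  // length in characters plus an explicit allowed character set
                $ok = mb_strlen($value, 'UTF-8') <= $rule['max_len']
                   && preg_match($rule['allowed'], $value);
                break;
            default:      // unknown rule type: reject rather than pass through
                $ok = false;
        }
        if ($ok) { $clean[$field] = $value; } else { $errors[$field] = $rule['type']; }
    }
    return array($clean, $errors);
}

// Constructed sample: qty passes; month is out of range; title contains markup.
$sample = array('qty' => '12', 'month' => '13', 'title' => 'Hello <b>world</b>');
$rules = array(
    'qty'   => array('type' => 'int', 'min' => 1, 'max' => 99),
    'month' => array('type' => 'month'),
    'title' => array('type' => 'text', 'max_len' => 64, 'allowed' => '/^[\p{L}\p{N} .,\'-]*$/u'),
);
list($clean, $errors) = validate_post($sample, $rules);
print_r($clean);
print_r($errors);
// Validated values still get escaped at the point of use: in the query layer
// for SQL (prepared statements, or the escape function this thread uses) and
// with htmlspecialchars($clean['title'], ENT_QUOTES, 'UTF-8') when echoed into HTML.
```

Because the rule is a whitelist, a value such as the title above is reported as an error rather than silently altered, which is what makes the "accept only what you want" approach easier to reason about than a generic strip.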
4:12 pm on Sept 22, 2011 (gmt 0)

rocknbil (Senior Member)


^ ^ Precisely, "it depends" on what the input is. "Every user input is a potential hack" and "Accept only what you want and throw everything else away" - Selena Sol