Data Sanitization

[Kilroy]

I like to use this:

PHP Code:

class Parse {     
        
    /* Cleans input to the db */
    function cleanInput($text) 
    {
        /* Make text safe for MySQL */
        $text = mysql_escape_string($text);

        /* Remove excess spaces */
        $text = trim($text);
        
        /* Strip disallowed HTML tags from the input */
        $allowedtags = '<h1><h2><h3><b><strong><i><em><a><ul><li><pre><hr><br><blockquote><img>';
        $text = strip_tags($text, $allowedtags);

        return $text;
    }
    
    /* Cleans output from the db */
    function cleanOutput($text)
    {
        /* Convert new lines to <br />'s */
        $text = nl2br($text);

        return $text;
    }
} 


and to fix the problem with magic_quotes_gpc, this:

PHP Code:

/* Fixes the problem of too many slashes when magic_quotes_gpc is ON */
    function fix_magic_quotes_gpc()
    {
        if(get_magic_quotes_gpc()){
            $POST = stripslashes($POST);
            $GET = stripslashes($GET);
        }
    } 


[frezno]

who runs with register globals enabled anymore anyway?

e.g. all those poor individuals who use osCommerce

I would never host on a server with register globals enabled...

hmmm, does this really matter if you use Superglobals?

[frezno]

I like to use this:

take a look at the function provided in this thread

[Kilroy]

frezno, what's the difference between that and my code?

[frezno]

hardly any, Kilroy. Just mentioned it because it's funny we came up with about the same stuff.
Although with the function i provided the allowed tags can be put in dynamically and are not hard coded.
That might be useful, depending when and where you want to use this function,
eg. in a contact form i don't want to see any tags allowed, whereas in a forum it's a must.

[Kilroy]

Ok, I was wondering about that

Yes, I understand that it's better to do it your way and I will probably change it though, it was only a function which I thought of in 5 minutes, lol

[marcele]

Saw this in zends code archive... any thoughts people?
I'm not sure how much CPU this would take...

PHP Code:

  <?
  
  ####################################################################
  #  PHP  CGI-Filter, can be used with $_COOKIE, $_POST, $_GET, etc...
  #  Date    : 11/05/2003
  #  Version : 0.9
  #  Author  : Cameron Jacobson 
  #  Please send word of any benchmarks produced, best order for the 'alphabet' string, etc...
  
  #  Installation:  Include the following line at the top of your script
  #     include 'filename.php';   where filename is the name of this file
  
  #  Instructions:
  #  Define the characters you will allow in your PHP apps in the
  #  $alphabet variable...
  #  AND, add variables accordingly if you want to filter
  #  $_COOKIE, $_FILES, $_SESSION variables, etc...
  
  #  NOTE:  In order for this filter to be useful, you should not have
  #         REGISTER_GLOBALS on, or should at least not program
  #         your scripts as though it were on
  
  #  LICENSE  :  To use this piece of software you must agree with
  #              the terms and conditions of the GNU GPL.
  
  ####################################################################
  
         $alphabet="\r\n abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890<>=/._";
  
  
  $post=$_POST;
  $get=$_GET;
  $postcount=count($post) -1;
  $getcount=count($get) -1;
  $getkeys=array_keys($get);
  $postkeys=array_keys($post);
  
  while($getcount>0) {
  $key=$getkeys[$getcount];
  $variable=$get[$key];
  
          $variable=$variable1=trim(strtolower($variable));
          $vnum=0;
  
  
          while($variable2=$variable1[$vnum]) {
              if(!strstr($alphabet,$variable2) || $variable2=="\"") {
              $variable=str_replace($variable2,'',$variable);
                          }
                  $vnum=$vnum+1;
                  }
      $_GET[$key]=$variable;
      $getcount=$getcount-1;
      }
  
  while($postcount>0) {
  
  $key=$postkeys[$postcount];
  $variable=$post[$key];
          $variable=$variable1=trim(strtolower($variable));
          $vnum=0;
  
  
          while($variable2=$variable1[$vnum]) {
              if(!strstr($alphabet,$variable2) || $variable2=="\"") {
                      $variable=str_replace($variable2,'',$variable);
                          }
                  $vnum=$vnum+1;
                  }
      $_POST[$key]=$variable;
          $postcount=$postcount-1;
          }
  ?>

[Radley]

I like to use this:
and to fix the problem with magic_quotes_gpc, this:

PHP Code:

/* Fixes the problem of too many slashes when magic_quotes_gpc is ON */
    function fix_magic_quotes_gpc()
    {
        if(get_magic_quotes_gpc()){
            $POST = stripslashes($POST);
            $GET = stripslashes($GET);
        }
    } 


This is what I use:

PHP Code:


function stripMagicQuotes(&$array) {
    if (!get_magic_quotes_gpc()) return;
    while(list($key) = each($array)) {
        if (is_array($array[$key])) {
            stripMagicQuotes($array[$key]);
        } else {
            $array[$key] = stripslashes($array[$key]);
        }
    }
    return true;
}

stripMagicQuotes($_GET);
stripMagicQuotes($_POST);
stripMagicQuotes($_COOKIE); 


It's recursive, so if you have an array, each element will get fixed.

The fastest and most effecient way of doing it would be to simply have a replacement for addslashes:

PHP Code:

function safeslashes($str) {
    if (get_magic_qoutes_gpc()) {
        return $str;
    } else {
        return addslashes($str);
    }
} 


The problem that occurs with this is that if you want to use a different method of adding slashes, such as mysql_quote(), it gets a whole lot more complicated fast. Stripping them out right away is the best option, in my humble opinion.

[Kilroy]

I like that one! It looks really good... will probably use it myself from now on

[Kilroy]

I found this to be even better:

PHP Code:

function _fixMagicQuotes(&$item, $key)
{
    if (is_array($item)) {
        array_walk($item, '_fixMagicQuotes');
    } else {
        $item = stripslashes($item);
    }
}

function fixMagicQuotes() {
    static $fixed = false;
    if (!$fixed && get_magic_quotes_gpc()) {
        array_walk($_GET, '_fixMagicQuotes');
        array_walk($_POST, '_fixMagicQuotes');
        array_walk($_COOKIE, '_fixMagicQuotes');
        array_walk($_REQUEST, '_fixMagicQuotes');
        $fixed = true;
    }
} 


[Hal9k]

If anyone is reading this post and wants "The War Against Magic Quotes" article I have a google cached shot here:

http://66.102.11.104/search?q=cache:...c+quotes&hl=en

The main Pink Goblin site doesn't work (connection refused, timings out) for me, and other mirrors of the article seem to leave out the php code featured.

[Smurfs Are Tasty]

I Agree.

[aopchuck]

I call this “Sledgehammer Data Sanitizing.”

I use it on a form where I collect text – no email addresses or URL’s – just text. So it will not be useful for forms with those elements, but it sure lets this newbie sleep better at night. It eliminates all characters that are not alpha-numeric, and replaces multiple spaces with a single space. It ain’t pretty, but it’s bulletproof for entering data in a MySQL table or URL post, and it’s as simple as I am. Enjoy:

PHP Code:


$value  = preg_replace('/[^a-zA-Z0-9]/'," ",trim($value));
$value = preg_replace('/\s+/', ' ',  $value); 


[dagfinn]

PHP Code:


$value  = preg_replace('/[^a-zA-Z0-9]/'," ",trim($value)); 


The expression is almost equivalent to /\W/, except that would allow underscores. So /[\W_]/ or /\W|_/ should have exactly the same effect. But I guess replacing underscore characters isn't necessary.