  1. #26
    Kilroy (If it aint Dutch it aint much)
    Join Date: Oct 2003 | Location: The Netherlands | Posts: 406
    I like to use this:

    PHP Code:
    class Parse
    {
        /* Cleans input to the db */
        function cleanInput($text)
        {
            /* Make text safe for MySQL */
            $text = mysql_escape_string($text);

            /* Remove excess spaces */
            $text = trim($text);

            /* Strip disallowed HTML tags from the input */
            $allowedtags = '<h1><h2><h3><b><strong><i><em><a><ul><li><pre><hr><br><blockquote><img>';
            $text = strip_tags($text, $allowedtags);

            return $text;
        }

        /* Cleans output from the db */
        function cleanOutput($text)
        {
            /* Convert new lines to <br />'s */
            $text = nl2br($text);

            return $text;
        }
    }

    and to fix the problem with magic_quotes_gpc, this:

    PHP Code:
    /* Fixes the problem of too many slashes when magic_quotes_gpc is ON */
    function fix_magic_quotes_gpc()
    {
        if (get_magic_quotes_gpc()) {
            /* stripslashes() takes a string, so map it over the top-level values */
            $_POST = array_map('stripslashes', $_POST);
            $_GET  = array_map('stripslashes', $_GET);
        }
    }
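An added example, not Kilroy's code: the same tag allow-list as cleanInput(), but built on DOMDocument instead of strip_tags(), because strip_tags($text, $allowedtags) leaves every attribute on an allowed tag untouched. This version also drops attributes that are not explicitly allowed and keeps only http(s) URLs in href/src; the attribute lists and the sample input are assumptions for the demo.

```php
<?php
// Added example (not from the thread): allow-list HTML cleaner that controls
// attributes as well as tag names. Tag/attribute lists below are assumptions.
const ALLOWED_TAGS = [
    'h1' => [], 'h2' => [], 'h3' => [], 'b' => [], 'strong' => [], 'i' => [],
    'em' => [], 'ul' => [], 'li' => [], 'pre' => [], 'hr' => [], 'br' => [],
    'blockquote' => [], 'a' => ['href', 'title'], 'img' => ['src', 'alt'],
];

function cleanHtml(string $html, array $allowed = ALLOWED_TAGS): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // forum markup is rarely well-formed
    $dom->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $xpath = new DOMXPath($dom);
    // Deepest elements first, so children are settled before a parent is unwrapped.
    $elements = array_reverse(iterator_to_array($xpath->query('//body//*')));
    foreach ($elements as $el) {
        $tag = strtolower($el->nodeName);
        if (!isset($allowed[$tag])) {
            // Tag not on the list: keep its text/children, drop the element itself.
            while ($el->firstChild !== null) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        // Iterate over a copy: removing from the live attribute map skips entries.
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name  = strtolower($attr->name);
            $isUrl = ($name === 'href' || $name === 'src');
            if (!in_array($name, $allowed[$tag], true)
                || ($isUrl && !preg_match('~^https?://~i', $attr->value))) {
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($dom->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed input: a disallowed attribute, a tag not on the list, a link with an extra attribute.
echo cleanHtml('<b style="color:red">bold</b> <span>plain</span> <a href="http://example.com" target="_blank">link</a>');
```

The sample keeps the bold text and the link, drops the style and target attributes, and unwraps the span to plain text.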

  2. #27
    frezno (does not play well with others)
    Join Date: Jan 2003 | Location: Munich, Germany | Posts: 1,391
    Quote Originally Posted by marcele:
        who runs with register globals enabled anymore anyway?
    e.g. all those poor individuals who use osCommerce

    Quote Originally Posted by marcele:
        I would never host on a server with register globals enabled...
    hmmm, does this really matter if you use Superglobals?
    We are the Borg. Resistance is futile. Prepare to be assimilated.
    I'm Pentium of Borg. Division is futile. Prepare to be approximated.

  3. #28
    frezno (does not play well with others)
    Join Date: Jan 2003 | Location: Munich, Germany | Posts: 1,391
    Quote Originally Posted by Kilroy:
        I like to use this:
    take a look at the function provided in this thread

  4. #29
    Kilroy (If it aint Dutch it aint much)
    Join Date: Oct 2003 | Location: The Netherlands | Posts: 406
    frezno, what's the difference between that and my code?

  5. #30
    frezno (does not play well with others)
    Join Date: Jan 2003 | Location: Munich, Germany | Posts: 1,391
    Hardly any, Kilroy. Just mentioned it because it's funny we came up with about the same stuff.
    Although with the function I provided the allowed tags can be put in dynamically and are not hard coded.
    That might be useful, depending on when and where you want to use this function,
    e.g. in a contact form I don't want to see any tags allowed, whereas in a forum it's a must.

  6. #31
    Kilroy (If it aint Dutch it aint much)
    Join Date: Oct 2003 | Location: The Netherlands | Posts: 406
    Ok, I was wondering about that

    Yes, I understand that it's better to do it your way and I will probably change it though, it was only a function which I thought of in 5 minutes, lol

  7. #32
    marcele (SitePoint Enthusiast)
    Join Date: May 2004 | Location: Edmonton | Posts: 36

    For the security paranoid!! Only allow characters you specify!!

    Saw this in Zend's code archive... any thoughts, people?
    I'm not sure how much CPU this would take...
    PHP Code:
    <?php
    ####################################################################
    #  PHP  CGI-Filter, can be used with $_COOKIE, $_POST, $_GET, etc...
    #  Date    : 11/05/2003
    #  Version : 0.9
    #  Author  : Cameron Jacobson
    #  Please send word of any benchmarks produced, best order for the 'alphabet' string, etc...
    #
    #  Installation:  Include the following line at the top of your script
    #     include 'filename.php';   where filename is the name of this file
    #
    #  Instructions:
    #  Define the characters you will allow in your PHP apps in the
    #  $alphabet variable...
    #  AND, add variables accordingly if you want to filter
    #  $_COOKIE, $_FILES, $_SESSION variables, etc...
    #
    #  NOTE:  In order for this filter to be useful, you should not have
    #         REGISTER_GLOBALS on, or should at least not program
    #         your scripts as though it were on
    #
    #  LICENSE  :  To use this piece of software you must agree with
    #              the terms and conditions of the GNU GPL.
    ####################################################################

    $alphabet = "\r\n abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890<>=/._";

    $post = $_POST;
    $get = $_GET;
    $postcount = count($post) - 1;
    $getcount = count($get) - 1;
    $getkeys = array_keys($get);
    $postkeys = array_keys($post);

    # Walk the keys from the last index down to 0 (a "> 0" test would skip the first key)
    while ($getcount >= 0) {
        $key = $getkeys[$getcount];
        $variable = $get[$key];
        $variable = $variable1 = trim(strtolower($variable));
        $vnum = 0;

        # Bound the loop by the length; testing the character itself would stop at a "0"
        while ($vnum < strlen($variable1)) {
            $variable2 = $variable1[$vnum];
            if (!strstr($alphabet, $variable2) || $variable2 == "\"") {
                $variable = str_replace($variable2, '', $variable);
            }
            $vnum = $vnum + 1;
        }
        $_GET[$key] = $variable;
        $getcount = $getcount - 1;
    }

    while ($postcount >= 0) {
        $key = $postkeys[$postcount];
        $variable = $post[$key];
        $variable = $variable1 = trim(strtolower($variable));
        $vnum = 0;

        while ($vnum < strlen($variable1)) {
            $variable2 = $variable1[$vnum];
            if (!strstr($alphabet, $variable2) || $variable2 == "\"") {
                $variable = str_replace($variable2, '', $variable);
            }
            $vnum = $vnum + 1;
        }
        $_POST[$key] = $variable;
        $postcount = $postcount - 1;
    }
    ?>
    Last edited by marcele; Jul 5, 2004 at 12:38.
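An added example, not the CGI-Filter's own code: the same allow-list idea, done with one preg_replace() per value instead of a character loop, applied recursively so nested request arrays are covered, and with a per-field alphabet so a contact form can be stricter than a forum post. Field names, alphabets and the sample request are assumptions for the demo.

```php
<?php
// Added example (not from the thread): allow-list character filter for request
// data. Everything outside $alphabet is removed; case is preserved, unlike the
// strtolower() in the filter above. Field names/alphabets are made up.
const DEFAULT_ALPHABET = "\r\n abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890<>=/._";

// Character class matching everything that is NOT in $alphabet.
function allowListPattern(string $alphabet): string
{
    return '/[^' . preg_quote($alphabet, '/') . ']/';
}

// Removes every character outside $alphabet; arrays are filtered element by element.
function filterValue($value, string $alphabet)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $k => $v) {
            $clean[$k] = filterValue($v, $alphabet);
        }
        return $clean;
    }
    // A "0" is an ordinary character here; a while ($c = $s[$i]) loop would stop on it.
    return preg_replace(allowListPattern($alphabet), '', (string) $value);
}

// Filters a whole request array; $fieldAlphabets overrides the default per field.
function filterRequest(array $input, array $fieldAlphabets = [], string $default = DEFAULT_ALPHABET): array
{
    $out = [];
    foreach ($input as $field => $value) {
        $out[$field] = filterValue($value, $fieldAlphabets[$field] ?? $default);
    }
    return $out;
}

// Constructed sample request (not real traffic).
$post = [
    'name' => "Kilroy (NL)!",
    'tags' => ['ph-p', '0', 'my_sql'],
    'body' => "line one\r\nline <b>two</b>",
];
// Stricter alphabet for 'name' only: letters and spaces.
$clean = filterRequest($post, ['name' => 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ']);
var_export($clean);
```

With this input the name becomes "Kilroy NL", the tag "ph-p" becomes "php", the "0" tag survives, and the body is unchanged because its characters are all in the default alphabet.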

  8. #33
    SitePoint Enthusiast
    Join Date: Jun 2004 | Location: Stillwater, MN | Posts: 96
    Quote Originally Posted by Kilroy:
        I like to use this:
        and to fix the problem with magic_quotes_gpc, this:

        PHP Code:
        /* Fixes the problem of too many slashes when magic_quotes_gpc is ON */
        function fix_magic_quotes_gpc()
        {
            if (get_magic_quotes_gpc()) {
                $_POST = array_map('stripslashes', $_POST);
                $_GET  = array_map('stripslashes', $_GET);
            }
        }
    This is what I use:
    PHP Code:
    function stripMagicQuotes(&$array) {
        if (!get_magic_quotes_gpc()) return;
        while (list($key) = each($array)) {
            if (is_array($array[$key])) {
                stripMagicQuotes($array[$key]);
            } else {
                $array[$key] = stripslashes($array[$key]);
            }
        }
        return true;
    }

    stripMagicQuotes($_GET);
    stripMagicQuotes($_POST);
    stripMagicQuotes($_COOKIE);
    It's recursive, so if you have an array, each element will get fixed.

    The fastest and most efficient way of doing it would be to simply have a replacement for addslashes:
    PHP Code:
    function safeslashes($str) {
        if (get_magic_quotes_gpc()) {
            return $str;
        } else {
            return addslashes($str);
        }
    }

    The problem that occurs with this is that if you want to use a different method of adding slashes, such as mysql_quote(), it gets a whole lot more complicated fast. Stripping them out right away is the best option, in my humble opinion.
    Last edited by Radley; Jul 9, 2004 at 15:46.

  9. #34
    Kilroy (If it aint Dutch it aint much)
    Join Date: Oct 2003 | Location: The Netherlands | Posts: 406
    I like that one! It looks really good... will probably use it myself from now on

  10. #35
    Kilroy (If it aint Dutch it aint much)
    Join Date: Oct 2003 | Location: The Netherlands | Posts: 406
    I found this to be even better:

    PHP Code:
    function _fixMagicQuotes(&$item, $key)
    {
        if (is_array($item)) {
            array_walk($item, '_fixMagicQuotes');
        } else {
            $item = stripslashes($item);
        }
    }

    function fixMagicQuotes() {
        static $fixed = false;
        if (!$fixed && get_magic_quotes_gpc()) {
            array_walk($_GET, '_fixMagicQuotes');
            array_walk($_POST, '_fixMagicQuotes');
            array_walk($_COOKIE, '_fixMagicQuotes');
            array_walk($_REQUEST, '_fixMagicQuotes');
            $fixed = true;
        }
    }


  11. #36
    Hal9k (Afraid I can't do that Dave)
    Join Date: Mar 2004 | Location: East Anglia, England | Posts: 640
    If anyone is reading this post and wants "The War Against Magic Quotes" article, I have a Google cached shot here:

    http://66.102.11.104/search?q=cache:...c+quotes&hl=en

    The main Pink Goblin site doesn't work (connection refused, timing out) for me, and other mirrors of the article seem to leave out the PHP code featured.

  12. #37
    Smurfs Are Tasty (SitePoint Member)
    Join Date: Aug 2004 | Location: Nashville | Posts: 20

    agree

    I Agree.

  13. #38
    SitePoint Member
    Join Date: Apr 2004 | Location: San Diego, CA | Posts: 1

    Sledgehammer Data Sanitizing

    I call this “Sledgehammer Data Sanitizing.”

    I use it on a form where I collect text – no email addresses or URLs – just text. So it will not be useful for forms with those elements, but it sure lets this newbie sleep better at night. It eliminates all characters that are not alphanumeric, and replaces multiple spaces with a single space. It ain’t pretty, but it’s bulletproof for entering data in a MySQL table or URL post, and it’s as simple as I am. Enjoy:

    PHP Code:
    $value = preg_replace('/[^a-zA-Z0-9]/', " ", trim($value));
    $value = preg_replace('/\s+/', ' ', $value);

  14. #39
    dagfinn (SitePoint Guru)
    Join Date: Jan 2004 | Location: Oslo, Norway | Posts: 894
    PHP Code:
    $value = preg_replace('/[^a-zA-Z0-9]/', " ", trim($value));
    The expression is almost equivalent to /\W/, except that would allow underscores. So /[\W_]/ or /\W|_/ should have exactly the same effect. But I guess replacing underscore characters isn't necessary.
    Dagfinn Reiersøl
    PHP in Action / Blog / Twitter
    "Making the impossible possible, the possible easy,
    and the easy elegant"
    -- Moshe Feldenkrais

