  1. #1 SitePoint Addict

    The best way to clean input?

    Hello.

    I've been developing with PHP for nearly a decade now and I'm still having trouble finding the best way to clean input and show safe output.

    One example of this is people inputting regular data. Nothing malicious would happen as they're paid workers.

    So what I'm wondering is how you'd advise or do it yourself?

    Currently I pass title/descriptions through this function

    PHP Code:
        public function safe($value) {

            if (get_magic_quotes_gpc()) {
                // magic_quotes has already added slashes; undo them so the value is not escaped twice
                $value = stripslashes($value);
            }

            if (!is_numeric($value) && !is_null($value)) {
                // escape and quote the value for direct use inside an SQL statement
                $value = "'" . $this->real_escape_string($value) . "'";
                #$value = "'" . $value . "'";
            }

            if (is_null($value)) {
                $value = 'null';
            }

            return $value;
        }
    Then I stripslashes the output. One thing I was wondering: am I best htmlcharent the output and then decoding it on the edit form and when viewing the data?
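As an added example (my code, not the original poster's), here is the "store raw, encode per context" pattern the question is circling: the quote-and-escape approach of safe() is swapped for a PDO prepared statement (assuming a posts table on an in-memory SQLite connection for the demo), and htmlspecialchars() is applied at every HTML sink, including the edit form, so nothing ever has to be decoded.

```php
<?php
// Added example, not the original poster's code. Demonstrates "store raw, encode per
// context": SQL via a prepared statement (assumed PDO + an in-memory SQLite table here),
// HTML via htmlspecialchars() at every output point, including the edit form.

function savePost(PDO $db, string $title, string $description): int {
    // SQL context: the values travel as bound parameters, never inside the query text,
    // so no quoting, no real_escape_string() and no stripslashes() on the way back out.
    $stmt = $db->prepare('INSERT INTO posts (title, description) VALUES (:title, :description)');
    $stmt->execute([':title' => $title, ':description' => $description]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): array {
    $stmt = $db->prepare('SELECT id, title, description FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// HTML context: encode at the moment the value is written into markup. ENT_QUOTES also
// encodes the single quote, so the same helper is safe inside value="..." attributes.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderPost(array $row): string {
    return '<h2>' . h($row['title']) . '</h2>' . "\n" . '<p>' . h($row['description']) . '</p>';
}

// The edit form gets the same treatment: the browser decodes the entities back into the
// original text when it populates the field, so no html_entity_decode() step is needed.
function renderEditForm(array $row): string {
    return '<input name="title" value="' . h($row['title']) . '">' . "\n"
         . '<textarea name="description">' . h($row['description']) . '</textarea>';
}

// Constructed sample input: quotes that trip naive SQL escaping, plus markup that would
// break the page if echoed raw (the '</div></div>' case mentioned later in the thread).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, description TEXT)');
$title = "O'Reilly's \"Q3\" report";
$description = '</div></div><script>alert(1)</script> 5 < 6';
$row = loadPost($db, savePost($db, $title, $description));
assert($row['title'] === $title && $row['description'] === $description); // round-trips unchanged
echo renderPost($row), "\n", renderEditForm($row), "\n";
```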

  2. #2 logic_earth


  3. #3 SitePoint Addict
    Well I'm working on a forum for data input.

    ATM I'm getting very confused on how I should be doing it!

    PHP Code:
        public static function Prepare_Post($string) {

            // lower-case very short strings that contain no lower-case letter
            // (ereg() in the original; rewritten with preg_match() since ereg is gone as of PHP 7)
            if (!preg_match('/[a-z]/', $string) && strlen($string) < 5) {
                $string = strtolower($string);
            }

            #$string = self::XSS_Clean($string);
            #$string = preg_replace('/\[img=([0-9]+),([0-9]+)\](.+?)\[\/img\\]/iUse', "reverse_tags(\\1, \\2, '\\3', '', 2)", $string);
            #$string = preg_replace('/\[flash=([0-9]+),([0-9]+),([0-9]+)\](.+?)\[\/flash\\]/iUse', "reverse_tags(\\1, \\2, '\\4', \\3, 1)", $string);
            #$string = preg_replace("/\[img](http:\\/\\/)?([^\\[]*)\\[\/img\\]/iUse", "reverse_tags('', '', '\\2', '', '')", $string);

            // wrap bare URLs in [url] tags
            $string = preg_replace("#(^|\s)((http|https|news|ftp)://\w+\S+)#i", " [url]\\2[/url]", $string);
            $string = preg_replace("#(^|\s)www\.([a-z0-9\-]+)\.([a-z0-9\-.\~]+)((?:/[^,\t \n\r]*)?)#i", " [url]http://www.\\2.\\3\\4[/url]", $string);

            // hand-rolled SQL escaping table (the same characters mysql_real_escape_string() handles)
            $replace = array(
                "\x00"  => '\x00',
                "\n"    => '\n',
                "\r"    => '\r',
                '\\'    => '\\\\',
                "'"     => "\'",
                '"'     => '\"',
                "\x1a"  => '\x1a'
            );
            $string = strtr($string, $replace);
            $string = strip_tags($string);
            $string = trim($string);
            return $string;
        }
    ...but if a user inputs '</div></div></div>' it breaks the page of course. Even with strip_tags();


    On the output I fixed it by putting strip_tags at the top

    PHP Code:
        public static function InsertBBCode($string, $username = NULL) {

            // strip raw HTML first so it never reaches the output
            $string = strip_tags($string);

            $patterns = array('`\[b\](.+?)\[/b\]`is', '`\[i\](.+?)\[/i\]`is', '`\[u\](.+?)\[/u\]`is', '`\[s\](.+?)\[/s\]`is',
                              '`\[color=([^\\[]*)\](.+?)\[/color\]`is', '`\[size=([1-8]+)\](.+?)\[/size\]`is', '`\[list\](.+?)\[/list\]`is');

            $replaces = array('<strong>\\1</strong>', '<em>\\1</em>', '<u>\\1</u>', '<strike>\\1</strike>', '<span style="color:\\1;">\\2</span>', '<font size="\\1">\\2</font>',
                              '<ul>\\1</ul>');

            $string = preg_replace($patterns, $replaces, $string);
            $string = str_replace("[*]", "<li>", $string);
            $string = str_replace("[hr]", "<hr />", $string);
            $string = preg_replace('`\/me ([^\n\r]*)`is', "<font class=\"slashMe\"><b>*$username \\1</b></font>", $string);
            // eregi_replace() in the original; rewritten with preg_replace() since ereg is gone as of PHP 7
            $string = preg_replace('#\[font=([^\[]*)\]([^\[]*)\[/font\]#i', "<font face=\"\\1\">\\2</font>", $string);
            $string = preg_replace('#\[align=([^\[]*)\]([^\[]*)\[/align\]#i', "<div align=\"\\1\">\\2</div>", $string);
            $string = preg_replace('#\[email\]([^\[]*)\[/email\]#i', "<a href=\"mailto:\\1\">\\1</a>", $string);
            $string = preg_replace('#\[email=([^\[]*)\]([^\[]*)\[/email\]#i', "<a href=\"mailto:\\1\">\\2</a>", $string);
            $string = preg_replace('#\[url=([^\[]*)\]([^\[]*)\[/url\]#i', "<a href=\"\\1\" target=\"_blank\">\\2</a>", $string);
            // the /e modifier in the original; rewritten with preg_replace_callback() since /e is gone as of PHP 7
            $string = preg_replace_callback('/\[url]([^\[]*)\[\/url\]/iUs', function ($m) { return self::ShortenUrl($m[1]); }, $string);
            $string = preg_replace("#(^|\s)([a-z0-9\-_.]+?)@([\w\-]+\.([\w\-\.]+\.)?[\w]+)#i", "\\1<a href=\"mailto:\\2@\\3\">\\2@\\3</a>", $string);
            $string = preg_replace_callback('/\[img=([0-9]+),([0-9]+)\]([^\[]*)\[\/img\]/iUs', function ($m) { return self::Image_Size_Consider($m[1], $m[2], $m[3]); }, $string);
            $string = preg_replace('/\[img\](.*?)\[\/img\]/is', '<img src="$1" alt="" />', $string);

            #$string = preg_replace_callback('#\{([^}]{1,100})\}#i', 'self::WikipediaLink', $string); #see wiki_link for credit
            #$string = Smile::FindAndReplace($string, $smileArray);

            return $string;
        }

  4. #4 SitePoint Wizard
    A drawback to strip_tags(). Consider the result.
    Code:
    John sais apples<oranges
    because blah blah...
    htmlspecialchars() is the single most important function you need to use here.

    Making a robust bbcode system is not simple. Consider using something like PEAR's BBCode package. Your current code is vulnerable to javascript/html/css injection. While your users may not be malicious, it's still possible the page may not display correctly if something weird gets posted.
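An added example (my code, not from this reply or the thread's snippets) illustrating both points above: strip_tags() discarding the text after a stray '<', and a BBCode renderer that calls htmlspecialchars() first and then only emits markup it built itself, with the attribute values users control checked against a strict pattern. The tag set and helper names are my own choice.

```php
<?php
// Added example, not code from the reply or the thread. Shows strip_tags() losing text
// after a stray '<', then a BBCode renderer that encodes first and only emits markup it
// built itself. Tag set and helper names are my own choice.

function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderBBCode(string $text): string {
    $out = h($text);                           // 1. user-supplied < > " ' & are now inert text
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u', 's' => 'strike'];
    foreach ($simple as $tag => $html) {       // 2. tag names come from this fixed map, never from input
        $out = preg_replace("#\[$tag\](.+?)\[/$tag\]#is", "<$html>\$1</$html>", $out);
    }
    // 3. Attribute values are user data, so accept only a strict shape: a 6-digit hex colour
    //    or a colour word, a size 1..8, an http(s) URL. Anything else stays plain text.
    $out = preg_replace('#\[color=(\#[0-9a-f]{6}|[a-z]{3,20})\](.+?)\[/color\]#is',
                        '<span style="color:$1;">$2</span>', $out);
    $out = preg_replace('#\[size=([1-8])\](.+?)\[/size\]#is', '<font size="$1">$2</font>', $out);
    $out = preg_replace_callback('#\[url=([^\]]+)\](.+?)\[/url\]#is', function (array $m): string {
        // the URL was encoded in step 1: decode, check the scheme, then re-encode for the attribute
        $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if (!preg_match('#^https?://[^\s"\'<>]+$#i', $href)) {
            return $m[2];                      // e.g. a javascript: URL is left as unlinked text
        }
        return '<a href="' . h($href) . '" rel="nofollow">' . $m[2] . '</a>';
    }, $out);
    return $out;
}

// Constructed sample inputs. The first is the reply's strip_tags() case: everything after
// the unclosed '<' is treated as an open tag and discarded, while h() keeps it as text.
$plain = "John sais apples<oranges\nbecause blah blah...";
echo strip_tags($plain), "\n";
echo h($plain), "\n";

$post = "[b]Note:[/b] apples<oranges, see [url=http://example.com/?a=1&b=2]here[/url] "
      . "[url=javascript:alert(1)]not here[/url] [color=#ff0000]red[/color] </div><script>x</script>";
echo renderBBCode($post), "\n";
```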

