The best way to clean input?

[azz0r_wugg]

Hello.

I've been developing with PHP for nearly a decade now and I'm still having trouble finding the best way to clean input and show safe output.

One example of this is people inputting regular data. Nothing malicious would happen as they're paid workers.

So what I'm wondering is how you'd advise or do it yourself?

Currently I pass title/descriptions through this function

PHP Code:

    public function safe($value) {

        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }

        if (!is_numeric($value) && !is_null($value)) {
            $value = "'" . $this->real_escape_string($value) . "'";
            #$value = "'" . $value . "'";
        }

        if(is_null($value)) {
            $value = 'null';
        }

        return $value;
    } 


Then I stripslashes the output. One thing I was wondering, am I best htmlcharent the output and then decoding it on the edit form and viewing the data.

[logic_earth]

I use: http://us3.php.net/pdo.prepared-statements

[azz0r_wugg]

Well I'm working on a forum for data input.

ATM I'm getting very confused on how I should be doing it!

PHP Code:

    public static function Prepare_Post($string) {

        if (!ereg('[a-z]', $string) && strlen($string) < 5) {
            $string = strtolower($string);
        }

        #$string = self::XSS_Clean($string);
        #$string = preg_replace('/\[img=([0-9]+),([0-9]+)\](.+?)\[\/img\\]/iUse', "reverse_tags(\\1, \\2, '\\3', '', 2)", $string);
        #$string = preg_replace('/\[flash=([0-9]+),([0-9]+),([0-9]+)\](.+?)\[\/flash\\]/iUse', "reverse_tags(\\1, \\2, '\\4', \\3, 1)", $string);
        #$string = preg_replace("/\[img](http:\\/\\/)?([^\\[]*)\\[\/img\\]/iUse", "reverse_tags('', '', '\\2', '', '')", $string);
        $string = preg_replace("#(^|\s)((http|https|news|ftp)://\w+\S+)#i", " [url]\\2[/url]", $string); 
        $string = preg_replace("#(^|\s)www\.([a-z0-9\-]+)\.([a-z0-9\-.\~]+)((?:/[^,\t \n\r]*)?)#i", " [url]http://www.\\2.\\3\\4[/url]", $string);
        $replace = array(
                      "\x00"  => '\x00',
                      "\n"    => '\n',
                      "\r"    => '\r',
                      '\\'    => '\\\\',
                      "'"     => "\'",
                      '"'     => '\"',
                      "\x1a"  => '\x1a'
                    );
        $string = strtr($string, $replace);
        $string    = strip_tags($string);
        $string    = trim($string);
        return $string;
    } 


...but if a user inputs '</div></div></div>' it breaks the page ofcourse. Even with strip_tags();


On the output I fixed it by putting strip_tags at the top

PHP Code:

    public static function InsertBBCode($string, $username=NULL) {
    
        $string    = strip_tags($string);
        $patterns = array('`\[b\](.+?)\[/b\]`is','`\[i\](.+?)\[/i\]`is','`\[u\](.+?)\[/u\]`is', '`\[s\](.+?)\[/s\]`is', 
                          '`\[color=([^\\[]*)\](.+?)\[/color\]`is','`\[size=([1-8]+)\](.+?)\[/size\]`is','`\[list\](.+?)\[/list\]`is'); 
    
        $replaces =  array('<strong>\\1</strong>','<em>\\1</em>','<u>\\1</u>','<strike>\\1</strike>','<span style="color:\1;">\2</span>','<font size="\1">\2</font>',
                            '<ul>\\1</ul>'); 
    
        $string = preg_replace($patterns, $replaces , $string); 
        $string = str_replace("[*]", "<li>", $string);
        $string = str_replace("[hr]", "<hr />", $string);
        $string = preg_replace('`\/me ([^\n\r]*)`is', "<font class=\"slashMe\"><b>*$username \\1</b></font>", $string);
        $string = eregi_replace("\\[font=([^\\[]*)\\]([^\\[]*)\\[/font\\]","<font face=\"\\1\">\\2</font>", $string);
        $string = eregi_replace("\\[align=([^\\[]*)\\]([^\\[]*)\\[/align\\]","<div align=\"\\1\">\\2</div>", $string);
        $string = eregi_replace("\\[email\\]([^\\[]*)\\[/email\\]", "<a href=\"mailto:\\1\">\\1</a>", $string);
        $string = eregi_replace("\\[email=([^\\[]*)\\]([^\\[]*)\\[/email\\]", "<a href=\"mailto:\\1\">\\2</a>", $string);
        $string = eregi_replace("\\[url=([^\\[]*)\\]([^\\[]*)\\[/url\\]","<a href=\"\\1\" target=\"_blank\">\\2</a>", $string);
        $string = preg_replace("/\[url]([^\\[]*)\\[\/url\\]/iUse", "self::ShortenUrl('\\1')", $string);
        $string = preg_replace("#(^|\s)([a-z0-9\-_.]+?)@([\w\-]+\.([\w\-\.]+\.)?[\w]+)#i", "\\1<a href=\"mailto:\\2@\\3\">\\2@\\3</a>", $string);
        $string = preg_replace('/\[img=([0-9]+),([0-9]+)\]([^\\[]*)\\[\/img\\]/iUse', "self::Image_Size_Consider('\\1', '\\2', '\\3')", $string);
        $string = preg_replace ('/\[img\](.*?)\[\/img\]/is','<img src="$1" alt="" />', $string);  
        #$string = preg_replace_callback('#\{([^}]{1,100})\}#i', 'self::WikipediaLink', $string);#see wiki_link for credit
        #$string = Smile::FindAndReplace($string,$smileArray)
        return $string;
    } 


[crmalibu]

A drawback to strip_tags(). Consider the result.

Code:

John sais apples<oranges
because blah blah...

htmlspecialchars() is the single most important function you need to use here.

Making a robust bbcode system is not simple. Consider using something like pears bbcode package. Your current code is vulnerable to javascript/html/css injection. While your users may not be malacious, it's still possible the page may not display correctly if something weird gets posted.