> -----Original Message-----
> From: nihilism machine [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 21, 2008 11:53 PM
> To: php-general@lists.php.net
> Subject: [PHP] form cleaner class
> 
> What is a better idea? Using this class in my db class and using
> CleanInput on the sql statements, or using it at the top of all
> pages with form input to clean the $_POST's?

Will all your $_POST variables contain HTML code that must be filtered out,
except for a set of tags that must be kept?
Otherwise, it's not worth filtering everything every time (it will become a
performance issue).
IMO, if you expect an integer for some *whatever* input variable, it's best to
do:

$whatever = (int)$_POST['whatever'];

> Also, any ideas or
> comments on improving the class?

I'd check out how well-known PHP frameworks/CMSes clean out HTML code to prevent
XSS attacks (if somebody has done the job already, you just need to improve it -
if you ever can), and what other precautions they take.

> 
> <?php
> 
> class FormCleaner {
> 
>       // Initializer
>       function __construct() {
>               if (count($_POST) > 0) {
>                       foreach($_POST as $curPostKey => $curPostVal) {
>                               $_POST[$curPostKey] = $this->CleanInput($curPostVal);
>                       }
>               }
>       }
> 
>       // Clean Form Input
>       public function CleanInput($UserInput) {
>               $allowedtags = "<b></b><i></i><h1></h1><a></a><img><ul></ul><li></li><blockquote></blockquote>";
>               $notallowedattribs = array("@javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|[EMAIL PROTECTED]");
>               $changexssto = '';
>               $UserInput = preg_replace($notallowedattribs, $changexssto, $UserInput);
>               $UserInput = strip_tags($UserInput, $allowedtags);
>               $UserInput = nl2br($UserInput);
>               return $UserInput;
>       }
> }
> 
> ?>
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Regards,

Rob


Andrés Robinet | Lead Developer | BESTPLACE CORPORATION 
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 |
TEL 954-607-4207 | FAX 954-337-2695 | 
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE: bestplace |
 Web: bestplace.biz  | Web: seo-diy.com
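As an added example that is not part of the original post: the reply's advice to look at how established frameworks clean HTML comes down to parsing the markup and keeping an allowlist, rather than searching for attribute names with a regex the way the posted class does. This version assumes a tag and attribute allowlist (the posted class's tags, plus the attributes each may keep), an http(s)-only rule for href/src, and ext/dom being available; everything else is dropped, including attribute values that only spell a forbidden scheme after entity decoding.

```php
<?php
// Added example (not from the original post). Assumed allowlist: the posted
// class's tags, the attributes each may keep, and an http(s)-only URL rule.
final class HtmlAllowlist
{
    private const ALLOWED = ['b' => [], 'i' => [], 'h1' => [], 'ul' => [], 'li' => [],
        'blockquote' => [], 'a' => ['href'], 'img' => ['src', 'alt']];

    public static function clean(string $html): string
    {
        $doc = new DOMDocument();
        libxml_use_internal_errors(true);   // tolerate sloppy user markup
        $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>');
        libxml_clear_errors();
        $body = $doc->getElementsByTagName('body')->item(0);
        self::walk($body);
        return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($body->childNodes)));
    }

    private static function walk(DOMNode $parent): void
    {
        // Snapshot the children first: the loop mutates the tree.
        foreach (iterator_to_array($parent->childNodes) as $node) {
            if (!$node instanceof DOMElement) {
                if (!$node instanceof DOMText) $parent->removeChild($node); // comments etc.
                continue;
            }
            $tag = strtolower($node->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($node);  // drop the subtree, text included
            } elseif (!isset(self::ALLOWED[$tag])) {
                self::walk($node);            // unwrap: keep the text, drop the tag
                while ($node->firstChild) $parent->insertBefore($node->firstChild, $node);
                $parent->removeChild($node);
            } else {
                foreach (iterator_to_array($node->attributes) as $attr) {
                    $name = strtolower($attr->name);
                    $keep = in_array($name, self::ALLOWED[$tag], true)
                        && (($name !== 'href' && $name !== 'src') || self::safeUrl($attr->value));
                    if (!$keep) $node->removeAttribute($attr->name);
                }
                self::walk($node);
            }
        }
    }

    // Relative URLs and http(s) only; the parser has already decoded entities here.
    private static function safeUrl(string $url): bool
    {
        $scheme = parse_url(trim($url), PHP_URL_SCHEME);
        return $scheme === null
            || (is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true));
    }
}
```

Run it once where rich-text fields are accepted; plain fields still get the type-specific treatment the reply shows, such as the (int) cast.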
