[PHP] form cleaner class
What is a better idea? Using this class in my db class and using CleanInput on the SQL statements, or using it at the top of all pages with form input to clean the $_POST's? Also, any ideas or comments on improving the class?

<?php
class FormCleaner {

    // Initializer
    function __construct() {
        if (count($_POST) > 0) {
            foreach ($_POST as $curPostKey => $curPostVal) {
                $_POST[$curPostKey] = $this->CleanInput($curPostVal);
            }
        }
    }

    // Clean Form Input
    public function CleanInput($UserInput) {
        $allowedtags = '<b></b><i></i><h1></h1><a></a><img><ul></ul><li></li><blockquote></blockquote>';
        // The list archive mangled the final alternative and the closing delimiter of this
        // pattern to "[EMAIL PROTECTED]"; the delimiter is closed here so the pattern compiles.
        $notallowedattribs = array('@javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown@');
        $changexssto = '';
        $UserInput = preg_replace($notallowedattribs, $changexssto, $UserInput);
        $UserInput = strip_tags($UserInput, $allowedtags);
        $UserInput = nl2br($UserInput);
        return $UserInput;
    }
}
?>

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] form cleaner class
On Thu, Feb 21, 2008 at 8:53 PM, nihilism machine [EMAIL PROTECTED] wrote:
> What is a better idea? Using this class in my db class and using CleanInput on the SQL statements, or using it at the top of all pages with form input to clean the $_POST's? Also, any ideas or comments on improving the class?
>
> <?php
> class FormCleaner {
>
>     // Initializer
>     function __construct() {
>         if (count($_POST) > 0) {
>             foreach ($_POST as $curPostKey => $curPostVal) {
>                 $_POST[$curPostKey] = $this->CleanInput($curPostVal);
>             }
>         }
>     }
>
>     // Clean Form Input
>     public function CleanInput($UserInput) {
>         $allowedtags = '<b></b><i></i><h1></h1><a></a><img><ul></ul><li></li><blockquote></blockquote>';
>         // The list archive mangled the final alternative and the closing delimiter of this
>         // pattern to "[EMAIL PROTECTED]"; the delimiter is closed here so the pattern compiles.
>         $notallowedattribs = array('@javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown@');
>         $changexssto = '';
>         $UserInput = preg_replace($notallowedattribs, $changexssto, $UserInput);
>         $UserInput = strip_tags($UserInput, $allowedtags);
>         $UserInput = nl2br($UserInput);
>         return $UserInput;
>     }
> }
> ?>

Does this line work?:

    foreach ($_POST as $curPostKey => $curPostVal) {
        $_POST[$curPostKey] = $this->CleanInput($curPostVal);
    }

If I recall correctly, you can't modify the array within a foreach block... or am I going crazy?

--
-Casey
Re: [PHP] form cleaner class
On Thu, Feb 21, 2008 at 8:59 PM, Casey [EMAIL PROTECTED] wrote:
> On Thu, Feb 21, 2008 at 8:53 PM, nihilism machine [EMAIL PROTECTED] wrote:
> > What is a better idea? Using this class in my db class and using CleanInput on the SQL statements, or using it at the top of all pages with form input to clean the $_POST's? Also, any ideas or comments on improving the class?
> >
> > [...]
>
> Does this line work?:
>
>     foreach ($_POST as $curPostKey => $curPostVal) {
>         $_POST[$curPostKey] = $this->CleanInput($curPostVal);
>     }
>
> If I recall correctly, you can't modify the array within a foreach block... or am I going crazy?
>
> --
> -Casey

Nevermind, wrong language! :P

--
-Casey
RE: [PHP] form cleaner class
-----Original Message-----
From: nihilism machine [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2008 11:53 PM
To: php-general@lists.php.net
Subject: [PHP] form cleaner class

> What is a better idea? Using this class in my db class and using CleanInput on the SQL statements, or using it at the top of all pages with form input to clean the $_POST's?

Will all your $_POST variables contain HTML code that must be filtered out except for a set of tags that must be kept? Otherwise, it's not worth filtering everything every time (it will become a performance issue). IMO, if you expect an integer for some *whatever* input variable, it's best to do:

    $whatever = (int)$_POST['whatever'];

> Also, any ideas or comments on improving the class?

I'd check out how well-known PHP frameworks/CMSs clean out HTML code to prevent XSS attacks (if somebody has done the job already, you just need to improve it - if you ever can), and what other precautions they take.

> <?php
> class FormCleaner {
> [...]
> }
> ?>

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | TEL 954-607-4207 | FAX 954-337-2695 | Email: [EMAIL PROTECTED] | MSN Chat: [EMAIL PROTECTED] | SKYPE: bestplace | Web: bestplace.biz | Web: seo-diy.com
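The approach Rob describes (validate each field for the type you expect, rather than running one tag filter over every $_POST value), with escaping done per output context instead of at the SQL layer, as an added example that is not code from the thread. The field names, the users table and the sample input are assumptions.

```php
<?php
// Added example, not from the thread. Field names, table and sample input are assumptions.
declare(strict_types=1);

// Validate on input: each field gets the check its expected type needs.
function validateSignup(array $post): array
{
    $errors = [];
    $clean  = [];

    // Integer field: cast/validate instead of filtering tags out of it.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) { $errors[] = 'age must be an integer between 0 and 150'; }
    else                { $clean['age'] = $age; }

    // Email field: format validation, not tag stripping.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors[] = 'email is not valid'; }
    else                  { $clean['email'] = $email; }

    // Free-text field: store it as typed (length-limited); escaping happens on output.
    $bio = (string)($post['bio'] ?? '');
    if (strlen($bio) > 1000) { $errors[] = 'bio is too long'; }
    else                     { $clean['bio'] = $bio; }

    return [$clean, $errors];
}

// HTML context: escape at render time, so stored text cannot become markup.
function renderBio(string $bio): string
{
    return nl2br(htmlspecialchars($bio, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// SQL context: bound parameters travel separately from the statement,
// so no string "cleaning" is needed for the database at all.
function insertUser(PDO $db, array $clean): void
{
    $stmt = $db->prepare('INSERT INTO users (age, email, bio) VALUES (:age, :email, :bio)');
    $stmt->execute([':age' => $clean['age'], ':email' => $clean['email'], ':bio' => $clean['bio']]);
}

// Constructed sample input standing in for $_POST.
[$clean, $errors] = validateSignup(['age' => '29', 'email' => 'ann@example.com',
                                    'bio' => "Hi <b>there</b>\nline 2"]);
if ($errors === []) {
    echo renderBio($clean['bio']), "\n";
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (age INTEGER, email TEXT, bio TEXT)');
    insertUser($db, $clean);
}
```

The rendered bio keeps the literal `<b>` text as visible characters rather than as a tag, and the integer and email fields never pass through an HTML filter they do not need.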