[PHP] form cleaner class

2008-02-21 Thread nihilism machine
What is a better idea? Using this class in my db class and calling  
CleanInput on the SQL statements, or using it at the top of all  
pages with form input to clean the $_POST values? Also, any ideas or  
comments on improving the class?


<?php

class FormCleaner {

    // Initializer: run every $_POST value through CleanInput().
    // foreach by value iterates independently of writes made to
    // $_POST inside the loop, so assigning back into it is fine in PHP.
    function __construct() {
        if (count($_POST) > 0) {
            foreach ($_POST as $curPostKey => $curPostVal) {
                $_POST[$curPostKey] = $this->CleanInput($curPostVal);
            }
        }
    }

    // Clean Form Input
    public function CleanInput($UserInput) {
        // Tags that strip_tags() leaves in place (their attributes are kept too).
        $allowedtags = '<b><i><h1><a><img><ul><li><blockquote>';
        // Event-handler attribute names and the javascript: scheme to blank out.
        // The last alternative and the closing "@i" of the pattern were mangled
        // by the list archive's address scrubber; the pattern is closed here
        // after onkeydown.
        $notallowedattribs = array('@javascript:|onclick|ondblclick|'
            . 'onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|'
            . 'onkeydown@i');

        $changexssto = '';
        $UserInput = preg_replace($notallowedattribs, $changexssto, $UserInput);

        $UserInput = strip_tags($UserInput, $allowedtags);
        $UserInput = nl2br($UserInput);
        return $UserInput;
    }
}

?>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] form cleaner class

2008-02-21 Thread Casey
On Thu, Feb 21, 2008 at 8:53 PM, nihilism machine
[EMAIL PROTECTED] wrote:
 What is a better idea? Using this class in my db class and calling
  CleanInput on the SQL statements, or using it at the top of all
  pages with form input to clean the $_POST values? Also, any ideas or
  comments on improving the class?


Does this line work?:
   foreach ($_POST as $curPostKey => $curPostVal) {
       $_POST[$curPostKey] = $this->CleanInput($curPostVal);
   }

If I recall correctly, you can't modify the array within a foreach
block... or am I going crazy?

-- 
-Casey




Re: [PHP] form cleaner class

2008-02-21 Thread Casey
On Thu, Feb 21, 2008 at 8:59 PM, Casey [EMAIL PROTECTED] wrote:

  Does this line work?:

  foreach ($_POST as $curPostKey => $curPostVal) {
      $_POST[$curPostKey] = $this->CleanInput($curPostVal);
  }

  If I recall correctly, you can't modify the array within a foreach
  block... or am I going crazy?

  --
  -Casey


Never mind, wrong language! :P

-- 
-Casey




RE: [PHP] form cleaner class

2008-02-21 Thread Andrés Robinet
 -Original Message-
 From: nihilism machine [mailto:[EMAIL PROTECTED]
 Sent: Thursday, February 21, 2008 11:53 PM
 To: php-general@lists.php.net
 Subject: [PHP] form cleaner class
 
 What is a better idea? Using this class in my db class and calling
 CleanInput on the SQL statements, or using it at the top of all
 pages with form input to clean the $_POST values?

Will all your $_POST variables contain HTML code that must be filtered out,
except for a set of tags that must be kept?
Otherwise, it's not worth filtering everything every time (it will become a
performance issue).
IMO, if you expect an integer for some *whatever* input variable, it's best to
do:

$whatever = (int)$_POST['whatever'];

 Also, any ideas or
 comments on improving the class?

I'd check out how well-known PHP frameworks/CMSs clean out HTML code to prevent
XSS attacks (if somebody has done the job already, you just need to improve it -
if you ever can), and what other precautions they take.

 

Regards,

Rob


Andrés Robinet | Lead Developer | BESTPLACE CORPORATION 
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 |
TEL 954-607-4207 | FAX 954-337-2695 | 
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE: bestplace |
 Web: bestplace.biz  | Web: seo-diy.com
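As an added example (not code from the thread, and not the poster's class), here is the approach Andrés describes carried through: validate each field by its expected type on input, escape at output for the HTML context, and bind SQL parameters instead of cleaning statement text. The field names, the sample requests and the in-memory SQLite table are assumptions.

```php
<?php
// Added example, not code from the thread. Instead of one HTML filter over
// every $_POST value, each field is validated by its expected type on input
// and each output is escaped for its own context. Field names are assumed.

// Validate a request array; return typed values, or null if any field fails.
function validateRequest(array $post)
{
    // filter_var() returns false on failure, so a bad value is rejected
    // instead of being silently "cleaned" into something else.
    $userId = filter_var(isset($post['user_id']) ? $post['user_id'] : '', FILTER_VALIDATE_INT);
    $email  = filter_var(isset($post['email']) ? $post['email'] : '', FILTER_VALIDATE_EMAIL);
    if ($userId === false || $email === false) {
        return null;
    }
    // Free text is kept as typed; how it is encoded depends on where it goes.
    $comment = isset($post['comment']) ? (string) $post['comment'] : '';
    return array('user_id' => $userId, 'email' => $email, 'comment' => $comment);
}

// Render the comment into an HTML text node: <, >, &, and quotes become
// entities, so any markup in the value is displayed literally, never executed.
function renderComment($comment)
{
    return '<p>' . nl2br(htmlspecialchars($comment, ENT_QUOTES, 'UTF-8')) . '</p>';
}

// Store the row with a prepared statement: values are bound, not spliced into
// the SQL text, so the database layer needs no string cleaning at all.
function storeComment(PDO $pdo, array $row)
{
    $stmt = $pdo->prepare(
        'INSERT INTO comments (user_id, email, body) VALUES (:uid, :email, :body)');
    $stmt->execute(array(':uid' => $row['user_id'], ':email' => $row['email'],
                         ':body' => $row['comment']));
}

// Constructed sample requests standing in for $_POST.
$good = array('user_id' => '42', 'email' => 'someone@example.com',
              'comment' => "Hello <b>there</b>\n<script>x()</script>");
$bad  = array('user_id' => '42abc', 'email' => 'not-an-address', 'comment' => '');

// In-memory SQLite so the example runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (user_id INTEGER, email TEXT, body TEXT)');
if (validateRequest($bad) === null) {
    echo "rejected malformed request\n";   // nothing from it reaches storage
}
$row = validateRequest($good);
storeComment($pdo, $row);
echo renderComment($row['comment']);
```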
