On Mon, 2008-01-21 at 23:15 -0500, nihilism machine wrote:

> Why isn't this cleaning my form $_POST's
>
> class forms {
>
>     var $UserInputClean;
>
>     // Forms to variables
>     function forms() {
>         if (count($_POST) > 0) {
>             foreach($_POST as $curPostKey => $curPostVal) {
>                 $curPostKey = forms::CleanInput($curPostVal);

That should probably be something along the lines of:

    $_POST[$curPostKey] = forms::CleanInput( $curPostVal );

>             }
>         }
>         // Debug
>         print_r($_POST);
>     }
>
>     // Clean XSS
>     function CleanInput($UserInput) {
>         $allowedtags =
>             "<strong><em><a><ul><li><pre><hr><blockquote><img><span>";
>         $notallowedattribs = array("@javascript:|onclick|ondblclick|onmousedown|onmouseup"
>             ."|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup@si");
>         $changexssto = '';
>         $UserInput = preg_replace($notallowedattribs, $changexssto,
>             $UserInput);
>         $UserInput = strip_tags($text, $allowedtags);
>         $UserInput = nl2br($UserInput);
>         return $this->UserInputClean;

WTF? BAD MONKEY!!!

This function is called statically and so $this is NOT available. You
probably meant to do the following though:

    return $UserInput;

>     }
> }

Other comments for you...

Don't use hard tabs, use spaces (preferably 4).

Switch to vertically aligned braces; it makes it easier for me to read
your code ;)

    if( $foo )
    {
    }

Cheers,
Rob

--
...........................................................
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
...........................................................

--
PHP General Mailing List (http://www.php.net/)
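For reference, here is the class with the three defects from the thread fixed: the cleaned value is written back into the array by key rather than into the loop variable, strip_tags() is given $UserInput instead of the undefined $text, and CleanInput() returns its local variable instead of $this. This is an added example, not the original poster's or Rob's code; the class/property names (Forms, $clean), the static declaration (required by modern PHP for a static call) and the sample input are assumptions of the example.

```php
<?php
// Added example: the forms class from the thread with the fixes applied.

class Forms
{
    // Assumed name for the cleaned copy of the submitted fields.
    public $clean = array();

    // Takes the POST array as a parameter so the class can be exercised
    // offline with constructed input instead of the real $_POST.
    public function __construct(array $post)
    {
        foreach ($post as $key => $val) {
            // Fix 1: store the result under the field's key; assigning to
            // $key itself changed nothing in the array.
            $this->clean[$key] = self::cleanInput($val);
        }
    }

    // Declared static because it is called as Forms::cleanInput(); calling a
    // non-static method statically is an error in PHP 8.
    public static function cleanInput($input)
    {
        $allowedTags = '<strong><em><a><ul><li><pre><hr><blockquote><img><span>';
        $pattern = '@javascript:|onclick|ondblclick|onmousedown|onmouseup'
                 . '|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup@si';

        $input = preg_replace($pattern, '', $input);
        // Fix 2: the original passed an undefined $text here, so strip_tags()
        // always received an empty value.
        $input = strip_tags($input, $allowedTags);
        $input = nl2br($input);

        // Fix 3: return the local value; $this does not exist in a static call.
        return $input;
    }
}

// Constructed sample input standing in for $_POST.
$sample = array(
    'comment' => "<b>hi</b> <a href=\"javascript:alert(1)\" onclick=\"x()\">link</a>\nbye",
);

$form = new Forms($sample);
print_r($form->clean);
```

Two things worth noting from a defensive standpoint. First, the original code mutates $_POST in place; keeping a separate cleaned copy (as above) makes it obvious which values have been processed. Second, deleting matched substrings is a blacklist, and blacklists are fragile: the reliable defence against XSS is to encode data for the context where it is output (htmlspecialchars() with ENT_QUOTES for HTML), and to treat input filtering such as this only as a supplementary layer.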