Which is the better approach: using this class inside my DB class and calling CleanInput on the SQL statements, or calling it at the top of every page that takes form input to clean the $_POST values? Note that the class only strips HTML/script fragments — it does not escape anything for SQL, so wherever it runs, database access still needs parameterised (prepared) queries. Also, any ideas or comments on improving the class?
<?php
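/**
 * Strips disallowed HTML and a few well-known script fragments from form
 * input, keeping a small whitelist of formatting tags.
 *
 * Caveats a caller must know:
 *  - This is NOT an SQL escaping function. Anything that ends up in a query
 *    must still go through prepared statements / bound parameters.
 *  - It is NOT a substitute for output encoding. The allowed tags keep all
 *    of their attributes (strip_tags() does not filter attributes), and the
 *    forbidden-fragment list below is a blacklist and therefore incomplete
 *    (e.g. `style=` attributes, entity-encoded `javascript:`, `data:` URLs
 *    are not handled). Escape with htmlspecialchars() for the context the
 *    value is rendered in.
 *  - nl2br() is applied here, i.e. at input time; the stored value is
 *    therefore already HTML-ish, not plain text.
 */
class FormCleaner
{
    /**
     * Tags left in place by strip_tags(). Attributes on these tags survive,
     * which is why `<img>`/`<a>` still need the handler/scheme filter.
     */
    private const ALLOWED_TAGS = '<b></b><i></i><h1></h1><a></a><img><ul></ul><li></li><blockquote></blockquote>';

    /**
     * Fragments removed from the text (case-insensitive): script URL schemes
     * and inline event handler names. `onerror`/`onload` are included because
     * `<img>` is an allowed tag. Blacklist — incomplete by construction.
     */
    private const FORBIDDEN_PATTERN = '@javascript\s*:|vbscript\s*:|on(?:click|dblclick|mouse(?:down|up|over|move|out)|key(?:press|down|up)|load|error|focus|blur|change|submit)@si';

    /**
     * Cleans every $_POST value in place (arrays from `name[]` fields are
     * cleaned element-wise). Side effect: mutates the $_POST superglobal.
     */
    public function __construct()
    {
        foreach ($_POST as $postKey => $postVal) {
            $_POST[$postKey] = $this->CleanInput($postVal);
        }
    }

    /**
     * Sanitises one form value.
     *
     * @param string|array $UserInput Raw form value; arrays are cleaned
     *                                recursively, scalars are cast to string.
     * @return string|array Cleaned value, same shape as the input, with
     *                      newlines converted by nl2br().
     */
    public function CleanInput($UserInput)
    {
        if (is_array($UserInput)) {
            // `foo[]` form fields arrive as arrays; strip_tags() on an array
            // is a TypeError on PHP 8, so recurse element-wise instead.
            return array_map([$this, 'CleanInput'], $UserInput);
        }

        $text = (string) $UserInput;

        // Strip tags BEFORE the fragment filter, so a forbidden token cannot
        // be split across a tag that strip_tags() would later delete
        // ("onc<x>lick" -> "onclick").
        $text = strip_tags($text, self::ALLOWED_TAGS);

        // Remove forbidden fragments until the text stops changing: a single
        // pass turns "onclonclickick" into "onclick". preg_replace() returns
        // null on a PCRE error; the cast fails closed to an empty string.
        do {
            $before = $text;
            $text = (string) preg_replace(self::FORBIDDEN_PATTERN, '', $text);
        } while ($text !== $before);

        return nl2br($text);
    }
}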
?>