> -----Original Message-----
> From: nihilism machine [mailto:nihilismmachine@xxxxxxxxx]
> Sent: Thursday, February 21, 2008 11:53 PM
> To: php-general@xxxxxxxxxxxxx
> Subject: form cleaner class
>
> What is a better idea? Using this class in my db class and using
> CleanInput on the sql statements, or using it in the top of all
> pages with form input to clean the $_POST's?

Will all your $_POST variables contain HTML code that must be filtered out except a set of tags that must be kept? Otherwise, it's not worth filtering everything every time (it will become a performance issue). IMO, if you expect an integer for some *whatever* input variable, it's best to do:

$whatever = (int)$_POST['whatever'];

> Also, any ideas or
> comments on improving the class?

I'd check out how well-known PHP frameworks/CMSs clean out HTML code to prevent XSS attacks (if somebody has done the job already, you just need to improve it - if you ever can). And what other precautions they take.

> <?php
>
> class FormCleaner {
>
>     // Initializer
>     function __construct() {
>         if (count($_POST) > 0) {
>             foreach ($_POST as $curPostKey => $curPostVal) {
>                 $_POST[$curPostKey] = $this->CleanInput($curPostVal);
>             }
>         }
>     }
>
>     // Clean Form Input
>     public function CleanInput($UserInput) {
>         $allowedtags = "<b></b><i></i><h1></h1><a></a><img><ul></ul><li></li><blockquote></blockquote>";
>         $notallowedattribs = array("@javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup@si");
>         $changexssto = '';
>         $UserInput = preg_replace($notallowedattribs, $changexssto, $UserInput);
>         $UserInput = strip_tags($UserInput, $allowedtags);
>         $UserInput = nl2br($UserInput);
>         return $UserInput;
>     }
> }
>
> ?>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | TEL 954-607-4207 | FAX 954-337-2695 | Email: info@xxxxxxxxxxxxx | MSN Chat: best@xxxxxxxxxxxxx | SKYPE: bestplace | Web: bestplace.biz | Web: seo-diy.com
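The following is an added example written for this page; it is not code from either poster. It re-implements the quoted CleanInput() logic so it can be run against three constructed payloads that pass through it unchanged, then shows the approach the reply points at instead: treat each field according to the type you expect, bind values into SQL with prepared statements rather than "cleaning" the statement, and encode at output time. The PDO part assumes the pdo_sqlite extension is available; the $_POST body is constructed for the demonstration.

```php
<?php
// Added example, not part of the original thread.

// Same logic as the FormCleaner::CleanInput() quoted above, kept verbatim
// so the payloads below exercise the real behaviour.
function cleanInputAsPosted(string $userInput): string
{
    $allowedTags = '<b></b><i></i><h1></h1><a></a><img><ul></ul><li></li><blockquote></blockquote>';
    $notAllowedAttribs = ['@javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup@si'];
    $userInput = preg_replace($notAllowedAttribs, '', $userInput);
    $userInput = strip_tags($userInput, $allowedTags);
    return nl2br($userInput);
}

// Constructed payloads. Each survives the blacklist and is emitted as live HTML
// because <img> and <a> are allowed tags and strip_tags() keeps their attributes.
$bypasses = [
    // onerror is simply not in the blacklist.
    'unlisted handler' => '<img src=x onerror=alert(1)>',
    // preg_replace() makes a single pass: deleting the inner "onclick" from
    // "ononclickclick" leaves a fresh "onclick" behind.
    'nested keyword'   => '<img src=x ononclickclick=alert(1)>',
    // The regex wants the literal "javascript:"; the browser decodes the
    // character reference in the attribute value and runs it anyway.
    'entity-encoded'   => '<a href="&#106;avascript:alert(1)">x</a>',
];
foreach ($bypasses as $name => $payload) {
    printf("%-17s -> %s\n", $name, cleanInputAsPosted($payload));
}

// What the reply recommends instead, on a constructed POST body.
$_POST = [
    'page'    => '7abc',
    'comment' => '<img src=x onerror=alert(1)> "quoted" & done',
];

// 1. Integer field: cast (as in the reply) or validate strictly; no HTML cleaning.
$page = (int) $_POST['page'];                                    // 7
$strictPage = filter_var($_POST['page'], FILTER_VALIDATE_INT);    // false: rejects "7abc"
printf("page cast=%d strict=%s\n", $page, var_export($strictPage, true));

// 2. SQL: bind the raw value with a prepared statement. Nothing is "cleaned",
//    so the stored text is exact and injection is not possible through it.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
$insert->execute([':body' => $_POST['comment']]);

// 3. HTML: encode when rendering, in the context where the value is used.
//    The stored payload comes back as inert text, not as an <img> tag.
foreach ($pdo->query('SELECT body FROM posts') as $row) {
    echo htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}
```

Two points follow from running it. First, a keyword blacklist applied before strip_tags() cannot be made complete: every new event handler name, encoding trick or single-pass replacement artifact is a new bypass, which is why the reply says to look at what established frameworks do (their HTML filters parse the markup and keep only whitelisted elements and attributes, with URL schemes checked after decoding). Second, the original question of where to call CleanInput() has no good answer, because SQL and HTML need different treatment: bound parameters for the query and output encoding for the page, with the whitelist sanitizer reserved for the few fields that genuinely have to keep some tags.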