DamienRoche Posted January 6, 2009

Hi, I created a function for cleaning user input but wanted everybody's opinion of what I could do to make it more secure or if I have made any mistakes with implementing my code. Here it is:

```php
<?php
##### FOR CLEANING USER INPUT
function clean($field, $no, $fid){
    $field = stripslashes($field);
    // $no matches characters that are NOT allowed; every match is reported
    if(preg_match_all($no, $field, $m)){
        echo "Illegal Characters Detected!<br>";
        echo "In \"$fid\", you cannot use:<br>";
        $arr = array_unique($m[0]);
        foreach($arr as $m1){
            echo "<span style='color:red;font-weight:bold;'>$m1</span><br>";
        }
    }
    // Needs an open mysql_connect() link; without one it returns false with a warning
    return mysql_real_escape_string($field);
}

############# EXAMPLE:
// Inside [...] a '|' is a literal character, not alternation, so the pipes
// have been removed; each class means "anything NOT in this allowed set"
$no1 = "/[^a-zA-Z0-9\-\?\:\.\'\\\"\@\(\)\!\,\/\&\s]/";  ####COMMENTS ETC.
$no2 = "/[^a-zA-Z\s]/";                                ####NAMES
$no3 = "/[^a-zA-Z0-9\:\\/\-\.\?\&\%\s]/";               ####WEBSITES
$no4 = "/\.php|\.js|\.jsp|\.tpl|\.exe|\.txt|\.scr|\.shs|\.pif|\.ini|\.htaccess/"; ####FILES
$no5 = "/\.jpg|\.gif/";                                ###IMAGES
$no_leniant = "/<\?php/";   // '?' escaped: unescaped it made the '<' optional
$name = clean($_POST['name'], $no1, "Your Name");
?>
```

Ignore the no1, no2 etc. - they are work in progress. My concern is that maybe the return mysql_real_escape_string($field) may not work or be ideal. I'd just like to know what else I can filter or what pre-existing PHP functions I can use to make it even more robust. Thanks.

Link: https://forums.phpfreaks.com/topic/139713-is-my-clean-user-input-function-secure-submit-your-own-examples-pls/
DamienRoche (Author) Posted January 6, 2009

Anyone? Anybody have any functions they have created which might help here? Thanks.
premiso Posted January 6, 2009

Here is my take at this...

```php
<?php
function clean($field, $type = "string", $html = false){
    // Strip tags unless the caller explicitly allows HTML (e.g. blog posts)
    if (!$html) $field = strip_tags($field);
    // Only undo the slashes if PHP's magic quotes actually added them
    if (get_magic_quotes_gpc()) $field = stripslashes($field);
    switch ($type) {
        case "int":
            $field = (int)$field;
            break;
        default:
        case "string":
            // Needs an open mysql_connect() link
            $field = mysql_real_escape_string($field);
            break;
    }
    return $field;
}
?>
```

That should work for about anything. You can add more cases to do extra checking etc. The HTML was added because if you run a blog or something like that, you want to allow HTML to be passed through.

As for your original function, I would add the get_magic_quotes_gpc check in there, so in case it is already off there is no need to strip slashes. But I would actually separate out the "cleaning" portion and put that into a new function like validate(), because they are really two different items: cleaning something just makes it database enterable, while validating something is making sure that the stuff that should be allowed is there and disallowed is not there.
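Building on premiso's validate-versus-clean split and on the whitelist character classes from the first post, here is an added example that is not code from either poster. It assumes PHP 7.4+ with the pdo_sqlite extension; the field rules, the comments table and the sample submissions are made up for the demonstration. Validation reports the rejected characters the way the original clean() does but never alters the value; storage goes through a PDO prepared statement, so no escaping function is applied to the input at all; and HTML escaping happens only when the stored row is rendered.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with pdo_sqlite;
// the field rules, table and sample inputs below are made up for the demo.

// Whitelist character class and maximum length per field type. Inside [...]
// a '|' is a literal character, not alternation, so none are used here.
const FIELD_RULES = [
    'name'    => ['class' => 'a-zA-Z \'\-',                   'max' => 100],
    'comment' => ['class' => 'a-zA-Z0-9\s.,?!:;\'"()@&\/\-',  'max' => 2000],
];

// Validation only: returns a list of problems (empty when the value is acceptable)
// and never modifies or escapes the value. Rejected characters are found with the
// complement of the whitelist, as the original clean() did.
function validate(string $value, string $type): array
{
    if (!isset(FIELD_RULES[$type])) {
        return ["unknown field type '$type'"];
    }
    ['class' => $class, 'max' => $max] = FIELD_RULES[$type];
    $errors = [];
    if ($value === '') {
        $errors[] = 'must not be empty';
    }
    if (strlen($value) > $max) {
        $errors[] = "longer than $max bytes";
    }
    if (preg_match_all('/[^' . $class . ']/', $value, $m) > 0) {
        $errors[] = 'contains disallowed characters: ' . implode(' ', array_unique($m[0]));
    }
    return $errors;
}

// Storage: a prepared statement sends the values separately from the SQL text,
// so a quote in validated input (O'Brien) needs no escaping function.
function storeComment(PDO $db, string $name, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => $name, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetchComment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Output: HTML escaping belongs at the point of rendering, not at input time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComment(array $row): string
{
    return '<p><b>' . h($row['name']) . '</b>: ' . h($row['body']) . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT)');

// Constructed sample submissions: 1 and 3 are legitimate, 2 and 4 are attack-shaped
$samples = [
    ['name' => "O'Brien",                          'comment' => 'Nice post, thanks!'],
    ['name' => "Robert'); DROP TABLE comments;--", 'comment' => 'x'],
    ['name' => 'Mallory',                          'comment' => 'Tom & "Jerry"'],
    ['name' => 'Mallory',                          'comment' => '<script>alert(1)</script>'],
];

foreach ($samples as $s) {
    $errors = array_merge(validate($s['name'], 'name'), validate($s['comment'], 'comment'));
    if ($errors) {
        echo 'rejected: ' . implode('; ', $errors) . "\n";
        continue;
    }
    $id = storeComment($db, $s['name'], $s['comment']);
    echo "stored #$id -> " . renderComment(fetchComment($db, $id)) . "\n";
}
```

Sample 1 is stored verbatim, apostrophe included; sample 2 is rejected for the `)` and `;` before it ever reaches SQL, and even if the name rule allowed them the bound parameter could not break out of the INSERT; sample 3 passes and is rendered as `Tom &amp; &quot;Jerry&quot;`; sample 4 is rejected for `<` and `>`. The `mysql_*` extension that `mysql_real_escape_string` belongs to was removed in PHP 7, so on a current PHP the prepared-statement path is the one that still exists.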
DamienRoche (Author) Posted January 6, 2009

Thanks for that premiso. I'll look at integrating the two. Thanks.