cordoprod (posted February 7, 2009): Hi. I have a WYSIWYG editor (TinyMCE) and use a MySQL database. What I want to do is: when the user submits the form I want to kind of clean the $_POST. I do not want the following:
- javascript (of any kind)
- flash (but allowed from allowed pages)
I am trying but can't really figure out what to do.
gaza165 (posted February 7, 2009): You need to use htmlentities or mysql_real_escape_string to filter out javascript and HTML and SQL injection etc.
printf (posted February 7, 2009): Set up a pre-parser that defines your rules (CAST BY TYPE); clean by the (TYPE) the variable is (CAST) to! You can use the PHP filter_ extension or design your own.
cordoprod (posted February 7, 2009): Can you guys please be a bit more specific? Maybe show some code? Anyway, I found out how to remove javascript:
$profil = preg_replace('#<script[^>]*>.*?</script>#is', '', $profil);
But for the flash part, any ideas?
gaza165 (posted February 7, 2009): For my blog I created my own filter. I allowed links, videos and images to be included in the database and was able to filter them. I would look into a BBCode parser to allow users to enter their own content.
cordoprod (posted February 7, 2009): Hmm... But I want to be able to allow the most but JS and flash (with exceptions, e.g. YouTube).
gaza165 (posted February 7, 2009): So do you want to allow YouTube videos or not allow YouTube videos?
cordoprod (posted February 7, 2009): I want to allow YouTube videos, but anything else, take away.
gaza165 (posted February 7, 2009): So what if I provided you with a preg_replace to filter swf files, e.g. www.domain.com/flash.swf?
cordoprod (posted February 7, 2009): Yes, that is what I am looking for.
printf (posted February 7, 2009): Let's say you have these form inputs...
$_POST['input_one'];
$_POST['input_two'];
$_POST['input_three'];
We all know the SUPER GLOBALS are saturated with all incoming variables that are set by the METHOD they are coming in as ("GET", "POST"). So we create a filter to handle those variables. We do not handle all the "GET", "POST" variables, only the ones we are expecting, because we do not want to open the door for XSS actions that can occur if we process all incoming variables. So the logical approach is to perform a cleaning action on only the variables that are expected, which keeps your application safe: the SUPER GLOBALS will only be filled with variables that are expected, and they will be CAST & CLEANED by their TYPE. Now I understand you only want to get something done, but why not spend a little time and write something that does this for all your scripts, because it should always be done at script initialization! If you want a basic example, tell me and I will give you one.
cordoprod (posted February 7, 2009): Yes, I can see that, but I have figured out the javascript and I am struggling with the flash part. If you could show me some code I would be happy.
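The cleaning the thread is after, written as an added example that is not code from any poster: a parser-based allowlist over the TinyMCE field that removes script (tags, on* handlers, javascript: URLs) and keeps Flash embeds only when they point at an allowed host. The tag, attribute and host lists are assumptions chosen for illustration.

```php
// Added example (not from the thread): allowlist cleaning of a TinyMCE field with
// DOMDocument. A <script>-only regex leaves onclick= and javascript: URLs intact. Lists are assumptions.
const ALLOWED_TAGS  = ['p','br','b','strong','i','em','u','a','img','ul','ol','li','object','embed','param'];
const ALLOWED_ATTRS = ['href','src','data','alt','title','width','height','type','name','value'];
const ALLOWED_EMBED_HOSTS = ['www.youtube.com', 'youtube.com'];   // the "allowed pages" for flash

function isAllowedUrl(string $url, ?array $hosts = null): bool {
    $p = parse_url(trim($url));   // javascript:, data:, vbscript: and //host tricks lack scheme or host
    if (!isset($p['scheme'], $p['host']) || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return $hosts === null || in_array(strtolower($p['host']), $hosts, true);
}

function cleanNode(DOMElement $parent): void {
    // Snapshot first: removing children while iterating the live NodeList skips siblings
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if (!$node instanceof DOMElement) continue;          // text and comments need no cleaning
        $tag = strtolower($node->nodeName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {           // <script>, <iframe>, <style>, ... go whole
            $parent->removeChild($node); continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $name = strtolower($attr->name);                 // drops on*, style and non-http(s) URLs
            if (!in_array($name, ALLOWED_ATTRS, true)
                || (in_array($name, ['href', 'src', 'data'], true) && !isAllowedUrl($attr->value))) {
                $node->removeAttribute($attr->name);
            }
        }
        // Flash: <embed src>, <object data> and <param name=movie value> must point at an allowed host
        $flash = match ($tag) {
            'embed'  => $node->getAttribute('src'),
            'object' => $node->getAttribute('data') ?: null,
            'param'  => strtolower($node->getAttribute('name')) === 'movie' ? $node->getAttribute('value') : null,
            default  => null,
        };
        if ($flash !== null && !isAllowedUrl($flash, ALLOWED_EMBED_HOSTS)) {
            $parent->removeChild($node); continue;
        }
        cleanNode($node);
    }
}

function cleanHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                        // editor output is rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    cleanNode($doc->documentElement);                        // the wrapper <div>
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($doc->documentElement->childNodes)));
}
```

Apply it to the one expected field only, e.g. $profil = cleanHtml($_POST['profil'] ?? ''), and still escape the result for the database with a parameterised query; HTML cleaning and SQL escaping are separate jobs.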