
Submitted On: Friday, October 16, 2009 at 3:18:20 PM
Submitted by: Toasty
Filtering Input in PHP

A quick primer. This is meant to cover some variable cleansing in PHP, which is an advanced topic, but a must-read for programmers. Proper filtering will give your application better security, and better stability as well.

Variables you'll want to filter

Any variable not generated by the script in the current scope, or passed into the script from outside. This becomes even more important for those who have register_globals enabled in PHP (a major security problem). To see an issue with register globals, check out Web Application Security with PHP. Alternately, read more about them on PHP.NET.

Filtering Functions

$val = strip_tags($tobefiltered, "<allowedtag>");

A working example:

$val = "<b><i>HELLO</i></b>";
$val = strip_tags($val, "<b>");
echo $val;

This will output:

<b>HELLO</b>

which the browser renders as a bold HELLO. This is because you allowed the BOLD tag (B) to go through. It is imperative to note that HTML <b> and XHTML <strong> are different, and interchanging them won't work: you'd have to include both as exceptions. The same applies to HTML <i> and XHTML <em>.

You SHOULD NOT use this with exceptions however, or at least I don't trust them. The best use of the function is as below:

$val = strip_tags($val);

Notice I didn't specify the second argument, causing strip_tags to eliminate all tags.

Regular Expressions

Regular expressions are a language of their own, and honestly, they vary by dialect (Perl vs. PHP vs. others). Thankfully, PHP offers a preg_replace function that uses a Perl-compatible RegEx engine. I will be demonstrating ereg_replace however, which is PHP's typical RegEx handler.

RegEx is a very powerful tool to have, allowing you to validate e-mail addresses, dates, server logs, street addresses, and best of all: all input. Going through every possible filtering and validation requirement (like those listed above) is too much for this primer, so I find it easier to point you to a resource on everything. But for simple input, here's how it's used:

$var = ereg_replace("Expression", "With", "text");

Expression is the actual RegEx code. With is what you'll be replacing the "bad part" with; typically you'll want to leave it blank, as in "". Text is the text to filter.

$var = "HELLO@#$ HOW ARE YOU?123!!345";
$var = ereg_replace("[^A-Za-z0-9]", "", $var);
echo $var;

This will output:

HELLOHOWAREYOU123345

The reason: it also filters out spaces, along with anything else that isn't A-Za-z0-9 (capital and lowercase A through Z, and 0 through 9).

This is especially useful for the $_GET array. For example:

http://www.youn00b.com/?mode=view

You can filter the MODE string this way to avoid arbitrary text. This is especially good for the $_COOKIE array too, for example, if you're using MD5() for a cookie v...
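The whitelist filtering described above, as an added example that is not code from the original article: it uses preg_replace (which the article mentions) instead of ereg_replace, since ereg_replace was removed in PHP 7, and goes one step further by checking the cleaned mode against the list of modes the script handles and by rejecting a cookie that is not an exact 32-character MD5 hex digest. The function names and the $get / $cookie arrays are made up for this example.

```php
<?php
// Added example, not code from the original article. Same whitelist idea as the
// article's ereg_replace() sample, written with preg_replace() because
// ereg_replace() was removed in PHP 7. Function names are made up for this
// example; the request data below is constructed, not real $_GET / $_COOKIE.
declare(strict_types=1);

// Strip every tag (no allowed-tag list), then keep only A-Z, a-z, 0-9.
function keep_alnum(string $raw): string
{
    $noTags = strip_tags($raw);
    return preg_replace('/[^A-Za-z0-9]/', '', $noTags) ?? '';
}

// Cleaning characters is not the same as validating the value: a cleaned
// "mode" can still be one the script never handles, so compare it against
// the modes you actually implement and fall back to a safe default.
function valid_mode(string $raw, array $allowed, string $default = 'view'): string
{
    $mode = keep_alnum($raw);
    return in_array($mode, $allowed, true) ? $mode : $default;
}

// A cookie holding an MD5 hex digest is exactly 32 lowercase hex characters.
// Reject anything else outright instead of "cleaning" it into a valid-looking value.
function valid_md5_cookie(string $raw): ?string
{
    return preg_match('/^[0-9a-f]{32}$/', $raw) === 1 ? $raw : null;
}

// Constructed sample request data.
$get    = ['mode' => 'edit<b>!</b>', 'other' => 'delete'];
$cookie = ['sid' => md5('constructed-example'), 'bad' => 'abc<script>'];
$modes  = ['view', 'edit', 'list'];

echo keep_alnum('HELLO@#$ HOW ARE YOU?123!!345'), "\n";
echo keep_alnum('<b><i>HELLO</i></b>'), "\n";
// The tag and "!" are removed and "edit" is a known mode.
echo valid_mode($get['mode'], $modes), "\n";
// "delete" passes the character filter but is not a known mode, so the default is used.
echo valid_mode($get['other'], $modes), "\n";
var_dump(valid_md5_cookie($cookie['sid']) !== null);
var_dump(valid_md5_cookie($cookie['bad']));
```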
Tags: filtering, input, php, str_ireplace, tags, strip_tags, regular, expression, ereg_replace
Friday, October 16th, 2009 at 3:45:56 PM #23046

DeadLazyBum (Site Admin): 5*. I knew most of this because of you already.