Techno World Inc - The Best Technical Encyclopedia Online!

THE TECHNO CLUB [ TECHNOWORLDINC.COM ] => PHP => Topic started by: Daniel Franklin on September 26, 2007, 10:34:42 AM



Title: Cleaning up your inputs in PHP
Post by: Daniel Franklin on September 26, 2007, 10:34:42 AM
To get started, head over to the PHP Classes page for the Input Filter Class by Daniel Morris and download the class file. (http://www.phpclasses.org/browse/package/2189.html)

Once you get the class file, here's how you can go about cleaning up your input variables.

<?php
include 'class.inputfilter.php';
$before = $_REQUEST['before'];
$myFilter = new InputFilter();
$after = $myFilter->process($before);
echo $after;
?>

So if you pass the string "<script>alert('xss');</script>" to the code above, the input filter changes it to alert('xss'); after removing the script tags. All you have to do is instantiate the InputFilter class with the following line:

$myFilter = new InputFilter();

and then run the string you want processed through the process() method:

$after = $myFilter->process($before);

You can also send entire arrays to be processed by the InputFilter class:

$_POST = $myFilter->process($_POST);

This class can also be used to remove specific HTML tags from your input string. Let's say, for example, you want to remove all the bold tags <b> and <strong> from your HTML string. All you need to do is:

<?php
include 'class.inputfilter.php';
$before = $_REQUEST['before'];
$tags = array("b", "strong");
$myFilter = new InputFilter($tags, array(), 1, 1);
$after = $myFilter->process($before);
echo $after;
?>

If we pass the string "<strong> test</strong> hello world", the output of the script will be "test <em>hello world </em>".

If you'd like to retain only the <b> and <strong> tags in the above example, change the line that constructs the filter to read

$myFilter = new InputFilter($tags, array(), 0, 1);

This will change the output to "<strong>test </strong> hello world".

Let's break down the constructor of the InputFilter class:

InputFilter($tagsArray, $attrArray, $tagsMethod , $attrMethod);

$tagsArray is an array of user-defined tags.
$attrArray is an array of user-defined attributes.
$tagsMethod is 0 or 1: 0 means only the user-defined tags are allowed, 1 means the user-defined tags are stripped.
Similarly, $attrMethod retains only the user-defined attributes when set to 0 and strips the user-defined attributes when set to 1.

Let's see the attribute filtering provided by this class in action. Let's take the following HTML string as an example:

<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">

Let's make a filter that retains just the src and target attributes in the HTML above:

$tags = array("img", "b");
$attr = array("src", "target");
$myFilter = new InputFilter($tags, $attr, 0, 0);
$after = $myFilter->process($before);

The output should show

<img src="test.jpg" target="_blank">

It's as simple as that.
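As an added example, not the InputFilter class itself and not code from this post: a small stand-alone filter built on PHP's DOMDocument that takes the same four arguments with the 0/1 meanings described above, so the keep-versus-strip logic for tags and attributes can be read end to end. filterHtml() and filterChildren() are names chosen here, not the class's API; the sample input is the post's own <img> string.

```php
<?php
// Added stand-alone illustration, not the PHP Classes InputFilter itself: the same
// ($tagsArray, $attrArray, $tagsMethod, $attrMethod) rules applied via DOMDocument.
// filterHtml() and filterChildren() are names chosen here, not the class's API.
function filterHtml(string $html, array $tags, array $attrs, int $tagsMethod, int $attrMethod): string
{
    $tags  = array_map('strtolower', $tags);
    $attrs = array_map('strtolower', $attrs);
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);              // input is a fragment, not a full page
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;                 // the wrapper <div>
    filterChildren($root, $tags, $attrs, $tagsMethod, $attrMethod);
    $out = '';
    foreach ($root->childNodes as $child) {        // serialise what is left inside the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
function filterChildren(DOMNode $parent, array $tags, array $attrs, int $tagsMethod, int $attrMethod): void
{
    // Snapshot first: the live NodeList shifts as children are unwrapped.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if (!$child instanceof DOMElement) { continue; }   // text nodes pass through untouched
        filterChildren($child, $tags, $attrs, $tagsMethod, $attrMethod);
        $listed = in_array(strtolower($child->tagName), $tags, true);
        // $tagsMethod 0: only listed tags survive; 1: listed tags are stripped
        if ($tagsMethod === 0 ? !$listed : $listed) {
            while ($child->firstChild !== null) {  // unwrap: keep the content, drop the tag
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        // $attrMethod 0: only listed attributes survive; 1: listed ones are stripped
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $listedAttr = in_array(strtolower($attr->name), $attrs, true);
            if ($attrMethod === 0 ? !$listedAttr : $listedAttr) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}
// The post's own <img> example with the post's lists: keep img/b, keep src/target only.
$before = '<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">';
echo filterHtml($before, array('img', 'b'), array('src', 'target'), 0, 0), "\n";
```

Whichever filter you use, it only makes sense for values you intend to render as HTML; for plain text fields, escaping with htmlspecialchars() at output time is the simpler and more reliable defence.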
