To get started, head over to the PHP Classes page for the Input Filter Class by Daniel Morris and download the class file (http://www.phpclasses.org/browse/package/2189.html).
Once you get the class file, here's how you can go about cleaning up your input variables.
<?php
// Load the downloaded class file before using it
include 'class.inputfilter.php';
$before = $_REQUEST['before'];
$myFilter = new InputFilter();
$after = $myFilter->process($before);
echo $after;
?>
So if you pass the string "<script>alert('xss');</script>" to the code above, the input filter changes it to "alert('xss');" after removing the script tags. All you have to do is instantiate the InputFilter class with the following line:
$myFilter = new InputFilter();
and run your string through the process method:
$after = $myFilter->process($before);
You can also send entire arrays to be processed by the InputFilter class:
$_POST = $myFilter->process($_POST);
This class can also be used to remove specific HTML tags from your input string. Let's say, for example, you want to remove all the bold tags <b> and <strong> from your HTML string. All you need to do is:
<?php
include 'class.inputfilter.php';
$before = $_REQUEST['before'];
$tags = array("b", "strong");
$myFilter = new InputFilter($tags, array(), 1, 1);
$after = $myFilter->process($before);
echo $after;
?>
If we pass the string "<strong>test</strong> <em>hello world</em>", the output of the script will be "test <em>hello world</em>".
If you'd like to retain only the <b> and <strong> tags in the above example, change the line that constructs the filter to read
$myFilter = new InputFilter($tags, array(), 0, 1);
This will change the output to "<strong>test</strong> hello world".
Let's break up the constructor for the InputFilter class:
InputFilter($tagsArray, $attrArray, $tagsMethod, $attrMethod);
$tagsArray is an array of user-defined tags.
$attrArray is an array of user-defined attributes.
$tagsMethod is 0 or 1: 0 means only the user-defined tags are allowed (everything else is stripped), while 1 means the user-defined tags themselves are stripped.
Similarly, $attrMethod retains only the user-defined attributes when set to 0 and strips the user-defined attributes when set to 1.
Let's see the attribute filtering provided by this class in action. Let's take the following HTML string as an example:
<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">
Let's make a filter to retain just the src and target attributes in the HTML above:
$before = '<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">';
$tags = array("img", "b");
$attr = array("src", "target");
$myFilter = new InputFilter($tags, $attr, 0, 0);
$after = $myFilter->process($before);
The output should show
<img src="test.jpg" target="_blank">
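As an added example (not code from the article or from the class's author), here are the two constructor modes described above applied to the same constructed input, followed by the array form of process(); it assumes class.inputfilter.php sits in the same directory as the script.

```php
<?php
// Added example, not code from the article or from the InputFilter author.
// Assumption: class.inputfilter.php (the downloaded class file) is in this directory.
include 'class.inputfilter.php';

// Constructed sample input: legitimate formatting, an image carrying an event
// handler, and a tag no comment form needs.
$sample = '<strong>hello</strong> <img src="a.jpg" onerror="alert(1)"> '
        . '<iframe src="http://example.invalid/"></iframe>';

// Deny-list configuration (tagsMethod=1, attrMethod=1): the mode itself only
// removes what is listed, so the list has to name every unwanted tag and
// attribute to be useful.
$denyTags = array('script', 'iframe');
$denyAttr = array('onclick', 'onerror');
$denyList = new InputFilter($denyTags, $denyAttr, 1, 1);

// Allow-list configuration (tagsMethod=0, attrMethod=0): only what is listed
// survives, so an unlisted tag or on* handler is dropped without anyone having
// to anticipate it. This is the mode to prefer for untrusted input.
$allowTags = array('b', 'strong', 'em', 'img');
$allowAttr = array('src', 'alt');
$allowList = new InputFilter($allowTags, $allowAttr, 0, 0);

echo "deny-list:  " . $denyList->process($sample) . "\n";
echo "allow-list: " . $allowList->process($sample) . "\n";

// process() also accepts an array, as the article does with $_POST. A
// constructed array stands in for the request so the script runs offline.
$request = array(
    'title' => 'Plain <em>title</em>',
    'body'  => $sample,
);
foreach ($allowList->process($request) as $field => $value) {
    echo $field . ': ' . $value . "\n";
}
```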
It's as simple as that.