  Cleaning up your inputs in PHP
Daniel Franklin
« Posted: September 26, 2007, 10:34:42 AM »


To get started, head over to the PHP Classes page for the Input Filter Class by Daniel Morris and download the class file. (http://www.phpclasses.org/browse/package/2189.html)

Once you get the class file, here's how you can go about cleaning up your input variables.

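<?php
include 'class.inputfilter.php';   // the downloaded class file
$before = $_REQUEST['before'];     // untrusted input
$myFilter = new InputFilter();     // no arguments: default settings
$after = $myFilter->process($before);
echo $after;
?>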

So if you pass the string "<script>alert('xss');</script>" to the code above, the input filter changes this to alert('xss'); after removing the script tags. All you have to do is instantiate the InputFilter class with the following line:

$myFilter = new InputFilter();

and pass the string to be filtered to its process() method:

$after = $myFilter->process($before);

You can also send entire arrays to be processed by the InputFilter class:

$_POST = $myFilter->process($_POST);

This class can also be used to remove specific HTML tags from your input string. Let's say, for example, you want to remove all the bold tags <b> and <strong> from your HTML string. All you need to do is:

<?php
include 'class.inputfilter.php';
$before = $_REQUEST['before'];
$tags = array("b", "strong");
$myFilter = new InputFilter($tags, array(), 1, 1);
$after = $myFilter->process($before);
echo $after;
?>

If we pass the string "<strong>test</strong> <em>hello world</em>", the output of the script will be "test <em>hello world</em>".

If you'd like to retain only the <b> and <strong> tags in the above example, change the line that creates the filter to read

$myFilter = new InputFilter($tags, array(),0, 1);

This will change the output to <strong>test</strong> hello world

Let's break up the constructor for the InputFilter class:

InputFilter($tagsArray, $attrArray, $tagsMethod , $attrMethod);

$tagsArray is an array of user-defined tags.
$attrArray is an array of user-defined attributes.
$tagsMethod is 0 or 1: 0 is used when only the user-defined tags should be allowed, and 1 is used to strip the user-defined tags.
$attrMethod works the same way: it retains only the user-defined attributes if it's set to 0 and strips the user-defined attributes if it's set to 1.

Let's see the attribute filtering provided by this class in action. Let's take the following HTML string as an example:

<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">

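Let's make a filter to retain just the src and target attributes in the HTML above:

$before = '<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">';
$tags = array("img", "b");
$attr = array("src", "target");
$myFilter = new InputFilter($tags, $attr, 0, 0);   // 0, 0: allow only the listed tags and attributes
$after = $myFilter->process($before);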

The output should show

<img src="test.jpg" target="_blank">

It's as simple as that.
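
The allow-list mode described above (tags method 0, attribute method 0), as an added example that is not part of the original post and is not the InputFilter class's code: it uses PHP's bundled DOM extension, and the function names render_node() and allowlist_html() are hypothetical. It goes a little further than the post by escaping all text it emits and by keeping src/href values only when they are relative or use http(s).

```php
<?php
// Added example, not InputFilter's code; both function names are hypothetical.
function render_node(DOMNode $node, array $tags, array $attrs): string
{
    if ($node instanceof DOMText) {   // text and CDATA (script/style bodies): always escaped
        return htmlspecialchars($node->nodeValue, ENT_QUOTES, 'UTF-8');
    }
    if (!$node instanceof DOMElement) {
        return '';                    // comments and processing instructions are dropped
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child, $tags, $attrs);
    }
    $tag = strtolower($node->nodeName);
    if (!in_array($tag, $tags, true)) {
        return $inner;                // tag not allowed: strip it, keep its escaped text
    }
    $out = '<' . $tag;
    foreach ($node->attributes as $attr) {
        $name = strtolower($attr->nodeName);
        // URL attributes keep only relative or http(s) values; control chars are ignored.
        $scheme = parse_url(preg_replace('/[\x00-\x20]+/', '', $attr->nodeValue), PHP_URL_SCHEME);
        $urlOk = !in_array($name, ['src', 'href'], true)
            || $scheme === null || in_array(strtolower((string) $scheme), ['http', 'https'], true);
        if (in_array($name, $attrs, true) && $urlOk) {
            $out .= ' ' . $name . '="' . htmlspecialchars($attr->nodeValue, ENT_QUOTES, 'UTF-8') . '"';
        }
    }
    $void = in_array($tag, ['img', 'br', 'hr', 'input'], true);
    return $out . '>' . ($void ? '' : $inner . '</' . $tag . '>');
}

function allowlist_html(string $html, array $tags, array $attrs): string
{
    $prev = libxml_use_internal_errors(true);   // silence parser warnings on odd markup
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');   // <div> marks the fragment
    libxml_use_internal_errors($prev);
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= render_node($child, $tags, $attrs);
    }
    return $out;
}

// Constructed input: the <img> string from the post.
$before = '<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">';
echo allowlist_html($before, ['img', 'b'], ['src', 'target']), "\n";
```

Because the output is rebuilt from the allow-list rather than edited in place, anything the parser produced that is not an allowed tag or attribute cannot reach the page unescaped.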
