Input filtering

Support/Development for PHP
laughingbuddha
Forum Regular
Posts: 512
Joined: Mon Mar 10, 2008 9:12 pm
Location: Southampton, UK

Input filtering

Post by laughingbuddha

Hi all,

I've just chucked together a quick brute-force strip-tags function.

Code:

// Method of the author's class: EncodeUTF8() is another method of the same class
// that converts the string to UTF-8 first, so that the regex below (which uses
// the /u modifier and returns null on invalid UTF-8) always sees valid input.
function StripTags($string) {
    $string = $this->EncodeUTF8($string);
    // Replace each open-tag/content/close-tag group with just its content ($2)
    $string = preg_replace("/\<(.*?)\>(.*?)\<\/(.*?)\>/u", "$2", $string);
    // Then let strip_tags() remove any remaining unmatched tags
    $string = strip_tags($string);
    return $string;
}
It seems to work happily at the moment, and I've even used some XSS example code to test it out, and all seems to be OK.

I'm now thinking of introducing it as a standard element to clean all input before it hits the database or is printed to screen. This will come into play before I use stripslashes() and mysql_real_escape(). I don't want users injecting HTML code into any forms.

Is this a good idea, or is there any other processing I should do before user input is submitted to the database as part of an SQL?

Thanks

Matt
Matt

"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"

about.me/mattauckland
twitter.com/mattauckland
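Added example (mine, not laughingbuddha's code): it runs a stand-in for the StripTags() function above next to plain output encoding on a few constructed strings, so you can see what each does to text that merely contains < or >. stripTagsBruteForce() and escapeForHtml() are names I chose; the stand-in skips the EncodeUTF8() step and expects UTF-8 input.

```php
<?php
// Added example, not the original poster's code.

// Stand-in for the StripTags() function above: same regex + strip_tags(),
// but it assumes the input is already valid UTF-8 instead of calling EncodeUTF8().
function stripTagsBruteForce(string $string): string
{
    $stripped = preg_replace('/<(.*?)>(.*?)<\/(.*?)>/u', '$2', $string);
    if ($stripped === null) {
        // preg_replace() returns null on invalid UTF-8 with the /u modifier;
        // fail loudly rather than silently passing the raw input through
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return strip_tags($stripped);
}

// Output encoding: keep the stored text unchanged and encode it for the
// HTML context at the moment it is printed. Hypothetical helper name.
function escapeForHtml(string $string): string
{
    return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: two that contain markup, three benign strings with < or >.
$samples = [
    '<b>bold</b> text',
    '<script>alert(1)</script>',
    'I <3 PHP',
    '1 < 2 and 3 > 2',
    'x<y is the same as y>x',
];

foreach ($samples as $input) {
    printf("input:    %s\nstripped: %s\nescaped:  %s\n\n",
        $input, stripTagsBruteForce($input), escapeForHtml($input));
}
```

Run it with php from the command line. strip_tags() treats a < followed by any non-space character as the start of a tag and discards everything up to the next >, so the strip path truncates "I <3 PHP" and "x<y is the same as y>x", while the escaped path keeps every input intact and the browser shows the tags as literal text. That is the usual argument for storing raw text and encoding it for the output context, with a separate allow-list only for fields that have a known shape.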
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Input filtering

Post by faris

Wow. Looks good. You can always add an htmlentities() I suppose?

I never know when to stop with input sanitization.

I'd love it if other folks would comment. Let's create the ultimate sanitize() function? Maybe with an argument that allows you to select stripping non-alpha, non-alpha with space and CR/NL, non-alpha but allowing international chars... that sort of thing :-)

How about it folks?

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
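Added example, not code from faris or laughingbuddha: a sketch of the mode-switched sanitize() proposed above, written as an allow-list (everything not in the chosen character class is removed) with Unicode property classes for the international mode. The constant names and the sanitize() signature are my own, and it needs PHP 8 for match. Even the strictest mode is an input filter for fields with a known shape; text that is later printed into HTML still needs htmlspecialchars() at output.

```php
<?php
// Added example, not the original posters' code. Hypothetical sanitize()
// with a $mode argument, as a starting point for the function suggested above.

const SANITIZE_ALPHA       = 'alpha';        // ASCII letters only
const SANITIZE_ALPHA_SPACE = 'alpha_space';  // ASCII letters, space, CR, LF
const SANITIZE_INTL        = 'intl';         // letters/marks in any script, digits, space, CR, LF
const SANITIZE_INTL_PUNCT  = 'intl_punct';   // as above plus Unicode punctuation

function sanitize(string $input, string $mode = SANITIZE_INTL): string
{
    // Reject (rather than guess about) byte sequences that are not valid UTF-8,
    // so the /u patterns below never run on mis-decoded text.
    if (preg_match('//u', $input) !== 1) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }

    // Each mode is an allow-list: the negated class matches what gets removed.
    $disallowed = match ($mode) {
        SANITIZE_ALPHA       => '/[^A-Za-z]/u',
        SANITIZE_ALPHA_SPACE => '/[^A-Za-z \r\n]/u',
        SANITIZE_INTL        => '/[^\p{L}\p{M}\p{N} \r\n]/u',
        SANITIZE_INTL_PUNCT  => '/[^\p{L}\p{M}\p{N}\p{P} \r\n]/u',
        default => throw new InvalidArgumentException("unknown mode: $mode"),
    };

    $clean = preg_replace($disallowed, '', $input);
    if ($clean === null) {
        throw new RuntimeException('preg_replace failed: ' . preg_last_error_msg());
    }
    // Normalise Windows line endings so the stored value is consistent
    return str_replace("\r\n", "\n", $clean);
}

// Constructed inputs to show what each mode keeps.
$samples = [
    'Hello, World!',
    "Grüße aus München\r\nZweite Zeile",
    '<b>bold</b> 123',
];

foreach ([SANITIZE_ALPHA, SANITIZE_ALPHA_SPACE, SANITIZE_INTL, SANITIZE_INTL_PUNCT] as $mode) {
    foreach ($samples as $sample) {
        printf("%-12s %s\n", $mode, json_encode(sanitize($sample, $mode), JSON_UNESCAPED_UNICODE));
    }
}
```

Note that \p{P} covers quotes and brackets but not < or > (those are Unicode symbols, \p{S}), so the intl_punct mode drops angle brackets while keeping apostrophes and quotation marks; that is another reason the output side still needs its own encoding step.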
laughingbuddha
Forum Regular
Posts: 512
Joined: Mon Mar 10, 2008 9:12 pm
Location: Southampton, UK

Re: Input filtering

Post by laughingbuddha

One thing I forgot to mention is that it calls another function at the beginning to convert the string to UTF-8, if it hasn't been already. But good heads-up on htmlentities(). I have another selection of functions for text processing that include htmlentities() as well as elements like:

Code:

// Two consecutive line breaks (a blank line) become two <br /> tags
$string = str_replace("\r\n\r\n", "<br /><br />", $string);
for database line breaks and new lines.

I know it's a little extreme, and basically won't allow any tag that starts with < and ends with > at all. Some sites allow users to add a limited number of HTML tags, but I will be allowing only a limited number of bbcode tags, and those have to fit a set rule.

I used the XSS Cheat Sheet at http://www.shocking.com/~rsnake/xss.html and it passed a lot of the examples on the site. Of course the server will be running ASL, but it can't hurt, and not all my web development clients use my hosting platform; plus I run 2 VPS as well that don't support ASL.

As an additional level I also use the following safe string function after I've used the strip tags function:

Code:

// Undo any slashes added by magic_quotes_gpc, then escape the value for use
// inside a quoted SQL string literal. mysql_real_escape_string() needs an open
// mysql_connect() link and must be applied exactly once, after stripslashes(),
// or the value ends up double-escaped.
function safeString($var) {
    $var = stripslashes($var);
    $var = mysql_real_escape_string($var);
    return $var;
}
I only program in OOP now, which is a move I made about a year and a half ago. Building classes makes life a lot easier when working on sites and adding new features to current projects. I wouldn't say I'm the greatest PHP programmer in the world, but I've learned a lot over the last 2 years, and developed my style/method a lot since I began website design/development almost 10 years ago. Online guides, friends (thanks Chris at stillbreathing.co.uk) and forums have helped me a lot, along with the pile of books I have collected.

I've never published/released any of my classes or scripts, although I have considered it. One of my favourite classes is my email sender class. It uses the mail() function in PHP, and with a lot of research I've managed to construct a class that happily conforms and doesn't get filtered by spam filters. This includes SpamAssassin used by ASL and also Hotmail's spam filters.

I always welcome people's feedback, as it's the only way I can learn and improve.

Matt
Matt

"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"

about.me/mattauckland
twitter.com/mattauckland
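Added example (not the original poster's classes): the two jobs done by safeString() and the line-break replacement above, done the way current PHP supports. The mysql_* functions were removed in PHP 7, so storage here uses a PDO prepared statement, which keeps the value out of the SQL text altogether and makes the stripslashes()/escape pair unnecessary; the "\r\n\r\n" to "<br /><br />" conversion moves to render time, after htmlspecialchars(), so the only markup that reaches the page is the <br /> inserted by nl2br(). Function names are mine, and the example uses an in-memory SQLite database (pdo_sqlite) so it runs stand-alone.

```php
<?php
// Added example, not the original poster's code. Uses SQLite in memory so it
// runs stand-alone; swap the DSN for MySQL and the same code applies.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Storage path: the text goes in unchanged. The placeholder keeps data and SQL
// separate, so no escaping function (and no stripslashes() guesswork about
// magic_quotes) is needed.
function savePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// Render path: encode for HTML first, then turn line breaks into markup.
// Doing it in this order means the <br /> tags are the only markup that can
// reach the page; anything the user typed is shown literally.
function renderPost(string $body): string
{
    $escaped = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // nl2br() inserts <br /> before each newline, so a blank line ("\r\n\r\n")
    // yields two <br /> tags, matching the str_replace() above but applied at
    // output instead of before storage.
    return nl2br($escaped, true);
}

// Constructed input: a message containing a quote, a tag and a blank line.
$db = openDb();
$id = savePost($db, "It's \"quoted\" and has <b>tags</b>\r\n\r\nSecond paragraph");
echo renderPost(loadPost($db, $id) ?? ''), "\n";
```

Because the database holds the text exactly as typed, the same row can later be rendered for a different context (plain-text email, JSON, a bbcode parser) with that context's own encoding, which is not possible once the value has been pre-mangled before storage.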