Created
June 22, 2012 07:00
-
-
Save mattpass/2970878 to your computer and use it in GitHub Desktop.
PHP var security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Looking for functions to clean vars for different situations. | |
| Can you improve on these, returning strings, urls and numbers: | |
| function strClean($var) { | |
| // returns converted entities where there are HTML entity equivalents | |
| return htmlentities($var, ENT_QUOTES, "UTF-8"); | |
| } | |
| function urlClean($var) { | |
| // returns a-z A-Z 0-9 / - . _ chars only | |
| return preg_replace('/[^a-zA-Z0-9\/\-\._]/si','',$var); | |
| } | |
| function numClean($var) { | |
| // returns a number, whole or decimal or null | |
| return is_numeric($var) ? floatval($var) : false; | |
| } |
To clean an URL I would use parse_url() and work with the returned array. To clean a number I always use (int)$var; and (float)$var;. You can use intval($var); and floatval($var); if you want. Also there is an is_numeric() function so your code may look like this:
function numClean($var) {
return is_numeric($var) ? floatval($var) : false;
}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@jedisct1 Many thanks for the advice and sorry I didn't provide context.
Usage will be sanitising user input via GET & POST and either rendered to screen or used in a SQL command, though we'll use PDO so they're safe (?) anyway. Aiming to prevent user hack attempts & bot attacks, especially SQL injection, XSS and remote file ref injection. Am not using a template, it's a PHP & HTML mix and want to call the appropriate function to get back a clean value.
Am using htmlentities in strClean, as it's the same as htmlspecialchars but also covers html equivalents. htmlspecialchars doesn't protect against \ or 0x attacks. I believe htmlentities extends the idea of htmlspecialchars to all covert chars with html equivalents or kills them.
urlClean is supposed to only allow safe chars in URLs, including the query string. Need something better here I think as / and & can form dangerous chars.
No, you're right, I don't want to return 0 in numClean on failures, so I'm now conditionally returning false. I changed it from being inval to *1 so it now covers decimals too.