Skip to content

Instantly share code, notes, and snippets.

@mattpass

mattpass/PHPsec

Created June 22, 2012 07:00
Show Gist options
  • Save mattpass/2970878 to your computer and use it in GitHub Desktop.
Save mattpass/2970878 to your computer and use it in GitHub Desktop.
Download ZIP
PHP var security
Raw
PHPsec
Looking for functions to clean vars for different situations.
Can you improve on these, returning strings, urls and numbers:
function strClean($var) {
// returns converted entities where there are HTML entity equivalents
return htmlentities($var, ENT_QUOTES, "UTF-8");
}
function urlClean($var) {
// returns a-z A-Z 0-9 / - . _ chars only
return preg_replace('/[^a-zA-Z0-9\/\-\._]/si','',$var);
}
function numClean($var) {
// returns a number, whole or decimal or null
return is_numeric($var) ? floatval($var) : false;
}
@maettig
Copy link

maettig commented Jun 22, 2012

To clean an URL I would use parse_url() and work with the returned array. To clean a number I always use (int)$var; and (float)$var;. You can use intval($var); and floatval($var); if you want. Also there is an is_numeric() function so your code may look like this:

function numClean($var) {
    return is_numeric($var) ? floatval($var) : false;
}

@mattpass
Copy link
Author

@maettig Thanks. Used that as a better solution to my $var*1 === $var ? $var : false; effort. Will use look at parse_url to get the various elems and then sanitise the values as @jedisct1 suggested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment