Check Input Function

Posted: Thu Oct 11, 2007 11:25 am
by jstorm13
Hello:

My site has many places where users input data through form fields. I am trying to make a PHP check input function
that will properly edit the data string and return the proper value or return an error.

I have this for the password check already, I only allow alpha numeric:

Code:

if (!ereg('[0-9A-Za-z]', $newpass1)) { dump('passbadchar'); } else { /* IT IS GOOD */ }

If the user submits a blog description I would like to pull out all harmful code they might embed, such as
Java, PHP, HTML, etc. I am storing this in a MySQL field.

My function works like,

Code:

$result = checkinput($string, $type);

where I got the string from,

Code:

$string = $_POST['whatever'];

and the type is going to be either for a password, email, or general text.

I have the code already for password and for email, but the code for pulling out the embedded code is what
I am having some problems with. Someone also suggested that maybe I should allow html but no other type
of code, but I think that might be even harder to code.

Thanks in advance for any suggestions. My PHP is not so strong, so I am glad I found this site, with a lot of
very skilled ninja coders here.

Jason

Posted: Thu Oct 11, 2007 11:35 am
by John Cartwright
A couple of things you should probably note:

1. ereg is a deprecated function; instead you should be using preg_match() for regex. You'll have to change your pattern slightly to #^[0-9A-Za-z]+$# to get the desired effect. When validating simple string rules, you can use ctype_alpha(), ctype_alnum(), etc. anyway.

2. It is generally not a very good idea to allow HTML at all; case in point, look at MySpace user profiles.

3. If you want to allow certain things that a user can control, like bold text, embedded videos, etc., much like this forum has, then you should consider using a BBCode system. A simple Google search will reveal what this is if you are not familiar with BBCode.

Posted: Thu Oct 11, 2007 12:02 pm
by EricS
Validating input for things such as passwords, email addresses, zip codes, etc. is pretty straightforward. You have a decent start on that path.

But I think you're on the wrong path for the blog description checking. Whether you realize it or not, the only way to write a checker that looks for all possible exploits is to know every possible exploit yourself and write code that looks for all of them. I've been doing this stuff for 10 years and I know a lot about exploits. But even I'm not foolish enough to believe I'm smarter than all the would-be hackers out there.

It's better to take a "whitelist" approach rather than the "blacklist" approach you are taking. By that I mean, it would be easier and safer for you to look for things you KNOW are okay and simply convert anything else to HTML entities, which renders them harmless. This is not a simple task either, but it is MUCH more achievable than attempting to build a "blacklist" algorithm.
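As an added example (not code posted by anyone in this thread), here is one way to put the three checks together into the checkinput($string, $type) the original post describes, using ctype_alnum() for the password rule from John's reply and the convert-everything-to-entities approach from Eric's. The $type names, the error codes, and the use of filter_var() for email are assumptions.

```php
<?php
// Added example, not the thread's own code: checkinput() returns the
// cleaned value, or false with $error set, for the three types the
// original post names. The $type names and error codes are assumptions.
function checkinput(string $string, string $type, ?string &$error = null)
{
    $error = null;
    switch ($type) {
        case 'password':
            // Whitelist: only ASCII letters and digits (the original rule).
            // ctype_alnum('') is false, so an empty password is rejected too.
            if (!ctype_alnum($string)) {
                $error = 'passbadchar';
                return false;
            }
            return $string;

        case 'email':
            // filter_var() does the syntax check; no regex of our own to maintain.
            $email = filter_var(trim($string), FILTER_VALIDATE_EMAIL);
            if ($email === false) {
                $error = 'emailbad';
                return false;
            }
            return $email;

        case 'text':
            // Whitelist approach from the thread: keep the text but turn every
            // markup-significant character into an entity, so <script>, <?php
            // and onmouseover= survive only as inert literal text. Escape once,
            // here or at output time, never both, or you get double encoding.
            $text = trim($string);
            if ($text === '') {
                $error = 'textempty';
                return false;
            }
            return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        default:
            $error = 'badtype';
            return false;
    }
}

// Constructed sample inputs standing in for $_POST values.
var_dump(checkinput('abc123', 'password', $e), $e);
var_dump(checkinput('abc 123!', 'password', $e), $e);
var_dump(checkinput('user@example.com', 'email', $e), $e);
var_dump(checkinput('Hi <b>there</b> <script>alert(1)</script>', 'text', $e), $e);
```

The 'text' branch stores the description already escaped, so the page that displays it must print the stored value as-is rather than escaping it a second time.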

Posted: Tue Oct 16, 2007 1:41 pm
by jstorm13
Some good, sound advice guys, thanks....

Jason