small php user input cleaner

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kusal
Forum Newbie
Posts: 14
Joined: Mon Oct 22, 2007 12:12 pm

small php user input cleaner

Post by kusal »

function clear_str_values($contaminated_var)
{
    // Remove single quotes outright (this also deletes legitimate apostrophes, e.g. in O'Brien).
    $contaminated_var = str_replace("'", '', $contaminated_var);

    // Trim whitespace, drop HTML/PHP tags, then un-escape C-style backslash sequences.
    $contaminated_var = stripcslashes(strip_tags(trim($contaminated_var)));

    // Delete a handful of further characters by blacklist.
    $contaminated_var = str_replace('$', '', $contaminated_var);
    $contaminated_var = str_replace(';', '', $contaminated_var);
    $contaminated_var = str_replace(':', '', $contaminated_var);
    $contaminated_var = str_replace('/', '', $contaminated_var);

    return $contaminated_var;
}
I wrote this small function to be included in all my PHP files to clean user input.
I needed it to be simple. Is this enough, or did I miss something important?
Will this function slow down my script very badly?

Thank you
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: small php user input cleaner

Post by Benjamin »

Well, it really depends on what you're protecting against. There really isn't a one-size-fits-all approach.

Here are a few things to know:

1. str_replace() can accept arrays for the first two parameters, so you can put all the nasty characters into an array like this:

// Every string in $nasty is replaced with '' in a single call.
$nasty = array('\'', '$'); # etc
$clean = str_replace($nasty, '', $dirty);
2. mysql_real_escape_string(), strip_tags(), htmlentities()
3. HTMLPurifier
kusal
Forum Newbie
Posts: 14
Joined: Mon Oct 22, 2007 12:12 pm

Re: small php user input cleaner

Post by kusal »

Hey Thanks for the advice,
Good Luck on your work
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: small php user input cleaner

Post by Mordred »

Completely useless (sorry for the harsh words, but security is a harsh field).

Every function that accepts input has its own way to make sure the input will not break it. You can't make a single function that works in all those cases (think about it: if it were possible, it would be built into PHP and called automatically!).
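The point Benjamin and Mordred are making, as an added example that is not from anyone in this thread: a blacklist cleaner like the one above mangles legitimate data and still knows nothing about the sink it feeds, whereas escaping per sink (a bound parameter for SQL, htmlspecialchars() for HTML) keeps the data intact. The table, the user name and the PDO SQLite database are constructed for the demonstration; it assumes PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 with pdo_sqlite.
declare(strict_types=1);

// Benjamin's array form of str_replace(): one blacklist, one call.
function strip_nasty(string $dirty): string
{
    $nasty = ["'", '$', ';', ':', '/'];
    return str_replace($nasty, '', $dirty);
}

// HTML sink: escape at output time, nowhere else. ENT_QUOTES covers both quote
// characters so the value is safe inside attributes as well as element bodies.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL sink: a bound parameter keeps the value out of the query text entirely,
// so nothing in the value can change the statement's structure.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (hypothetical table and rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('alice')");

// A perfectly legitimate input that happens to contain a blacklisted character.
$input = "O'Brien";

// Through the cleaner the apostrophe is gone, so the lookup finds no row at all:
// the "cleaning" changed the data, not just removed a threat.
var_dump(find_user($db, strip_nasty($input)));

// Bound as a parameter, the raw value is treated purely as data and the row is found.
var_dump(find_user($db, $input));

// The same raw value sent to an HTML page gets HTML escaping, decided by that sink,
// independently of what the SQL step did with it.
echo for_html('<b>' . $input . '</b>'), "\n";
```

Run it with `php example.php`. The first lookup returns an empty array, the second returns the O'Brien row, and the echoed line shows the angle brackets and apostrophe as entities. Each sink gets its own escaping step placed where the value meets that sink; no shared function applied to $_GET or $_POST up front can know which of those steps the value will need.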