
small php user input cleaner

Posted: Wed Jun 11, 2008 11:48 pm
by kusal

function clear_str_values($contaminated_var)
{
    // drop single quotes
    $contaminated_var = str_replace("'", '', $contaminated_var);

    // trim whitespace, remove HTML/PHP tags, then undo C-style backslash escapes
    $contaminated_var = stripcslashes(strip_tags(trim($contaminated_var)));

    // drop a few more characters outright
    $contaminated_var = str_replace("$", '', $contaminated_var);
    $contaminated_var = str_replace(";", '', $contaminated_var);
    $contaminated_var = str_replace(":", '', $contaminated_var);
    $contaminated_var = str_replace("/", '', $contaminated_var);

    return $contaminated_var;
}
I wrote this small function to be included in all my PHP files to clean user input.
I needed it to be simple; is this enough, or did I miss something important?
Will this function slow down my script very badly?

Thank you

Re: small php user input cleaner

Posted: Thu Jun 12, 2008 12:27 am
by Benjamin
Well, it really depends on what you're protecting against. There really isn't a one-size-fits-all approach.

Here are a few things to know:

1. str_replace can accept arrays for the first two parameters. So you can put all the nasty characters into an array like this:

$nasty = array('\'', '$'); # etc
$clean = str_replace($nasty, '', $dirty);

2. mysql_real_escape_string(), strip_tags(), html_entities()
3. HTMLPurifier

Re: small php user input cleaner

Posted: Thu Jun 12, 2008 1:05 am
by kusal
Hey, thanks for the advice.
Good luck on your work.

Re: small php user input cleaner

Posted: Thu Jun 12, 2008 2:14 am
by Mordred
Completely useless (sorry for the harsh words, but security is a harsh field).

Every function that accepts input has its own way to make sure the input will not break it. You can't make a single function that works in all those cases (think of it: if it were possible, it would be built into PHP and called automatically!).
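An added illustration of the point made in the last two replies (this is not code from any poster in the thread): the original cleaner is run over ordinary, legitimate input to show what it destroys, beside sink-specific handling with htmlspecialchars(), a PDO prepared statement and rawurlencode(). The PDO connection passed to find_user() is assumed to exist.

```php
<?php
// Added example, not from the thread. A blanket "cleaner" mangles legitimate
// data and still cannot know which sink the value is headed for.

// The thread's cleaner, reproduced for comparison.
function clear_str_values($contaminated_var)
{
    $contaminated_var = str_replace("'", '', $contaminated_var);
    $contaminated_var = stripcslashes(strip_tags(trim($contaminated_var)));
    foreach (array('$', ';', ':', '/') as $c) {
        $contaminated_var = str_replace($c, '', $contaminated_var);
    }
    return $contaminated_var;
}

// Constructed sample inputs: all legitimate, all damaged by the cleaner.
$samples = array(
    "O'Brien",                      // apostrophe in a real surname
    'http://example.com/path',      // ':' and '/' in a URL
    'Price: $19.99; tax included',  // '$' and ';' in ordinary prose
);
foreach ($samples as $s) {
    printf("%-30s -> %s\n", $s, clear_str_values($s));
}
// O'Brien                        -> OBrien
// http://example.com/path        -> httpexample.compath
// Price: $19.99; tax included    -> Price 19.99 tax included

// Sink-specific handling keeps the data intact and protects the consumer.
// 1. HTML output: encode entities at output time, not at input time.
function for_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
// 2. SQL: bind the raw value; the driver quotes it and nothing is stripped.
function find_user(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name)); // "O'Brien" is matched verbatim
    return $stmt->fetchColumn();
}
// 3. URL query string: percent-encode when the value becomes a parameter.
function for_query_param($s)
{
    return rawurlencode($s);
}

echo for_html("O'Brien"), "\n";       // O&#039;Brien
echo for_query_param('a b/c'), "\n";  // a%20b%2Fc
```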