small php user input cleaner
Posted: Wed Jun 11, 2008 11:48 pm
by kusal
function clear_str_values($contaminated_var)
{
    // Drop single quotes, then trim whitespace, strip HTML tags and
    // un-escape C-style backslash sequences.
    $contaminated_var = str_replace("'", '', $contaminated_var);
    $contaminated_var = stripcslashes(strip_tags(trim($contaminated_var)));
    // Drop a few more characters the author considers dangerous.
    $contaminated_var = str_replace("$", '', $contaminated_var);
    $contaminated_var = str_replace(";", '', $contaminated_var);
    $contaminated_var = str_replace(":", '', $contaminated_var);
    $contaminated_var = str_replace("/", '', $contaminated_var);
    return $contaminated_var;
}
I wrote this small function to be included in all my PHP files to clean user input.
I needed it to be simple; is this enough, or did I miss something important?
Will this function slow down my script very badly?
Thank you
Re: small php user input cleaner
Posted: Thu Jun 12, 2008 12:27 am
by Benjamin
Well, it really depends on what you're protecting against. There really isn't a one-size-fits-all approach.
Here are a few things to know:
1. str_replace can accept arrays for the first two parameters, so you can put all the nasty characters into an array like this:
    $nasty = array('\'', '$'); # etc.: every character you want removed
    $clean = str_replace($nasty, '', $dirty);
2. mysql_real_escape_string(), strip_tags(), html_entities()
3. HTMLPurifier
Re: small php user input cleaner
Posted: Thu Jun 12, 2008 1:05 am
by kusal
Hey, thanks for the advice.
Good luck on your work.
Re: small php user input cleaner
Posted: Thu Jun 12, 2008 2:14 am
by Mordred
Completely useless (sorry for the harsh words, but security is a harsh field).
Every function that accepts input has its own way to make sure the input will not break it. You can't make a single function that works in all those cases (think of it: if it were possible, it would be built into PHP and called automatically!)
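The point made in the last reply, and the per-context tools named in the second reply (mysql_real_escape_string for SQL, strip_tags/entities for HTML), can be shown concretely. The following is an added example, not code from any of the posters or from this thread: it runs the cleaner from the first post against three different consumers of the same input and shows where a character-stripping "cleaner" fails and what the consumer-specific handling looks like. It assumes PHP with the PDO SQLite driver available (an in-memory database, so it runs offline); every input string is constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Runs the first poster's cleaner
// against three consumers of the same input (SQL, an HTML attribute, and
// plain data) to show why escaping must be chosen per consumer.
// Assumes PDO with the sqlite driver; all inputs below are constructed.

// The cleaner from the first post, same behaviour (the four single-character
// removals are folded into one str_replace with an array).
function clear_str_values($contaminated_var)
{
    $contaminated_var = str_replace("'", '', $contaminated_var);
    $contaminated_var = stripcslashes(strip_tags(trim($contaminated_var)));
    $contaminated_var = str_replace(array('$', ';', ':', '/'), '', $contaminated_var);
    return $contaminated_var;
}

// 1. SQL context. A numeric injection needs none of the stripped characters.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 0), (2, 'root', 1)");

$user_id = '1 OR is_admin=1';            // constructed attacker input
$cleaned = clear_str_values($user_id);  // passes through unchanged

// "Cleaned" but interpolated: the WHERE clause becomes  id = 1 OR is_admin=1
$leaked = $db->query("SELECT name FROM users WHERE id = $cleaned")
             ->fetchAll(PDO::FETCH_COLUMN);
// $leaked == array('alice', 'root')

// Bound parameter: the whole string is compared as one value, matches nothing.
$stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute(array(':id' => $user_id));
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
// $safe == array()

// 2. HTML attribute context. No tag and no single quote, so nothing is removed.
$name    = 'x" onmouseover="alert(1)';   // constructed attacker input
$cleaned = clear_str_values($name);      // unchanged
$broken  = '<input value="' . $cleaned . '">';
// <input value="x" onmouseover="alert(1)">   -> attribute breakout

// Encoding for the HTML context at the point of output:
$escaped = '<input value="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">';
// <input value="x&quot; onmouseover=&quot;alert(1)">

// 3. Legitimate data. The same cleaner mangles input that was never dangerous.
$url = 'http://example.com/path';        // constructed, harmless
$who = "O'Brien";                        // constructed, harmless
// clear_str_values($url) == 'httpexample.compath'
// clear_str_values($who) == 'OBrien'

printf("interpolated SQL returned:  %s\n", implode(', ', $leaked));
printf("prepared statement returned: %s\n", $safe ? implode(', ', $safe) : '(nothing)');
printf("%s\n%s\n", $broken, $escaped);
printf("%s -> %s\n", $url, clear_str_values($url));
printf("%s -> %s\n", $who, clear_str_values($who));
```

The two fixes are specific to their consumers: the bound parameter keeps user data out of the SQL grammar entirely, and htmlspecialchars with ENT_QUOTES encodes for the attribute it is placed in. Neither is a substitute for the other, and neither requires the input to be altered on the way in, which is what avoids the third failure (destroying valid names and URLs).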