Injection-safe code again, using this class

Post by martind

Hi all

This is my first post, I hope I don't do anything wrong here :)

I want you to take a look at this class. I've written it in cooperation with a friend, but now we want you to take a look at it.
Here is the code: http://pastebin.com/m72ecf4dd

Description
The idea is to load the class as the first thing (or almost the first thing, at least before parsing any input ($_GET, $_POST, $_COOKIE etc.))
The class will automatically sanitize the input according to the first 3 characters of the key (i.e. the <input> name or the ?name= in URL)

Usage
With this class, the following code is SQL Safe:

Code: Select all

<?php
include('path/to/class.php');
$input = New CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string
 
mysql_query("SELECT * FROM articles WHERE id = $_GET[intArticleId]");
?>
Because the value of $_GET['intArticleId'] is parsed by the class, the value can only be numbers.

This means
The class will automatically sanitize the input, so it's impossible to make any SQL injections as long as you remember to use the right prefix on the variable names.

Example

Code: Select all

 
<form action="/submit.php" method="post">
    <input type="text" name="txtUsername" value="">
    <input type="text" name="intAge" value="">
 
    <input type="submit" value="Submit">
</form>
submit.php code:

Code: Select all

 
<?php
include('path/to/class.php');
$input = New CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string
 
// Example-query. This is injection-safe because the class is loaded above.
$username = $_POST['txtUsername'];
$age = $_POST['intAge'];
$query = "INSERT INTO users (username,age) VALUES('$username','$age')";
?>
 
More examples
Remember, the class is intended to run automatically on the $_GET, $_POST etc.; the following examples just show the capabilities of the class as a sanitizer on other variables

Code: Select all

<?php
include('path/to/class.php');
$input = New CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string
 
$age = "bla bla 234 bla";
$age = $input->cleanInput($age,'int'); // $age = 234;
 
$mail = "my.fake@..mail.com.123";
$mail = $input->cleanInput($mail,'mai'); // $mail = false;
 
$string = "dsfg & this != test";
$string = $input->cleanInput($string,'txt'); // $string = "dsfg  this  test";
?>
What do you think about this way of securing web applications?
Have you found any bugs in this class?
Do you have tips for improvement?

Feel free to use this class, please let us know what you think about it!

Post by josh

Your link 404s, plus from the sounds of it this is something most developers would never use. Why? It has the same issues as magic quotes and all those other failed ideas.
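
The magic-quotes comparison in the reply above, shown as an added example that is not code from either poster. The CleanGlobals class is not available, so `prefixFilter()` is a hypothetical stand-in and its 'txt' character whitelist is an assumption; the input is constructed and the database is an in-memory SQLite instance accessed through PDO.

```php
<?php
// Added example: CleanGlobals itself is unavailable (the pastebin link is dead),
// so prefixFilter() is a hypothetical stand-in for "clean by 3-letter key prefix".
function prefixFilter(string $key, string $value): string {
    switch (substr($key, 0, 3)) {
        case 'int': return preg_replace('/\D/', '', $value);            // digits only
        case 'txt': return preg_replace('/[^A-Za-z0-9 ]/', '', $value); // assumed whitelist
        default:    return $value; // unknown prefix: nothing is cleaned
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, age INTEGER)');

// Constructed form input: an ordinary surname containing an apostrophe.
$post = ['txtUsername' => "O'Brien", 'intAge' => '42 years', 'username' => "O'Brien"];

// 1) Filtered at input time: the query runs, but the stored name is altered.
$u = prefixFilter('txtUsername', $post['txtUsername']);
$a = prefixFilter('intAge', $post['intAge']);
$db->exec("INSERT INTO users (username, age) VALUES ('$u', '$a')");

// 2) Key without a known prefix: the value reaches the SQL string untouched
//    and the apostrophe changes the structure of the statement.
try {
    $raw = prefixFilter('username', $post['username']);
    $db->exec("INSERT INTO users (username, age) VALUES ('$raw', '$a')");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// 3) Bound parameters: the value is never parsed as SQL and is stored intact.
$stmt = $db->prepare('INSERT INTO users (username, age) VALUES (:u, :a)');
$stmt->execute([':u' => $post['username'], ':a' => (int) $post['intAge']]);

// List what was actually stored by the filtered and the parameterized inserts.
foreach ($db->query('SELECT username, age FROM users') as $row) {
    echo $row['username'], ' / ', $row['age'], "\n";
}
```

The filter runs before the code knows where a value will be used, which is why it either alters legitimate data or misses keys named outside the convention; binding parameters at the query is independent of how the input was named.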