This is my first post, I hope I don't do anything wrong here.
I want you to take a look at this class. I've written this function in cooperation with a friend, but now we want you to take a look at it.
Here is the code: http://pastebin.com/m72ecf4dd
Description
The idea is to load the class as the first thing (or almost the first thing, at least before parsing any input ($_GET, $_POST, $_COOKIE etc.)).
The class will automatically sanitize the input according to the first 3 characters of the key (i.e. the <input> name or the ?name= in the URL).
Usage
With this class, the following code is SQL Safe:
<?php
include('path/to/class.php');
$input = new CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string
mysql_query("SELECT * FROM articles WHERE id = $_GET[intArticleId]");
?>
This means
The class will automatically sanitize the input, so it's impossible to make any SQL injections as long as you remember to use the right prefix on the variable names.
Example
<form action="/submit.php" method="post">
<input type="text" name="txtUsername" value="">
<input type="text" name="intAge" value="">
<input type="submit" value="Submit">
</form>
<?php
include('path/to/class.php');
$input = new CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string
// Example query. This is injection-safe because the class is loaded above.
// The form above submits with method="post", so the fields arrive in $_POST.
$username = $_POST['txtUsername'];
$age = $_POST['intAge'];
$query = "INSERT INTO users (username,age) VALUES('$username','$age')";
?>
Remember, the class is intended to run automatically on $_GET, $_POST etc.; the following examples just show the capabilities of the class as a sanitizer on other variables.
<?php
include('path/to/class.php');
$input = new CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string
$age = "bla bla 234 bla";
$age = $input->cleanInput($age,'int'); // $age = 234;
$mail = "my.fake@..mail.com.123";
$mail = $input->cleanInput($mail,'mai'); // $mail = false;
$string = "dsfg & this != test";
$string = $input->cleanInput($string,'tzt'); // $string = "dsfg this test";
?>
Have you found any bugs in this class?
Do you have tips for improvement?
Feel free to use this class, please let us know what you think about it!
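As an added example, not the CleanGlobals class from the post (the pastebin content is not on this page): a prefix-driven sanitizer whose rules are assumptions chosen to reproduce the post's own sample outputs (int, mai, tzt), followed by the query layer that the post's safety claim depends on. Since the post says the protection holds only as long as the right prefix is used, the example drops keys with no recognised prefix instead of passing them through, and binds values with a PDO prepared statement so that a forgotten prefix can never end up interpolated into SQL. The names PrefixSanitizer, cleanArray and insertUser, the 'txt' rule, and the in-memory SQLite database are all assumptions of this example.

```php
<?php
// Added example, not the CleanGlobals class from the post. The prefix rules are
// assumptions chosen to match the sample outputs in the post; the PDO part shows
// the query layer that keeps the result safe even when a key has no known prefix.

final class PrefixSanitizer
{
    // 3-letter key prefix => rule name (assumed mapping; 'txt' assumed to be free text)
    private const RULES = ['int' => 'int', 'mai' => 'mai', 'tzt' => 'tzt', 'txt' => 'txt'];

    /** Clean one value by rule; unknown rules return false so nothing leaks through. */
    public function cleanInput($value, string $rule)
    {
        $value = (string) $value;
        switch ($rule) {
            case 'int': // keep digits only: "bla bla 234 bla" -> 234
                $digits = preg_replace('/\D+/', '', $value);
                return $digits === '' ? 0 : (int) $digits;
            case 'mai': // syntactic e-mail check: "my.fake@..mail.com.123" -> false
                return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : false;
            case 'tzt': // letters, digits and single spaces only: "dsfg & this != test" -> "dsfg this test"
                $clean = preg_replace('/[^A-Za-z0-9 ]+/', '', $value);
                return trim(preg_replace('/ {2,}/', ' ', $clean));
            case 'txt': // free text: drop control characters, leave escaping to the query layer
                return preg_replace('/[\x00-\x1F\x7F]/', '', $value);
            default:
                return false;
        }
    }

    /** Apply the prefix rule to every key of a superglobal-style array in place. */
    public function cleanArray(array &$input): void
    {
        foreach ($input as $key => $value) {
            $rule = substr((string) $key, 0, 3);
            if (isset(self::RULES[$rule])) {
                $input[$key] = $this->cleanInput($value, self::RULES[$rule]);
            } else {
                unset($input[$key]); // no known prefix: drop it rather than pass raw data on
            }
        }
    }
}

/** Insert a user with a prepared statement; values are bound, never interpolated. */
function insertUser(PDO $pdo, string $username, int $age): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, age) VALUES (:username, :age)');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// --- demo with constructed input standing in for $_POST ---
$post = [
    'txtUsername' => "o'brien",                // the quote is harmless once bound as a parameter
    'intAge'      => 'bla bla 234 bla',        // the post's own int example
    'maiContact'  => 'my.fake@..mail.com.123', // the post's own mai example -> false
    'tztNote'     => 'dsfg & this != test',    // the post's own tzt example
    'email'       => 'nobody@example.com',     // no recognised prefix: dropped by cleanArray
];
$san = new PrefixSanitizer();
$san->cleanArray($post);
assert($post['intAge'] === 234);
assert($post['maiContact'] === false);
assert($post['tztNote'] === 'dsfg this test');
assert(!array_key_exists('email', $post));

// In-memory SQLite so the example runs offline (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, age INTEGER)');
$id = insertUser($pdo, $post['txtUsername'], $post['intAge']);
$stmt = $pdo->prepare('SELECT username, age FROM users WHERE id = ?');
$stmt->execute([$id]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC)); // username "o'brien", age 234
```

The design choice worth noting is the split of responsibilities: the sanitizer shapes the data (digits only, valid address, plain text), while the prepared statement is what keeps the SQL intact, so a key like "email" that carries no prefix still cannot reach the query as raw string concatenation.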