Injection-safe code again, using this class

Posted: Sun Nov 08, 2009 8:27 pm
by martind
Hi all

This is my first post, I hope I don't do anything wrong here :)

I want you to take a look at this class. I've written this function in cooperation with a friend, but now we want you to take a look at it.
Here is the code: http://pastebin.com/m72ecf4dd

Description
The idea is to load the class as the first thing (or almost the first thing, at least before parsing any input ($_GET, $_POST, $_COOKIE etc.)).
The class will automatically sanitize the input according to the first 3 characters of the key (i.e. the <input> name or the ?name= in the URL).

Usage
With this class, the following code is SQL Safe:

Code:

<?php
include('path/to/class.php');
$input = new CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string

// The class has already coerced $_GET['intArticleId'] to digits only, so the interpolated value cannot break out of the query.
mysql_query("SELECT * FROM articles WHERE id = $_GET[intArticleId]");
?>
Because the value of $_GET['intArticleId'] is parsed by the class, the value can only be numbers.

This means
The class will automatically sanitize the input, so it's impossible to make any SQL injections as long as you remember to use the right prefix on the variable names.

Example

Code:

<!-- The form posts to submit.php, which reads $_POST below, so the method must be "post", not "get". -->
<form action="/submit.php" method="post">
    <input type="text" name="txtUsername" value="">
    <input type="text" name="intAge" value="">

    <input type="submit" value="Submit">
</form>
submit.php code:

Code:

<?php
include('path/to/class.php');
$input = new CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string

// Example-query. This is injection-safe because the class is loaded above:
// the "txt" prefix strips non-alphanumeric characters and the "int" prefix keeps digits only.
$username = $_POST['txtUsername'];
$age = $_POST['intAge'];
$query = "INSERT INTO users (username,age) VALUES('$username','$age')";
?>
 
More examples
Remember, the class is intended to run automatically on $_GET, $_POST etc.; the following examples just show the capabilities of the class as a sanitizer on other variables.

Code:

<?php
include('path/to/class.php');
$input = new CleanGlobals(); // the $input can be used to access the public function cleanInput for any variable or string

$age = "bla bla 234 bla";
$age = $input->cleanInput($age,'int'); // $age = 234;

$mail = "my.fake@..mail.com.123";
$mail = $input->cleanInput($mail,'mai'); // $mail = false;

$string = "dsfg & this != test";
$string = $input->cleanInput($string,'tzt'); // $string = "dsfg  this  test";
?>
What do you think about this way of securing web applications?
Have you found any bugs in this class?
Do you have tips for improvement?

Feel free to use this class, please let us know what you think about it!
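An added example, not the class from the pastebin link (which is not reproduced on this page): a PHP re-implementation of the behaviour described in the post, coercing each value by the first three characters of its key, run over a constructed request array, followed by a parameterised PDO insert for comparison. The class name PrefixSanitizer, the choice of "txt" as the text prefix (the post's last example spells it 'tzt'), and the $pdo connection are assumptions.

```php
<?php
// Added example: a hypothetical re-implementation of the prefix-based
// sanitizer the post describes, not the author's class. Behaviour follows
// the post's own examples: "int" keeps digits, "mai" validates an e-mail
// address, "txt" strips everything but letters, digits and whitespace.

class PrefixSanitizer
{
    /**
     * Coerce $value according to a three-letter type prefix.
     * Returns false when the value cannot satisfy the requested type.
     */
    public function cleanInput($value, $type)
    {
        switch ($type) {
            case 'int':
                // Keep digits only, so "bla bla 234 bla" becomes the integer 234.
                $digits = preg_replace('/\D+/', '', (string) $value);
                return $digits === '' ? false : (int) $digits;
            case 'mai':
                // filter_var() returns false for a malformed address.
                return filter_var($value, FILTER_VALIDATE_EMAIL);
            case 'txt':
                // Remove every character that is not a letter, digit or whitespace.
                return preg_replace('/[^A-Za-z0-9\s]+/', '', (string) $value);
            default:
                // Unknown prefix: the value is passed through untouched, which is
                // the "as long as you remember the right prefix" condition from the post.
                return $value;
        }
    }

    /** Sanitize every entry of a superglobal-like array in place. */
    public function cleanArray(array &$input)
    {
        foreach ($input as $key => $value) {
            $input[$key] = $this->cleanInput($value, substr($key, 0, 3));
        }
    }
}

// Constructed request data standing in for $_POST (assumption: keys use the
// same prefix convention as the form in the post).
$post = [
    'txtUsername' => "O'Brien",                // a legitimate name containing a quote
    'intAge'      => '34 years',
    'mailContact' => 'my.fake@..mail.com.123', // the post's malformed address
    'note'        => "a field whose key has no recognised prefix",
];

$sanitizer = new PrefixSanitizer();
$sanitizer->cleanArray($post);

// Inspect the result: the quote in txtUsername is gone, but so is the
// apostrophe the real user typed; intAge is now an integer; mailContact is
// false; note has not been touched at all.
var_dump($post);

// Defender's alternative: a parameterised query keeps the data intact and the
// bound values still cannot alter the SQL statement. $pdo is an assumed,
// already-open PDO connection.
function insertUser(PDO $pdo, $username, $age)
{
    $stmt = $pdo->prepare('INSERT INTO users (username, age) VALUES (:u, :a)');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':a', $age, PDO::PARAM_INT);
    return $stmt->execute();
}
```

Run it with `php example.php` to see the coerced array. Two things to check in the output: a name such as O'Brien loses its apostrophe, so the "txt" rule protects the query by damaging the data rather than by separating data from code; and a key without a known prefix is not protected at all, so the scheme's safety rests entirely on naming discipline. The insertUser() function shows the parameterised form, which needs neither the prefix convention nor the character stripping.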

Re: Injection-safe code again, using this class

Posted: Sun Dec 20, 2009 8:06 am
by josh
Your link 404s, plus from the sounds of it this is something most developers would never use. Why? It has the same issues as magic quotes and all those other failed ideas.