Filtering class

Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Filtering class

Post by Technical »

Please have a look at my filtering functions. Feedback is very appreciated because of security reasons.

<?php
class Filters
{
	static $Regex = array('\\' => '\\\\', '^' => '\^', '$' => '\$', '.' => '\.', '[' => '\[', ']' => '\]', '(' => '\(', ')' => '\)', '?' => '\?', '*' => '\*', '+' => '\+', '{' => '\{', '}' => '\}', '-' => '\-', '|' => '\|');
	private static function Filter($Type, $Input, $List = null, $Default = null)
	{
		$Output = null;
		if(is_array($Input))
		{
			foreach($Input as $Key => $Item)
			{
				// Recurse on each element (the original passed $Input here, which recursed forever)
				$Output[$Key] = Filters::Filter($Type, $Item, $List, $Default);
			}
		} else {
			switch($Type)
			{
				case 1:
					$Output = strip_tags($Input);
					$Output = preg_replace('/(&)(amp|quot|lt|gt);/i', '&$2', htmlspecialchars($Output, ENT_COMPAT, 'UTF-8'));
					$Output = trim($Output);
					// Cap the length; mb_substr stands in for the UTF8::substr helper the original relied on
					$Output = mb_substr($Output, 0, 4096, 'UTF-8');
				break;
				case 2:
					$Output = preg_replace('/[^a-z0-9\_\-]/i', '', Filters::Sql($Input));
				break;
				case 3:
					$Output = intval($Input);
				break;
				case 4:
					$Output = Filters::Strict($Input);
					if(is_array($List) && !in_array($Input, $List))
					{
						$Output = $Default;
					}
				break;
				case 5:
					$Output = preg_replace('/ALTER TABLE|ANALYZE|ATTACH DATABASE|BEGIN TRANSACTION|COMMIT TRANSACTION|CREATE INDEX|CREATE TABLE|CREATE TRIGGER|CREATE VIEW|CREATE VIRTUAL TABLE|DELETE|DETACH DATABASE|DROP INDEX|DROP TABLE|DROP TRIGGER|DROP VIEW|END TRANSACTION|EXPLAIN|INSERT|ON CONFLICT|PRAGMA|REINDEX|REPLACE|ROLLBACK TRANSACTION|SELECT|UPDATE|VACUUM|--|;/i', '', $Input);
				break;
				case 6:
					$Output = preg_replace('/[\\\\<>"\*:]/i', '', $Input);
				break;
				case 7:
					$Output = preg_replace('/[^\:\;\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~\@\.\[\]|\w+]/i', '', $Input);
				break;
				case 8:
					// Note: this strips a well-formed address and returns anything else untouched;
					// it does not validate the input
					$Output = preg_replace('/^[-0-9A-Z_\.]{1,50}@([-0-9A-Z_\.]+\.){1,50}([0-9A-Z]){2,4}$/i', '', $Input);
				break;
				case 9:
					$Output = str_replace(array_keys(Filters::$Regex), array_values(Filters::$Regex), $Input);
				break;
			}
		}
		return $Output;
	}
	static function Basic($Input)
	{
		return Filters::Filter(1, $Input);
	}
	static function Strict($Input)
	{
		return Filters::Filter(2, $Input);
	}
	static function Numeric($Input)
	{
		return Filters::Filter(3, $Input);
	}
	static function Range($Input, $List, $Default = null)
	{
		return Filters::Filter(4, $Input, $List, $Default);
	}
	static function Sql($Input)
	{
		return Filters::Filter(5, $Input);
	}
	static function Path($Input)
	{
		return Filters::Filter(6, $Input);
	}
	static function Url($Input)
	{
		return Filters::Filter(7, $Input);
	}
	static function Mail($Input)
	{
		return Filters::Filter(8, $Input);
	}
	static function Regex($Input)
	{
		return Filters::Filter(9, $Input);
	}
}
?>
Last edited by Technical on Wed Dec 29, 2010 2:26 am, edited 1 time in total.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Filtering class

Post by josh »

None of these can protect against CSRF, file upload exploits etc. There's no magic bullet to security (such as having a super awesome filter), so there's not much to say security-wise.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Filtering class

Post by Christopher »

I would chuck one of your grenades into that code. Super-static-itis is the word that comes to mind. I stopped at the magic numbers 1..9 as the first parameter. Yikes. Just make a bunch of well named functions and be done with it ... or use the filter extension.
(#10850)
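What the "well named functions ... or use the filter extension" suggestion looks like in practice, as an added example that is not code from the thread or from its author. It covers the same jobs as Mail, Numeric, Range and Strict using PHP's filter extension, rejects bad input instead of silently rewriting it, and keeps HTML escaping for the output side. The function names and the sample request array are the example's own.

```php
<?php
// Added example (not the thread's code): the posted class's checks rewritten as
// plainly named functions over PHP's filter extension. Each validator returns
// null on rejection rather than altering the value it was given.
declare(strict_types=1);

function valid_email(string $input): ?string
{
    $v = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

function valid_int(string $input, int $min, int $max): ?int
{
    $v = filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

// Whitelist check: only a value from the allowed list passes, compared strictly.
function one_of(string $input, array $allowed, ?string $default = null): ?string
{
    return in_array($input, $allowed, true) ? $input : $default;
}

// A "slug" of letters, digits, '-' and '_': reject anything else instead of stripping it.
function valid_slug(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $input) === 1 ? $input : null;
}

// Escaping is an output concern: encode for HTML at the point where the text is printed.
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, shaped like a query string a request would carry.
$req = ['email' => 'user@example.com', 'page' => '7', 'sort' => 'date', 'slug' => 'hello-world'];

var_dump(valid_email($req['email']));
var_dump(valid_email('not an address'));
var_dump(valid_int($req['page'], 1, 100));
var_dump(valid_int('1e3', 1, 100));
var_dump(one_of($req['sort'], ['date', 'name'], 'date'));
var_dump(one_of('price', ['date', 'name'], 'date'));
var_dump(valid_slug($req['slug']));
var_dump(valid_slug('../etc'));
echo html('<b>x</b> & "y"'), "\n";
```

The point of the null return is that the caller has to decide what to do with a rejected value; the posted class returns a trimmed-down string that looks valid, so the caller never learns that anything was wrong.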
Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Re: Filtering class

Post by Technical »

Christopher wrote: I would chuck one of your grenades into that code. Super-static-itis is the word that comes to mind. I stopped at the magic numbers 1..9 as the first parameter. Yikes. Just make a bunch of well named functions and be done with it ... or use the filter extension.
Well, isn't it good to group functions into static classes?
By the way, you don't need to worry about 1-9, you just use it like

<?php
$Mail = Filters::Mail($Input); // for e-mail
$Basic = Filters::Basic($Input); // basic filtration
$Strict = Filters::Strict($Input); // strict filtration, only letters, -, _ and digits allowed
?>
Last edited by Technical on Wed Dec 29, 2010 2:39 am, edited 1 time in total.
Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Re: Filtering class

Post by Technical »

josh wrote: None of these can protect against CSRF, file upload exploits etc. There's no magic bullet to security (such as having a super awesome filter), so there's not much to say security wise
Sure, but I think protection from CSRF is more of an engineering task than a filtering one, right?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Filtering class

Post by Mordred »

Apart from the "it sucks" part, it's also buggy. It would also prevent me posting about VACUUM, wtf?! You hate astronomy so much? :)
Of course, if I really wanted, I could post about VACUVACUUMUM, that would do the trick.

I'm afraid this code betrays a non-understanding of what "filtering" should do at quite a basic level. You happily damage the data without actually doing anything useful security-wise. For most of these there are perfectly well working functions, no need to reinvent the wheel.
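Mordred's two objections side by side, as an added example that is not code from the thread or its author. The first half runs an abbreviated copy of the posted Sql() keyword list over ordinary sentences and over the nested VACUVACUUMUM string from the reply above, showing that the filter mangles legitimate text while the keyword still comes out the other end. The second half stores the same strings through a PDO prepared statement, where the text is a bound value rather than part of the SQL, so nothing needs to be stripped. The function names and sample posts are the example's own; it assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example, not the thread's code. First half: a keyword blocklist in the
// style of the posted Sql() filter (keyword list abbreviated) damages ordinary
// text and still lets a nested keyword through. Second half: a parameterized
// query stores the same text unchanged, so no such filter is needed.
// Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

// Abbreviated version of the posted Sql() regex, reproduced only to test it.
function strip_sql_keywords(string $input): string
{
    return preg_replace('/DELETE|INSERT|SELECT|UPDATE|VACUUM|--|;/i', '', $input);
}

// Parameterized storage: the body travels as a bound value, never as SQL text.
function store_and_read_back(array $bodies): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

    $insert = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    foreach ($bodies as $body) {
        $insert->execute([':body' => $body]);
    }
    return $db->query('SELECT body FROM posts ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample posts: two innocent sentences plus the nested keyword from the reply above.
$samples = [
    'The vacuum cleaner broke; I will update the list.',
    'Minutes from the select committee on astronomy',
    'VACUVACUUMUM',
];

echo "Keyword stripping (data damaged, keyword reappears):\n";
foreach ($samples as $s) {
    printf("  %-50s -> %s\n", $s, strip_sql_keywords($s));
}

echo "\nParameterized query (stored verbatim):\n";
$stored = store_and_read_back($samples);
foreach ($stored as $s) {
    echo '  ', $s, "\n";
}
echo $stored === $samples ? "all rows round-tripped unchanged\n" : "mismatch\n";
```

The comparison at the end is the useful check: with bound parameters every row comes back byte-for-byte as it went in, including the one containing a keyword, because the database never interprets a bound value as a statement.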
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Filtering class

Post by Eran »

Well, isn't it good to group functions into static classes?
No. That's a basic misunderstanding of what a class is (hint: it's not a namespace for functions).