Filtering class

Posted: Tue Dec 28, 2010 2:29 pm
by Technical
Please have a look at my filtering functions. Feedback is very appreciated because of security reasons.

Code:

<?php
class Filters
{
	// Escape table used by Filters::Regex (PHP's preg_quote() does the same job).
	static $Regex = array('\\' => '\\\\', '^' => '\^', '$' => '\$', '.' => '\.', '[' => '\[', ']' => '\]', '(' => '\(', ')' => '\)', '?' => '\?', '*' => '\*', '+' => '\+', '{' => '\{', '}' => '\}', '-' => '\-', '|' => '\|');
	private static function Filter($Type, $Input, $List = null, $Default = null)
	{
		$Output = null;
		if(is_array($Input))
		{
			// Apply the same filter to every element; recurse on $Item, not on $Input.
			foreach($Input as $Key => $Item)
			{
				$Output[$Key] = Filters::Filter($Type, $Item, $List, $Default);
			}
		} else {
			switch($Type)
			{
				case 1: // Basic: strip tags, entity-encode, trim and cap the length
					$Output = strip_tags($Input);
					// Drops the ';' from the entities htmlspecialchars() produced ('&lt;' becomes '&lt').
					$Output = preg_replace('/(&)(amp|quot|lt|gt);/i', '&$2', htmlspecialchars($Output, ENT_COMPAT, 'UTF-8'));
					$Output = trim($Output);
					// UTF8 is a helper class outside this snippet; mb_substr($Output, 0, 4096, 'UTF-8') is the built-in equivalent.
					$Output = UTF8::substr($Output, 0, 4096);
				break;
				case 2: // Strict: only letters, digits, '_' and '-' survive
					$Output = preg_replace('/[^a-z0-9\_\-]/i', '', Filters::Sql($Input));
				break;
				case 3: // Numeric: intval() yields 0 for anything non-numeric
					$Output = intval($Input);
				break;
				case 4: // Range: the raw input must be in the whitelist $List, else $Default
					$Output = Filters::Strict($Input);
					if(is_array($List) && !in_array($Input, $List))
					{
						$Output = $Default;
					}
				break;
				case 5: // Sql: removes a blacklist of SQL keywords plus '--' and ';'
					$Output = preg_replace('/ALTER TABLE|ANALYZE|ATTACH DATABASE|BEGIN TRANSACTION|COMMIT TRANSACTION|CREATE INDEX|CREATE TABLE|CREATE TRIGGER|CREATE VIEW|CREATE VIRTUAL TABLE|DELETE|DETACH DATABASE|DROP INDEX|DROP TABLE|DROP TRIGGER|DROP VIEW|END TRANSACTION|EXPLAIN|INSERT|ON CONFLICT|PRAGMA|REINDEX|REPLACE|ROLLBACK TRANSACTION|SELECT|UPDATE|VACUUM|--|;/i', '', $Input);
				break;
				case 6: // Path: removes \ < > " * and :
					$Output = preg_replace('/[\\\\<>"\*:]/i', '', $Input);
				break;
				case 7: // Url: keeps word characters and common URL punctuation
					$Output = preg_replace('/[^\:\;\!\#\$\%\&\'\*\+\-\/\=\?\^\_\`\{\|\}\~\@\.\[\]|\w+]/i', '', $Input);
				break;
				case 8: // Mail: return the input only if the whole string looks like an e-mail address, else null
					$Output = preg_match('/^[-0-9A-Z_\.]{1,50}@([-0-9A-Z_\.]+\.){1,50}([0-9A-Z]){2,4}$/i', $Input) ? $Input : null;
				break;
				case 9: // Regex: escape regular-expression metacharacters
					$Output = str_replace(array_keys(Filters::$Regex), array_values(Filters::$Regex), $Input);
				break;
			}
		}
		return $Output;
	}
	static function Basic($Input)
	{
		return Filters::Filter(1, $Input);
	}
	static function Strict($Input)
	{
		return Filters::Filter(2, $Input);
	}
	static function Numeric($Input)
	{
		return Filters::Filter(3, $Input);
	}
	static function Range($Input, $List, $Default = null)
	{
		return Filters::Filter(4, $Input, $List, $Default);
	}
	static function Sql($Input)
	{
		return Filters::Filter(5, $Input);
	}
	static function Path($Input)
	{
		return Filters::Filter(6, $Input);
	}
	static function Url($Input)
	{
		return Filters::Filter(7, $Input);
	}
	static function Mail($Input)
	{
		return Filters::Filter(8, $Input);
	}
	static function Regex($Input)
	{
		return Filters::Filter(9, $Input);
	}
}
?>

Re: Filtering class

Posted: Tue Dec 28, 2010 11:52 pm
by josh
None of these can protect against CSRF, file upload exploits etc. There's no magic bullet to security (such as having a super awesome filter), so there's not much to say security-wise.

Re: Filtering class

Posted: Wed Dec 29, 2010 1:34 am
by Christopher
I would chuck one of your grenades into that code. Super-static-itis is the word that comes to mind. I stopped at the magic numbers 1..9 as the first parameter. Yikes. Just make a bunch of well named functions and be done with it ... or use the filter extension.

Re: Filtering class

Posted: Wed Dec 29, 2010 2:30 am
by Technical
Christopher wrote:I would chuck one of your grenades into that code. Super-static-itis is the word that comes to mind. I stopped at the magic numbers 1..9 as the first parameter. Yikes. Just make a bunch of well named functions and be done with it ... or use the filter extension.
Well, isn't it good to group functions into static classes?
By the way, you don't need to worry about 1-9, you just use it like

Code:

<?php
$Mail = Filters::Mail($Input);     // for e-mail
$Basic = Filters::Basic($Input);   // basic filtration
$Strict = Filters::Strict($Input); // strict filtration, only letters, -, _ and digits allowed
?>

Re: Filtering class

Posted: Wed Dec 29, 2010 2:34 am
by Technical
josh wrote:None of these can protect against CSRF, file upload exploits etc. There's no magic bullet to security (such as having a super awesome filter), so there's not much to say security wise
Sure, but I think protection from CSRF is more of an engineering task than filtering, right?

Re: Filtering class

Posted: Sat Feb 12, 2011 12:03 pm
by Mordred
Apart from the "it sucks" part, it's also buggy. It would also prevent me posting about VACUUM, wtf?! You hate astronomy so much? :)
Of course, if I really wanted, I could post about VACUVACUUMUM, that would do the trick.

I'm afraid this code betrays a nonunderstanding of what "filtering" should do at a quite basic level. You happily damage the data without actually doing anything useful security-wise. For most of these there are perfectly well working functions, no need to reinvent the wheel.
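As an added example (not code from the thread or any of its posters), here are the built-in PHP functions that Christopher's "use the filter extension" and Mordred's "perfectly well working functions" point to, one per filter the class reimplements, plus a two-keyword reproduction of the keyword-stripping idea showing why a single pass is not idempotent. Function names are my own; sample inputs are constructed.

```php
<?php
// Added example: built-in replacements for the hand-rolled filters.
// Function names are hypothetical; sample inputs below are constructed.

// Mail: validate the address instead of mangling it.
function validEmail(string $input): ?string
{
    $v = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Numeric: FILTER_VALIDATE_INT rejects '12abc', where intval() returns 12.
function validInt(string $input, ?int $default = null): ?int
{
    $v = filter_var($input, FILTER_VALIDATE_INT);
    return $v === false ? $default : $v;
}

// Range: strict whitelist comparison (third argument true), no pre-mangling needed.
function inRange(string $input, array $allowed, ?string $default = null): ?string
{
    return in_array($input, $allowed, true) ? $input : $default;
}

// Regex: preg_quote() is the built-in equivalent of the $Regex escape table.
function regexLiteral(string $input): string
{
    return preg_quote($input, '/');
}

// Sql: keyword stripping, reduced to two keywords, kept only to show that one
// pass reassembles a keyword. Use PDO::prepare()/execute() instead of any such filter.
function keywordStrip(string $input): string
{
    return preg_replace('/VACUUM|SELECT/i', '', $input);
}

$checks = [
    validEmail('user@example.com') === 'user@example.com',
    validEmail('not an address') === null,
    validInt('42') === 42,
    validInt('12abc', -1) === -1,
    inRange('asc', ['asc', 'desc'], 'asc') === 'asc',
    inRange('asc;', ['asc', 'desc'], 'asc') === 'asc',
    regexLiteral('a.b*c') === 'a\.b\*c',
    keywordStrip('VACUVACUUMUM') === 'VACUUM', // the stripped middle leaves the keyword behind
];
echo in_array(false, $checks, true) ? "some checks failed\n" : "all checks passed\n";
```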

Re: Filtering class

Posted: Sat Feb 12, 2011 1:58 pm
by Eran
Well, isn't good to group functions into static classes?
No. That's a basic misunderstanding of what a class is (hint: it's not a namespace for functions)