Cleaning up your inputs
  • 3rd July 2006 - By Vinu Thomas

    Cleaning up your inputs from $_POST, $_GET and $_REQUEST is an important task if you’re looking at the security of your PHP applications. You can prevent most kinds of Cross Site Scripting (XSS) attacks if you know how to clean up the user inputs. Here’s how to do it using an Input Filter class from PHP Classes. To get started, head over to the PHP Classes page for the Input Filter Class by Daniel Morris and download the class file.

    Once you get the class file, here’s how you can go about cleaning up your input variables.

    <?php
    include 'class.inputfilter.php'; // the Input Filter Class file downloaded from PHP Classes
    $before = $_REQUEST['before'];
    $myFilter = new InputFilter();
    $after = $myFilter->process($before);
    echo $after;
    ?>

    So if you pass the string “<script>alert('xss');</script>” as the before parameter in the code above, the input filter changes it to alert('xss'); after removing the script tags. All you have to do is instantiate the InputFilter class with the following line:
    $myFilter = new InputFilter();

    and run the string to be processed through the process method:

    $after = $myFilter->process($before);

    You can also send entire arrays to be processed by the InputFilter class:

    $_POST = $myFilter->process($_POST);

    This class can also be used to remove specific HTML tags from your input string. Let’s say, for example, that you want to remove all the bold tags <b> and <strong> from your HTML string; all you need to do is:

    <?php
    include 'class.inputfilter.php';
    $before = $_REQUEST['before'];
    $tags = array("b","strong");
    $myFilter = new InputFilter($tags, array(), 1, 1);
    $after = $myFilter->process($before);
    echo $after;
    ?>

    If we pass the string “<strong>test</strong> <em>hello world</em>”, the output of the script will be “test <em>hello world</em>”.

    If you’d like to retain only the <b> and <strong> tags in the above example, change the constructor line to read

    $myFilter = new InputFilter($tags, array(), 0, 1);

    This will change the output to “<strong>test</strong> hello world”.

    Let’s break up the constructor for the InputFilter class:

    InputFilter($tagsArray, $attrArray, $tagsMethod, $attrMethod);

    $tagsArray is an array of user defined tags.
    $attrArray is an array of user defined attributes.
    $tagsMethod is 0 or 1: 0 is used when only the user defined tags should be allowed, 1 is used to strip the user defined tags.
    Similarly, $attrMethod retains only the user defined attributes if it’s set to 0 and strips the user defined attributes if it’s set to 1.

    Let’s see the attribute filtering provided by this class in action. Let’s take the following HTML string as an example:

    <img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">

    Let’s make a filter that retains just the src and target attributes in the HTML above:

    $tags = array("img","b");
    $attr = array("src","target");
    $myFilter = new InputFilter($tags, $attr, 0, 0);
    $after = $myFilter->process($before);

    It’s as simple as that.
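    As an added example (not the article’s code, and not part of the InputFilter class itself), here is how the allowlist mode described above fits into handling a whole form. It assumes class.inputfilter.php is on the include path and offers the constructor and process() method described above; the comment field goes through the filter, while fields that should never contain markup are encoded with htmlspecialchars() at output time instead.

```php
<?php
// Added example, not code from the article or from the InputFilter class.
// Assumes Daniel Morris's class.inputfilter.php is in the include path and
// offers the constructor and process() method the article describes.
include 'class.inputfilter.php';

// Allowlist mode ($tagsMethod = 0, $attrMethod = 0): only these tags and
// attributes survive; everything else, including event-handler attributes
// such as onclick or onmouseover, is stripped from the comment body.
$allowedTags = array('b', 'strong', 'em', 'a');
$allowedAttr = array('href', 'title');
$richFilter  = new InputFilter($allowedTags, $allowedAttr, 0, 0);

// A field that must never carry markup is not "cleaned" but encoded at the
// point of output, so a stray < or " cannot break out of the surrounding HTML.
function plainText($value)
{
    return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
}

// A link field additionally gets a scheme check, because encoding alone
// would still let a javascript: URL through into an href attribute.
function safeHttpUrl($value)
{
    $scheme = strtolower((string) parse_url(trim($value), PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return '';
    }
    return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample request standing in for $_POST.
$post = array(
    'name'    => 'Alice <script>alert("xss")</script>',
    'website' => 'javascript:alert(1)',
    'comment' => '<strong>Hi</strong> <a href="http://example.com/" onclick="steal()">link</a>',
);

// Choose the treatment per field rather than one blanket pass over $_POST.
$clean = array(
    'name'    => plainText($post['name']),
    'website' => safeHttpUrl($post['website']),
    'comment' => $richFilter->process($post['comment']),
);

echo '<p>Name: ' . $clean['name'] . '</p>';
if ($clean['website'] !== '') {
    echo '<p>Website: <a href="' . $clean['website'] . '">' . $clean['website'] . '</a></p>';
}
echo '<div class="comment">' . $clean['comment'] . '</div>';
```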

  • 23 Comments to “Cleaning up your inputs”

    • stefan on July 3, 2006

      I would like to recommend also looking into the Zend_Filter_Input class of the Zend Framework: http://framework.zend.com/manual/en/zend.filter.input.html

      Very useful, very solid code, from THE person that focusses on secure PHP programming.

    • vinuthomas on July 4, 2006

      Thanks for the headsup Stefan. I may write up a second part of this article which deals with how to use the Zend_Filter_Input class.

    • Dave on July 4, 2006

      Don’t forget the event handlers.
      Maybe you would do something like:

      Search again:

      What do you think happens if the user_input is:
      myvalue" onclick="javascript:alert('xss')>

      Didn’t check if there’s anything the Input Filter Class does with those strings.

      Additionally, I finished a small XSS-Workshop today: http://www.blogged-on.de/xss

      It’s worth looking… ;)

    • Dave on July 4, 2006

      Sry, my tags were stripped ;)
      Here the same again:

      Don’t forget the event handlers.
      Maybe you would do something like:

      Search again:

      What do you think happens if the user_input is:
      myvalue" onclick="javascript:alert('xss')>

      It becomes:

      Didn’t check if there’s anything the Input Filter Class does with those strings.

      Additionally, I finished a small XSS-Workshop today: http://www.blogged-on.de/xss

      It’s worth looking… ;)

    • vinuthomas on July 5, 2006

      Hey Dave,
      The XSS workshop you’ve set up is real cool!

    • maqs on July 22, 2006

      Wow! That’s what I can say… waiting for the second part of it…

      Cheers!

    • mk on September 19, 2006

      Wouldn’t the strip_tags function have a very similar effect, except for the fact that you can only strip either all tags or leave in specified ones? IMO strip_tags could be a little better since it is a good idea to remove all tags anyway except for the ones you really, really need.

      http://us3.php.net/manual/en/function.strip-tags.php

    • Gustav on March 8, 2007

      Interesting and useful article. :)
      At the moment I’m on the mission to find me a very good (if not the best) input cleaner.
      phpclasses.org’s “PHP Input Filter” class is not perfect; it has some flaws and is outdated. Check this article: http://devzone.zend.com/node/view/id/1752 . Especially read the comments.

    • vinuthomas on March 9, 2007

      Yep. I now use Zend_Filter. I’d written this before I discovered Zend Framework :)

    • Aship De on February 2, 2008

      Try htmLawed. Besides filtering admin-specified HTML tags, attributes, etc., it can also balance and properly nest HTML tags, transform deprecated tags and attributes, and so on.

    • Shindepy on August 11, 2010

      That's great work. It helped me a lot.

      Thanks and keep your good work going on. :)

    • Versie Orlander on May 18, 2011

      Great info thanks! What language is close to php as far as functionality and ease of use?
