Cleaning up your inputs
Cleaning up your inputs from $_POST, $_GET and $_REQUEST is an important task if you're looking at the security of your PHP applications. You can prevent many kinds of Cross Site Scripting (XSS) attacks if you know how to clean up user input, provided you still encode that data when you output it: an input filter is one layer, not the whole defence. Here's how to do the input-side cleanup using an Input Filter class from PHP Classes. To get started, head over to the PHP Classes page for the Input Filter Class by Daniel Morris and download the class file.
Once you have the class file, here's how you can go about cleaning up your input variables (the include line is needed so that the class is defined before it is used):
<?php
include 'class.inputfilter.php';
$before = $_REQUEST['before'];
$myFilter = new InputFilter();
$after = $myFilter->process($before);
echo $after;
?>
So if you pass the string "<script>alert('xss');</script>" as the before value in the code above, the input filter changes it to alert('xss'); after removing the script tags. All you have to do is instantiate the InputFilter class with the following line:
$myFilter = new InputFilter();
and run the string you want processed through the process() method:
$after = $myFilter->process($before);
You can also send entire arrays to be processed by the InputFilter class:
$_POST = $myFilter->process($_POST);
This class can also be used to remove specific HTML tags from your input string. Say, for example, that you want to remove all the bold tags <b> and <strong> from your HTML string; all you need to do is:
<?php
include 'class.inputfilter.php';
$before = $_REQUEST['before'];
$tags = array("b","strong");
$myFilter = new InputFilter($tags, array(),1, 1);
$after = $myFilter->process($before);
echo $after;
?>
If we pass the string "<strong>test</strong> <em>hello world</em>", the output of the script will be "test <em>hello world</em>" (the listed tags are stripped, tags not in the list are left alone).
If you'd like to retain only the <b> and <strong> tags in the above example, change the constructor line to read
$myFilter = new InputFilter($tags, array(),0, 1);
This will change the output to "<strong>test</strong> hello world": now only the listed tags survive and the <em> tags are stripped.
Let's break down the constructor of the InputFilter class:
InputFilter($tagsArray, $attrArray, $tagsMethod , $attrMethod);
$tagsArray is an array of user-defined tags
$attrArray is an array of user-defined attributes
$tagsMethod is 0 or 1: 0 means only the user-defined tags are allowed and every other tag is stripped; 1 means the user-defined tags are stripped and every other tag is left in place.
Similarly, $attrMethod retains only the user-defined attributes when set to 0 and strips the user-defined attributes when set to 1.
Let's see the attribute filtering provided by this class in action, taking the following HTML string as an example:
<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">
Let's make a filter that retains only the src and target attributes in the HTML above, so that the onclick and onmouseover event handlers are dropped:
$tags = array("img","b");
$attr = array("src","target");
$myFilter = new InputFilter($tags, $attr, 0, 0);
$after = $myFilter->process($before);
It's as simple as that for stripping tags and attributes. Keep in mind, though, that a filter applied on input cannot know which context the data will land in later. Data echoed back into a page should still be encoded at output time with htmlspecialchars(), and a value placed inside an attribute needs its quotes encoded too (ENT_QUOTES), otherwise a payload that closes the attribute and adds its own onclick handler can get past a filter that only looks at tags.
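To tie the three configurations together, here is an added example; it is not code from the original article or from the InputFilter class itself. It assumes class.inputfilter.php from PHP Classes sits beside the script and exposes the constructor and process() method described above; the function names stripAll, keepBoldOnly, keepSafeImg and renderEscaped and the sample strings are this example's own. It also shows the step the article leaves out: encoding the value at output time.

```php
<?php
// Added example (not from the original article or the InputFilter class).
// Assumes class.inputfilter.php from PHP Classes is in the same directory
// and provides InputFilter($tagsArray, $attrArray, $tagsMethod, $attrMethod)
// with a process() method, as described in the article.
require_once 'class.inputfilter.php';

// Constructed sample inputs, the same strings the article discusses.
$samples = array(
    'script' => '<script>alert(\'xss\');</script>',
    'bold'   => '<strong>test</strong> <em>hello world</em>',
    'img'    => '<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">',
);

// 1. Default filter: no tag or attribute allowlist at all.
function stripAll($input)
{
    $filter = new InputFilter();
    return $filter->process($input);
}

// 2. Tag allowlist: keep only <b> and <strong>, strip every other tag
//    ($tagsMethod = 0 means "allow only the listed tags").
function keepBoldOnly($input)
{
    $filter = new InputFilter(array('b', 'strong'), array(), 0, 1);
    return $filter->process($input);
}

// 3. Tag and attribute allowlist: keep <img> with src/target only, so
//    event-handler attributes such as onclick and onmouseover are dropped
//    ($attrMethod = 0 means "allow only the listed attributes").
function keepSafeImg($input)
{
    $filter = new InputFilter(array('img', 'b'), array('src', 'target'), 0, 0);
    return $filter->process($input);
}

// 4. Filtering on input does not replace encoding on output. A value that is
//    reflected as plain text or inside an attribute must be escaped for that
//    context; ENT_QUOTES also encodes the quote characters that would let an
//    attacker break out of a quoted attribute and add an onclick handler.
function renderEscaped($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Whole-array processing, as the article shows for $_POST.
$filter = new InputFilter();
$cleanPost = $filter->process($_POST);

// Run every sample through the three configurations.
foreach ($samples as $name => $raw) {
    echo "== $name ==\n";
    echo "stripAll:     " . stripAll($raw) . "\n";
    echo "keepBoldOnly: " . keepBoldOnly($raw) . "\n";
    echo "keepSafeImg:  " . keepSafeImg($raw) . "\n";
}

// Reflecting a search term into a form field: encode for the attribute
// context instead of relying on the tag filter alone.
$search = isset($_GET['q']) ? $_GET['q'] : '';
echo '<input type="text" name="q" value="' . renderEscaped($search) . '">' . "\n";
```

The two tools serve different jobs: the InputFilter allowlists are for the case where you deliberately want to keep some HTML (a comment body with bold text, an image tag), and htmlspecialchars() is for every place where the value is meant to be displayed as text, not interpreted as markup. Use the filter on the former and the encoder on the latter; applying only the filter to a value that ends up inside an attribute is exactly the gap the event-handler comment below points at.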
11 Responses to “Cleaning up your inputs”
By stefan on Jul 3, 2006 | Reply
I would like to recommend also looking into the Zend_Filter_Input class of the Zend Framework: http://framework.zend.com/manual/en/zend.filter.input.html
Very useful, very solid code, from THE person that focusses on secure PHP programming.
By vinu on Jul 4, 2006 | Reply
Thanks for the headsup Stefan. I may write up a second part of this article which deals with how to use the Zend_Filter_Input class.
By Dave on Jul 4, 2006 | Reply
Don't forget the event handlers. Maybe you would do something like:
Search again:
What do you think happens if the user_input is:
myvalue" onclick="javascript:alert('xss')>
Didn't check if there's anything the Input Filter Class does with those strings.
Additionally, I finished a small XSS-Workshop today: http://www.blogged-on.de/xss
It's worth looking…
By Dave on Jul 4, 2006 | Reply
Sry, my tags were stripped ;) Here the same again:
Don't forget the event handlers. Maybe you would do something like:
Search again:
What do you think happens if the user_input is:
myvalue" onclick="javascript:alert('xss')>
It becomes:
Didn't check if there's anything the Input Filter Class does with those strings.
Additionally, I finished a small XSS-Workshop today: http://www.blogged-on.de/xss
It's worth looking…
By vinu on Jul 5, 2006 | Reply
Hey Dave, the XSS workshop you've set up is real cool!
By maqs on Jul 22, 2006 | Reply
Wow! That's what I can say… waiting for the second part of it…
Cheers!
By mk on Sep 19, 2006 | Reply
Wouldn't the strip_tags function have a very similar effect, except for the fact that you can only strip either all tags or leave in specified ones? IMO strip_tags could be a little better since it is a good idea to remove all tags anyway except for the ones you really, really need. http://us3.php.net/manual/en/function.strip-tags.php
By Gustav on Mar 8, 2007 | Reply
Interesting and useful article.
At the moment I’m on the mission to find me a very good (if not the best) input cleaner.
phpclasses.org's "PHP Input Filter" class is not perfect, it has some flaws and is outdated. Check this article: http://devzone.zend.com/node/view/id/1752 . Especially read the comments.
By vinu on Mar 9, 2007 | Reply
Yep. I now use Zend_Filter. I’d written this before I discovered Zend Framework
By Aship De on Feb 3, 2008 | Reply
Try htmLawed. Besides filtering admin-specified HTML tags, attributes, etc., it can also balance and properly nest HTML tags, transform deprecated tags and attributes, and so on.