Possible Duplicate:
PHP: the ultimate clean/secure function

I revised my site's security filters today. I used to filter input and do nothing with the output.

Here it is:

All user inputted variables go through these 2 functions depending on the type:

PS: Since I didn't start coding from scratch I did it for all variables, including the ones that aren't used in queries. I understand that this is a performance killer and will be undoing that. Better safe than sorry, right?

// numbers (I expect very large numbers)
function intfix($i)
{
   $i = preg_replace('/[^\d]/', '', $i);
   if (!strlen($i))
      $i = 0;
   return $i;
}

// escape non-numbers
function textfix($value) {
    $value = mysql_real_escape_string($value);
    return $value;
}

XSS preventing:

Input - filters user submitted text, like posts and messages. As you see it's currently empty. Not sure if strip_tags is needed.

Output - on all html outputs

function input($input){
    //$input = strip_tags($input, "");
    return $input;
}


function output($bbcode){

    $bbcode = textWrap($bbcode); // textWrap is my own helper: breaks long words
    $bbcode = htmlentities($bbcode, ENT_QUOTES, "UTF-8");
    $bbcode = str_replace("\n", "<br />", $bbcode);

    // then some bbcode (removed) and the img tag
    $urlmatch = "([a-zA-Z]+[:\/\/]+[A-Za-z0-9\-_]+\\.+[A-Za-z0-9\.\/%&=\?\-_]+)";

    $match["img"] = "/\[img\]".$urlmatch."\[\/img\]/is";
    $replace["img"] = "<center><img src=\"$1\" class=\"max\" /></center>";

    // apply the bbcode patterns (the two arrays are kept in the same order)
    $bbcode = preg_replace($match, $replace, $bbcode);

    return $bbcode;
}

I included the img tag because it could be vulnerable to css...

What do you think? Anything obviously wrong? Good enough?

  • What do you mean a duplicate? If anything I used to filter input the same way before recoding the functions. – domino Oct 30 '11 at 17:51
  • With possible duplicate I mean that a part of the context of your question has already been covered by another question. Your question looks to me like you want to learn how to do proper encoding, however it looks much intermixed with multiple domains of content, so I suggested a duplicate question that has this same problem as its topic. For example you're using `mysql_real_escape_string` without having it related to anything mysql. – hakre Oct 30 '11 at 17:55

1 Answer

Looks ok, but you could easily make one function for both texts and ints, checking its type first, and acting on it.
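As an added example (not code from the question or the answer), here are the same three jobs the asker's filters do, with each encoding applied at the destination that needs it rather than at input time, which is the point hakre's comment raises. It assumes PHP 7 or later; `$pdo` is an assumed PDO connection and `posts` is a placeholder table name.

```php
<?php
// Added example, not the asker's or answerer's code: number cleaning at
// input, SQL binding at the query, HTML encoding at output.

// Digits-only cleaner. Returned as a string on purpose: the asker expects
// very large numbers, and casting with (int) would overflow past PHP_INT_MAX.
function intfix(string $i): string {
    $i = preg_replace('/\D/', '', $i);
    return $i === '' ? '0' : $i;
}

// HTML context (element body or quoted attribute): encode at output time only,
// so the stored value stays raw and usable in other contexts.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: bind values instead of textfix()/mysql_real_escape_string().
// $pdo is an assumed PDO connection; "posts" is a placeholder table name.
function findPost(PDO $pdo, string $id, string $title): array {
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE id = ? AND title = ?');
    $stmt->execute([intfix($id), $title]);   // raw $title; the driver quotes it
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input, as a user might type it.
$id    = "12,345,678,901,234,567,890";
$title = "O'Reilly <b>& Sons</b>";

// The cleaned id is longer than PHP_INT_MAX, which is why intfix keeps a string.
var_dump(strlen(intfix($id)) > strlen((string) PHP_INT_MAX));

// Quotes, angle brackets and ampersand are encoded only when rendered.
echo html($title), "\n";
```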