phpguru.org

Cleaning input data


17th March 2005, 1032 views

If you don't read the phpsec list, you won't have seen the post from Jared Williams (iirc) about using SPL, and specifically ArrayAccess. It was asking for opinions on a set of classes for cleaning the "tainted" GET/POST/COOKIE arrays.

Personally, I think this is over-engineering for this particular issue, and it also has the potential to hamper your application's performance. There are a number of easy ways to undo the magic_quotes mangling and pre-process your data, and here are a few. Bear in mind that stripping the slashes added by magic_quotes_gpc only restores what the client actually sent; the data is no less untrusted afterwards, so it still has to be validated and escaped for SQL, HTML or the shell at the point where it is used.

<?php
/**
 * PHP5: array_walk_recursive() visits every leaf of a nested array and
 * passes each value by reference when the callback declares &$value.
 */
function array_clean(&$value)
{
    // Undo the escaping that magic_quotes_gpc adds to GET/POST/COOKIE data.
    if (ini_get('magic_quotes_gpc')) {
        $value = stripslashes($value);
    }

    // Optionally more sanitisation...
}

array_walk_recursive($_GET, 'array_clean');
array_walk_recursive($_POST, 'array_clean');
array_walk_recursive($_COOKIE, 'array_clean');
?>


<?php
/**
 * PHP4: there is no array_walk_recursive(), so the callback recurses into
 * nested arrays itself via array_walk().
 */
function array_clean(&$value)
{
    if (is_array($value)) {
        array_walk($value, 'array_clean');
        return;
    }

    // Undo the escaping that magic_quotes_gpc adds to GET/POST/COOKIE data.
    if (ini_get('magic_quotes_gpc')) {
        $value = stripslashes($value);
    }

    // Optionally more sanitisation...
}

array_walk($_GET, 'array_clean');
array_walk($_POST, 'array_clean');
array_walk($_COOKIE, 'array_clean');
?>

Unfortunately, you can't do this with PHP5:

<?php
array_walk_recursive($_GET, 'stripslashes');
?>

This fails for two reasons. array_walk_recursive() calls the callback with the array key as a second argument, and stripslashes() accepts at most one, so PHP complains about the extra parameter. More importantly, stripslashes() returns the cleaned string rather than modifying its argument in place, and array_walk_recursive() ignores the callback's return value; to change the array, the callback has to take the value by reference, as array_clean() above does. (For a flat array, $_GET = array_map('stripslashes', $_GET) would do the job, but it does not recurse into nested arrays.) Bummer.

Note: If all you're doing is stripping the slashes added by magic_quotes_gpc, move the if condition outside array_clean() so the arrays are not traversed at all when the option is turned off, i.e.:

<?php
// PHP5
function array_clean(&$value)
{
    $value = stripslashes($value);
}

// Only walk the arrays when magic_quotes_gpc actually mangled them.
if (ini_get('magic_quotes_gpc')) {
    array_walk_recursive($_GET, 'array_clean');
    array_walk_recursive($_POST, 'array_clean');
    array_walk_recursive($_COOKIE, 'array_clean');
}
?>
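get_magic_quotes_gpc() is the purpose-built check, but ini_get() has one practical advantage: it simply returns false once the directive no longer exists. magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, and get_magic_quotes_gpc() itself was removed in PHP 8.0, so code that calls it outright will fail there.

As an added example (my own code, not from the original post), here is the recursive cleaner written out for modern PHP, run on a constructed sample array that looks like magic-quoted input, followed by the validation and escaping that still has to happen at the point of use. Because the magic_quotes_gpc directive no longer exists, the example takes the on/off flag as a parameter instead of calling ini_get(); clean_gpc and the sample data are assumptions of this example, not names from the page.

```php
<?php
// Added example, not from the original post. Shows a recursive GPC cleaner,
// why the callback must take its value by reference, and that cleaning does
// not replace validation and escaping at the point of use.
declare(strict_types=1);

/**
 * Undo magic_quotes_gpc escaping and drop NUL bytes from every leaf of a
 * (possibly nested) GET/POST/COOKIE array, in place.
 *
 * @param array $data        the superglobal (or any nested array)
 * @param bool  $magicQuotes whether the input was escaped by magic_quotes_gpc
 *                           (assumed flag; the directive is gone since PHP 5.4)
 */
function clean_gpc(array &$data, bool $magicQuotes): void
{
    // The callback receives ($value, $key). It must declare &$value so the
    // assignment reaches the original array; passing 'stripslashes' directly
    // would hand it two arguments and throw its return value away.
    array_walk_recursive($data, function (&$value, $key) use ($magicQuotes): void {
        if (!is_string($value)) {
            return; // only strings can carry slashes or NUL bytes
        }
        if ($magicQuotes) {
            $value = stripslashes($value);
        }
        // A NUL byte is never legitimate form input and can truncate values
        // in C-string based consumers (file paths, some database drivers).
        $value = str_replace("\0", '', $value);
    });
}

// Constructed sample: what $_GET would contain with magic_quotes_gpc=On for
// the query string ?name=O'Reilly&tags[]=a"b&tags[]=plain&page=7%00
$get = [
    'name' => "O\\'Reilly",
    'tags' => ['a\\"b', 'plain'],
    'page' => "7\0",
];

// In a real request this would be: clean_gpc($_GET, (bool) ini_get('magic_quotes_gpc'));
clean_gpc($get, true);

// Cleaning only restores what the client sent; the values are still untrusted.
// Validate and escape each one where it is used.
$page = filter_var($get['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($page === false) {
    $page = 1; // reject anything that is not a positive integer
}
$safeName = htmlspecialchars($get['name'], ENT_QUOTES, 'UTF-8'); // for HTML output

var_dump($get);
var_dump($page);
var_dump($safeName);
```

The by-reference closure is the whole trick: array_walk_recursive() discards whatever the callback returns, so a plain stripslashes() could never have changed the array even if it tolerated the extra key argument. The filter_var() and htmlspecialchars() calls at the end are there to make the point that "cleaned" is not "safe for any particular sink".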

Comments

Author: Ren
Posted: 17th March 2005 20:52
Hmm, I'm not sure there is a real performance issue.

Retrieving a value from an array incurs an extra bit of work (milliseconds probably), but I don't expect that to significantly impact anything, unless you are doing several hundred thousand accesses to $_GET[], which I think is a bit unlikely.

Jared

PS. The classes also enforce validation of the GPC arrays, and not just handle magic_quotes.
Author: Pure-PHP
Posted: 17th March 2005 22:27
I also think it's just an extra bit of work; you don't always need stripslashes.

A "Java-like" approach would be much better.

Something like this:

$get->getString("name");

$get->getInt("id");

More info: http://www.pure-php.de/node/18
Author: Marc Worrell
Posted: 14th May 2006 16:14
I agree with Ren, the extra work involved in accessing the 'wrapped' superglobals is not a lot, especially when compared with any database query.

We, at Mediamatic, have our own wrapper in use. And we are happy that we have it.

You might want to take a look at:

http://www.marcworrell.com/article-101-en.html
Author: sasa
Posted: 16th June 2006 02:57
that's nice! that's nice! that's nice! that's nice! that's nice! that's nice! that's nice! that's nice!
Author: gsasa
Posted: 16th June 2006 02:57
<b>that's nice<i>testing</i><b>that's nice<i>testing</i><b>that's nice<i>testing</i><b>that's nice<i>testing</i><b>that's nice<i>testing</i><b>that's nice<i>testing</i><b>that's nice<i>testing</i>