PHPonTrax

InputFilter

Protect Against Malicious SQL and HTML

Introduction

InputFilter is a singleton class (although not enforced by the constructor) with three public methods that are useful in protecting a web site from potential security threats from user input.

  • InputFilter::safeSQL() protects SQL from the user.
  • InputFilter::process() protects HTML tags and attributes from the user.
  • InputFilter::process_all() applies process() to all possible sources of user input.

    safeSQL(): Protect SQL

    Web site security may be threatened by SQL injection if a user is allowed to input a query that is not properly screened. SQL statements are delimited by punctuation characters. In particular, the beginning and end of the information being stored or searched for are delimited by quotes. If a user is permitted to include unprotected quotes in their search, there is a danger that a malicious user might take advantage of this to inject unauthorized commands into the database.

    To protect against this attack, user information is examined for quotes and other characters that might be used in an attack, and every such character is escaped by prefixing the character with a backslash ('\'). The backslash tells the database to treat the following character as data, not a command.

    InputFilter::safeSQL() may be called as a static method to screen character strings for threatening characters and apply the protective backslashes. An open MySQL connection resource is needed to establish the appropriate character set. For example:

    $rs = mysql_connect('hostname', 'username', 'password');
    $unsafe = "search term'; drop database employees;";
    $protected = InputFilter::safeSQL($unsafe,$rs);
    // $protected contains "search term\'; drop database employees;"
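    The following is an added illustration of the escaping rule described above; it is not PHPonTrax's own InputFilter code. escape_for_mysql() is a hypothetical stand-in for InputFilter::safeSQL(), has_unescaped_quote() is a small check a caller can run before interpolating a value, and the sample inputs (including the page's own) are constructed. The stand-in assumes a single-byte or UTF-8 connection character set; the real method takes a connection resource precisely because multi-byte character sets change which bytes count as a quote.

```php
<?php
// Added illustration, not PHPonTrax's InputFilter code. escape_for_mysql()
// is a hypothetical stand-in for InputFilter::safeSQL(): it prefixes the
// characters that could end a literal or alter a statement with a backslash,
// the set MySQL's own escaping routine protects. It assumes a single-byte or
// UTF-8 connection character set.

function escape_for_mysql(string $value): string
{
    // strtr() replaces in a single pass over the input, so backslashes it
    // inserts are never themselves re-escaped.
    return strtr($value, [
        "\\"   => "\\\\",   // backslash
        "\0"   => "\\0",    // NUL byte
        "\n"   => "\\n",    // newline
        "\r"   => "\\r",    // carriage return
        "'"    => "\\'",    // single quote, the literal delimiter
        "\""   => "\\\"",   // double quote
        "\x1a" => "\\Z",    // Ctrl-Z (end-of-file marker on Windows)
    ]);
}

// Defender-side check: is there still a quote that is not preceded by a
// backslash? Lets a caller assert that escaping actually ran before a value
// is interpolated into a statement.
function has_unescaped_quote(string $value): bool
{
    $escaped = false;
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        $ch = $value[$i];
        if ($escaped) {
            $escaped = false;          // this character is data, skip it
        } elseif ($ch === "\\") {
            $escaped = true;           // next character is protected
        } elseif ($ch === "'" || $ch === '"') {
            return true;
        }
    }
    return false;
}

function build_search_query(string $term): string
{
    $safe = escape_for_mysql($term);
    assert(!has_unescaped_quote($safe));
    // The surrounding quotes belong to the statement; nothing inside $safe
    // can close them early, so the whole value stays data.
    return "SELECT name FROM employees WHERE name = '" . $safe . "'";
}

// Constructed inputs: the page's sample plus a few other awkward values.
$samples = [
    "search term'; drop database employees;",
    "O'Brien",
    "back\\slash and \"double\" quotes",
    "line\nbreak and NUL\0byte",
];
foreach ($samples as $unsafe) {
    printf("%-50s -> %s\n", json_encode($unsafe), build_search_query($unsafe));
}
```

    Run it from the command line with php; each line shows the raw value (JSON-encoded so control characters are visible) beside the statement it ends up in. The first sample reproduces the page's result: the closing quote after "search term" is turned into \' and the would-be second statement stays inside the literal.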

    process(): Protect Against HTML Tags and Attributes

    InputFilter::process() removes potentially dangerous HTML tags and attributes from its input. The class carries internal blacklists of tag names and of attribute names, and removing the listed names from the input is optional. The constructor also accepts caller-supplied lists of tag and attribute names, which can be treated either as additional names to remove or as the only names accepted.

    To use this method, you must construct an object of the InputFilter class, with optional behavior specified in the constructor call. The options are stored as static attributes of the constructed object, so any reference to an object of the class will use the attributes in the most recent object. Therefore it makes code more readable to use static calls. For example:

    @new InputFilter();
    $output_string = InputFilter::process($input_string);

    The default constructor, as above, rejects all tags and attributes, returning only the text between tags. You can construct an object which rejects only the blacklisted tags and attributes as follows:

    @new InputFilter(array(),array(),1,1,1);

    You would probably be more secure if you listed what you know to be safe, instead of trying to think of everything that might be a threat:

    @new InputFilter(array('div','span','strong','em'),
                     array('id','class'),0,0,0);

    process_all(): Protect Against HTML in Request Variables

    InputFilter::process_all() eliminates potentially dangerous HTML tags and attributes from the predefined globals $_POST, $_GET and $_REQUEST. Call it statically, as InputFilter::process_all(), with the same arguments the constructor takes. A new object is constructed with these options and InputFilter::process() is then called on each of $_GET, $_POST and $_REQUEST. Because the options passed to process_all() are stored as static attributes of the new object, they remain in effect for any later calls to InputFilter::process() until another object is constructed.
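    The block below is an added example covering both process() and process_all(); it is not PHPonTrax's code and does not reproduce the InputFilter internals. filter_html() and filter_request() are hypothetical stand-ins that take the allowed-tag and allowed-attribute lists as parameters instead of static attributes, so the example stays self-contained. It uses the whitelist from the third constructor call above (div, span, strong, em; id, class) and, like the default constructor, keeps only the text of a rejected tag. The request array is constructed, not a real $_GET.

```php
<?php
// Added example, not PHPonTrax's InputFilter code. filter_html() stands in
// for InputFilter::process() (whitelist of tags and attributes, rejected
// tags contribute only their text) and filter_request() for process_all()
// (apply the filter to every value of a request array).

function serialize_filtered(DOMNode $node, array $tags, array $attrs): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Text is re-escaped on output so it can never become markup.
            $out .= htmlspecialchars($child->textContent, ENT_QUOTES, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $name  = strtolower($child->tagName);
            $inner = serialize_filtered($child, $tags, $attrs);
            if (!in_array($name, $tags, true)) {
                $out .= $inner;        // tag rejected: keep only its contents
                continue;
            }
            $out .= '<' . $name;
            foreach ($child->attributes as $attr) {
                $aname = strtolower($attr->name);
                if (in_array($aname, $attrs, true)) {   // anything else (onclick, style, ...) is dropped
                    $out .= ' ' . $aname . '="'
                          . htmlspecialchars($attr->value, ENT_QUOTES, 'UTF-8') . '"';
                }
            }
            // Always emits a closing tag; fine for the container tags used here.
            $out .= '>' . $inner . '</' . $name . '>';
        }
        // Comments and processing instructions are dropped entirely.
    }
    return $out;
}

function filter_html(string $html, array $allowed_tags = [], array $allowed_attrs = []): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);    // user markup is often malformed
    $doc->loadHTML('<?xml encoding="UTF-8"?><body>' . $html . '</body>');
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : serialize_filtered($body, $allowed_tags, $allowed_attrs);
}

// Equivalent of process_all() for one request array: filters every scalar
// value, descending into nested arrays such as field[]=... parameters.
function filter_request(array $request, array $allowed_tags = [], array $allowed_attrs = []): array
{
    $clean = [];
    foreach ($request as $key => $value) {
        $clean[$key] = is_array($value)
            ? filter_request($value, $allowed_tags, $allowed_attrs)
            : filter_html((string) $value, $allowed_tags, $allowed_attrs);
    }
    return $clean;
}

// Constructed sample standing in for $_GET; not taken from a real request.
$sample_get = [
    'comment' => '<strong onclick="alert(1)" class="note">hi</strong> <script>alert(2)</script>',
    'nested'  => ['q' => '<div id="x" style="color:red">text &amp; more</div><!-- hidden -->'],
];
$allowed_tags  = ['div', 'span', 'strong', 'em'];
$allowed_attrs = ['id', 'class'];

echo filter_html('<em title="t">plain</em>', [], []), "\n";   // default: text only
print_r(filter_request($sample_get, $allowed_tags, $allowed_attrs));
```

    With the default (empty) lists every tag is stripped and only escaped text remains, matching the behaviour of the default constructor; with the whitelist, strong keeps its class attribute but loses onclick, the script element is reduced to escaped text, and the comment disappears. Working from an allowed list rather than a forbidden one is what makes the outcome predictable: a tag or attribute the filter has never heard of is rejected by default rather than let through.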


    Documentation generated on Thu, 04 May 2006 19:46:55 -0600 by phpDocumentor 1.3.0RC4