InputFilter
Protect Against Malicious SQL and HTML
Introduction
InputFilter is a singleton class (although not enforced by the constructor) with three public methods that are useful in protecting a web site from potential security threats from user input.
InputFilter::safeSQL() protects SQL from the user.
InputFilter::process() protects HTML tags and attributes from the user.
InputFilter::process_all() applies process() to all possible sources of user input.
safeSQL(): Protect SQL
Web site security may be threatened by SQL injection if a user is allowed to input a query that is not properly screened. SQL statements are delimited by punctuation characters. In particular, the beginning and end of the information being stored or searched for are delimited by quotes. If a user is permitted to include unprotected quotes in their search, there is a danger that a malicious user might take advantage of this to inject unauthorized commands into the database.
To protect against this attack, user information is examined for quotes and other characters that might be used in an attack, and every such character is escaped by prefixing the character with a backslash ('\'). The backslash tells the database to treat the following character as data, not a command.
InputFilter::safeSQL() may be called as a static method to screen character strings for threatening characters and apply the protective backslashes. An open MySQL connection resource is needed to establish the appropriate character set. For example:
<?php
// 'hostname', 'username' and 'password' are placeholders for your own values.
$rs = mysql_connect('hostname', 'username', 'password');
$unsafe = "search term'; drop database employees;";
// The connection resource lets safeSQL() escape for the connection's character set.
$protected = InputFilter::safeSQL($unsafe, $rs);
// $protected contains "search term\'; drop database employees;"
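The following is an added example, not code from the InputFilter distribution. It shows why the backslash matters: a query built from the raw input contains a quote that closes the string literal early, while the escaped form keeps the whole input inside one literal. Because safeSQL() needs a live MySQL connection, the escaper here is a hypothetical stand-in written for this page that mirrors the documented backslash behaviour (it prefixes the characters MySQL's escaping treats specially); in production call InputFilter::safeSQL($term, $rs) instead, since correct escaping depends on the connection's character set. The literal counter is a toy scanner for illustration only.

```php
<?php
// Hypothetical stand-in for InputFilter::safeSQL(): backslash-prefix the
// characters MySQL's escaping treats specially. Not the class's own code.
function escapeStandIn(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Build the same query with and without escaping.
function buildSearch(string $term, bool $escape): string {
    $value = $escape ? escapeStandIn($term) : $term;
    return "SELECT id, name FROM employees WHERE name = '" . $value . "'";
}

// Toy scanner: count single-quoted literals, honouring backslash escapes,
// and report whether the last literal was closed. Real MySQL parsing also
// handles '' and other syntax; this is only enough to show the point.
function countLiterals(string $sql): array {
    $inLiteral = false;
    $count = 0;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($inLiteral && $c === '\\') {
            $i++;            // skip the escaped character
            continue;
        }
        if ($c === "'") {
            $inLiteral = !$inLiteral;
            if ($inLiteral) {
                $count++;
            }
        }
    }
    return ['literals' => $count, 'terminated' => !$inLiteral];
}

// Constructed input with the same shape as the page's example.
$unsafe = "search term'; drop database employees;";

// Raw: the user's quote ends the literal after "search term", so the rest
// of the input is parsed as SQL and the query ends with an unclosed quote.
$raw = buildSearch($unsafe, false);
print_r(countLiterals($raw));      // two literals, the last one unterminated

// Escaped: the quote becomes \' and the entire input stays inside one literal.
$safe = buildSearch($unsafe, true);
print_r(countLiterals($safe));     // one literal, terminated
```

Escaping keeps user text inside the literal, which is exactly what safeSQL() is for; note that it does nothing for values that are not quoted in the query (numeric positions, identifiers), which must be validated separately.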
process(): Protect Against HTML Tags and Attributes
InputFilter::process() eliminates potentially dangerous HTML tags and attributes from its input. There are internal lists of blacklisted tags and blacklisted attributes that can optionally be removed from the input. The constructor also accepts lists of forbidden tags and attributes and allows the listed names to be removed, or alternatively to be the only names accepted.
To use this method, you must construct an object of the InputFilter class, with optional behavior specified in the constructor call. The options are stored as static attributes of the constructed object, so any reference to an object of the class will use the attributes in the most recent object. Therefore it makes code more readable to use static calls. For example:
@new InputFilter();
$output_string = InputFilter::process($input_string);
The default constructor, as above, rejects all tags and attributes, returning only the text between tags. You can construct an object which rejects only the blacklisted tags and attributes as follows:
@new InputFilter(array(),array(),1,1,1);
You would probably be more secure if you listed what you know to be safe, instead of trying to think of everything that might be a threat:
@new InputFilter(array('div','span','strong','em'),
array('id','class'),0,0,0);
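The following is an added example, not code from the InputFilter distribution. It assumes the InputFilter class is loaded and wraps the two constructions shown above (allow list and default reject-all) in helper functions, so that the constructor is called immediately before every process() call. Because the options are static attributes and the most recently constructed object wins, this discipline is what keeps a filter constructed elsewhere in the code from silently changing what a process() call does. The sample input and the helper names are constructed for this page.

```php
<?php
// Allow-list filter: only the listed tags and attributes survive; any other
// tag is removed and only the text between its open and close tags is kept.
function filterRichText(string $html): string {
    @new InputFilter(array('div', 'span', 'strong', 'em'),
                     array('id', 'class'), 0, 0, 0);
    return InputFilter::process($html);
}

// Default filter: reject all tags and attributes, keep only the text.
function filterPlainText(string $html): string {
    @new InputFilter();
    return InputFilter::process($html);
}

// Block-list filter: remove only the internal blacklisted tags and attributes.
// Use this only where arbitrary markup must be preserved; the allow list above
// is the safer default because it needs no guess at what might be dangerous.
function filterBlacklistOnly(string $html): string {
    @new InputFilter(array(), array(), 1, 1, 1);
    return InputFilter::process($html);
}

// Constructed sample: a comment mixing wanted markup with a script tag and an
// event-handler attribute that none of the filters should let through as-is.
$comment = '<div class="note" onmouseover="alert(1)">Hello <strong>world</strong>'
         . ' <script>alert(1)</script></div>';

// Each helper constructs its own object right before process(), so the call
// order is irrelevant: every call runs with the options its helper chose.
$rich  = filterRichText($comment);    // <div class> and <strong> kept
$plain = filterPlainText($comment);   // text only, no tags at all
$loose = filterBlacklistOnly($comment);

// The same three calls without helpers would depend on whichever constructor
// ran last, which is the readability and safety problem the text describes.
```

When reviewing code that uses this class, look for any InputFilter::process() call that is not preceded by a constructor call in the same function; its behaviour depends on control flow elsewhere.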
process_all(): Protect Against HTML in Request Variables
InputFilter::process_all() eliminates potentially dangerous HTML tags and attributes from the predefined globals $_POST, $_GET and $_REQUEST. Call the method statically, as InputFilter::process_all(), with the same arguments as used by the constructor.
A new object will be constructed with these options and then InputFilter::process() will be called on each of $_GET, $_POST and $_REQUEST. The options in the call to process_all() are stored as static attributes of the new object, so they will be used on any calls to InputFilter::process() until another object is constructed.
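The following is an added example, not code from the InputFilter distribution. It assumes the InputFilter class is loaded and that process_all() with no arguments behaves like the default constructor (reject all tags and attributes). It shows the ordering that process_all() implies: the superglobals are rewritten in place, so a field that is allowed limited markup must be copied out before the call and filtered separately with an allow list, and any process() call made after that allow-list construction inherits the allow list unless a new default object is constructed. Field names and sample values are constructed for this page.

```php
<?php
// 1. Keep a raw copy of the one field that may carry limited markup.
//    After process_all() runs, $_POST['body'] will contain plain text only.
$rawBody = isset($_POST['body']) ? (string) $_POST['body'] : '';

// 2. Strip all tags and attributes from every request variable. With no
//    arguments this is the default reject-all configuration; these options
//    also become the static options for any later process() call.
InputFilter::process_all();

// 3. Fields that should never contain markup are now safe to use as text.
$title = isset($_POST['title']) ? (string) $_POST['title'] : '';

// 4. Re-filter the raw body with an allow list so it can be shown as HTML.
//    Constructing this object replaces the static options set in step 2.
@new InputFilter(array('p', 'strong', 'em'), array(), 0, 0, 0);
$body = InputFilter::process($rawBody);

// 5. The allow list is now the active option set. A later process() call on
//    some other input, say a string loaded from storage rather than from the
//    request, must construct a default object first or it inherits the
//    allow list from step 4.
$stored = '<em>cached</em> <script>alert(1)</script>';   // constructed sample
@new InputFilter();
$storedText = InputFilter::process($stored);              // text only
```

The raw copy in step 1 is the only way to offer both behaviours, because process_all() does not keep the original request values anywhere.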