PHPonTrax
[ class tree: PHPonTrax ] [ index: PHPonTrax ] [ all elements ]

Source for file input_filter.php

Documentation is available at input_filter.php

  1. <?php
  2. /**
  3. * File containing the InputFilter class
  4. *
  5. * (PHP 5)
  6. *
  7. * @package PHPonTrax
  8. * @version $Id$
  9. * @author Daniel Morris
  10. * contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider,
  11. * Chris Tobin and Andrew Eddie.
  12. * @copyright Daniel Morris <dan@rootcube.com>
  13. * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  14. */
  15.  
  16. /**
  17. * Filter user input to remove potential security threats
  18. *
  19. * InputFilter has three public methods that are useful in protecting
  20. * a web site from potential security threats from user input.
  21. * <ul>
  22. * <li>{@link safeSQL()} protects SQL from the user.</li>
  23. * <li>{@link process()} protects HTML tags and attributes from the
  24. * user.</li>
  25. * <li>{@link process_all()} applies {@link process()} to all
  26. * possible sources of user input</li>
  27. * </ul>
  28. * For usage instructions see
  29. * {@tutorial PHPonTrax/InputFilter.cls the class tutorial}.
  30. * @todo Check FIXMEs
  31. */
  32. class InputFilter {
  33. /**
  34. * User-provided list of tags to either accept or reject
  35. *
  36. * Whether the tags in this list are accepted or rejected is
  37. * determined by the value of {@link $tagsMethod}.
  38. * <b>FIXME:</b> static declaration must be after visibility declaration
  39. * @var string[]
  40. */
  41. static protected $tagsArray = array(); // default = empty array
  42. /**
  43. * User-provided list of attributes to either accept or reject
  44. *
  45. * Whether the attributes in this list are accepted or rejected is
  46. * determined by the value of {@link $attrMethod}.
  47. * <b>FIXME:</b> static declaration must be after visibility declaration
  48. * @var string[]
  49. */
  50. static protected $attrArray = array(); // default = empty array
  51. /**
  52. * How to apply user-provided tags list
  53. *
  54. * Which method to use when applying the list of tags provided by
  55. * the user and stored in {@link $tagsArray}.
  56. * @var boolean Tested by {@link filterTags()} to see whether the
  57. * user-provide list of tags in {@link $tagsArray}
  58. * describes those tags which are forbidden, or
  59. * those tags which are permitted. Default false.
  60. * <ul>
  61. * <li>true => Remove those tags which are in
  62. * {@link $tagsArray}.</li>
  63. * <li>false => Allow only those tags which are listed in
  64. * {@link $tagsArray}.</li>
  65. * </ul>
  66. * <b>FIXME:</b> static declaration must be after visibility declaration
  67. */
  68. static protected $tagsMethod = 0; // default = 0
  69. /**
  70. * How to apply user-provided attribute list
  71. *
  72. * Which method to use when applying the list of attributes
  73. * provided by the user and stored in {@link $attrArray}.
  74. * @var boolean Tested by {@link filterAttr()} to see whether the
  75. * user-provide list of tags in {@link $attrArray}
  76. * describes those tags which are forbidden, or
  77. * those tags which are permitted. Default false.
  78. * <ul>
  79. * <li>true => Remove those tags which are in
  80. * {@link $attrArray}.</li>
  81. * <li>false => Allow only those tags which are listed in
  82. * {@link $attrArray}.</li>
  83. * </ul>
  84. * <b>FIXME:</b> static declaration must be after visibility declaration
  85. */
  86. static protected $attrMethod = 0; // default = 0
  87.  
  88. /**
  89. * Whether to remove blacklisted tags and attributes
  90. *
  91. * @var boolean Tested by {@link filterAttr()} and
  92. * {@link filterTags()} to see whether to remove
  93. * blacklisted tags and attributes. Default true.
  94. * <ul>
  95. * <li>true => Remove tags in {@link $tagBlacklist} and
  96. * attributes in {@link $attrBlacklist}, in
  97. * addition to all other potentially suspect tags
  98. * and attributes.</li>
  99. * <li>false => Remove potentially suspect tags and attributes
  100. * without consulting{@link $tagBlacklist} or
  101. * {@link $attrBlacklist}.</li>
  102. * </ul>
  103. * <b>FIXME:</b> static declaration must be after visibility declaration
  104. */
  105. static protected $xssAuto = 1; // default = 1
  106. /**
  107. * List of tags to be removed
  108. *
  109. * If {@link $xssAuto} is true, remove the tags in this list.
  110. * @var string[]
  111. * <b>FIXME:</b> static declaration must be after visibility declaration
  112. */
  113. static protected $tagBlacklist =
  114. array('applet', 'body', 'bgsound', 'base', 'basefont', 'embed',
  115. 'frame', 'frameset', 'head', 'html', 'id', 'iframe',
  116. 'ilayer', 'layer', 'link', 'meta', 'name', 'object',
  117. 'script', 'style', 'title', 'xml');
  118. /**
  119. * List of attributes to be removed
  120. *
  121. * If {@link $xssAuto} is true, remove the attributes in this list.
  122. * @var string[]
  123. * <b>FIXME:</b> static declaration must be after visibility declaration
  124. */
  125. static protected $attrBlacklist =
  126. array('action', 'background', 'codebase', 'dynsrc', 'lowsrc');
  127. /**
  128. * Constructor for InputFilter class.
  129. *
  130. * @param string[] $tagsArray User-provided list of tags to
  131. * either accept or reject. Default: none
  132. * @param string[] $attrArray User-provided list of attributes to
  133. * either accept or reject. Default: none
  134. * @param boolean $tagsMethod How to apply the list of tags in $tagsArray:
  135. * <ul>
  136. * <li>true => Remove those tags which are listed in
  137. * $tagsArray.</li>
  138. * <li>false => Allow only those tags which are listed in
  139. * $tagsArray.</li>
  140. * </ul>
  141. * Default: false
  142. * @param boolean $attrMethod How to apply the list of attributess in $attrArray:
  143. * <ul>
  144. * <li>true => Remove those attributes which are listed in
  145. * $attrArray.</li>
  146. * <li>false => Allow only those attributes which are listed in
  147. * $attrArray.</li>
  148. * </ul>
  149. * Default: false
  150. * @param boolean $xssAuto Behavior of {@link filterTags()}:
  151. * <ul>
  152. * <li>true => Remove tags in {@link $tagBlacklist} and
  153. * attributes in {@link $attrBlacklist}, in
  154. * addition to all other potentially suspect tags
  155. * and attributes.</li>
  156. * <li>false => Remove potentially suspect tags and attributes
  157. * without consulting{@link $tagBlacklist} or
  158. * {@link $attrBlacklist}.</li>
  159. * </ul>
  160. * Default: true
  161. * @uses $attrArray
  162. * @uses $attrMethod
  163. * @uses $tagsArray
  164. * @uses $tagsMethod
  165. */
  166. public function __construct($tagsArray = array(), $attrArray = array(),
  167. $tagsMethod = 0, $attrMethod = 0,
  168. $xssAuto = 1) {
  169. // make sure user defined arrays are in lowercase
  170. for ($i = 0; $i < count($tagsArray); $i++) $tagsArray[$i] = strtolower($tagsArray[$i]);
  171. for ($i = 0; $i < count($attrArray); $i++) $attrArray[$i] = strtolower($attrArray[$i]);
  172. // assign to member vars
  173. self::$tagsArray = (array) $tagsArray;
  174. self::$attrArray = (array) $attrArray;
  175. self::$tagsMethod = $tagsMethod;
  176. self::$attrMethod = $attrMethod;
  177. self::$xssAuto = $xssAuto;
  178. }
  179.  
  180. /**
  181. * Remove forbidden tags and attributes from user input
  182. *
  183. * Construct an InputFilter object. Then apply the
  184. * {@link process()} method to each of the user input arrays
  185. * {@link http://www.php.net/reserved.variables#reserved.variables.post $_POST},
  186. * {@link http://www.php.net/reserved.variables#reserved.variables.get $_GET} and
  187. * {@link http://www.php.net/reserved.variables#reserved.variables.request $_REQUEST}.
  188. * <b>FIXME:</b> isn't it partly redundant to do this to $_REQUEST?
  189. * Shouldn't we do it to $_COOKIE instead?
  190. * @param string[] $tagsArray User-provided list of tags to
  191. * either accept or reject. Default: none
  192. * @param string[] $attrArray User-provided list of attributes to
  193. * either accept or reject. Default: none
  194. * @param boolean $tagsMethod How to apply the list of tags in $tagsArray:
  195. * <ul>
  196. * <li>true => Remove those tags which are listed in
  197. * $tagsArray.</li>
  198. * <li>false => Allow only those tags which are listed in
  199. * $tagsArray.</li>
  200. * </ul>
  201. * Default: false
  202. * @param boolean $attrMethod How to apply the list of attributess in $attrArray:
  203. * <ul>
  204. * <li>true => Remove those attributes which are listed in
  205. * $attrArray.</li>
  206. * <li>false => Allow only those attributes which are listed in
  207. * $attrArray.</li>
  208. * </ul>
  209. * Default: false
  210. * @param boolean $xssAuto Behavior of {@link filterTags()}:
  211. * <ul>
  212. * <li>true => Remove tags in {@link $tagBlacklist} and
  213. * attributes in {@link $attrBlacklist}, in
  214. * addition to all other potentially suspect tags
  215. * and attributes.</li>
  216. * <li>false => Remove potentially suspect tags and attributes
  217. * without consulting{@link $tagBlacklist} or
  218. * {@link $attrBlacklist}.</li>
  219. * </ul>
  220. * Default: true
  221. * @author John Peterson
  222. * @uses __construct()
  223. * @uses process()
  224. * @todo Check out FIXMEs
  225. */
  226. public function process_all($tagsArray = array(), $attrArray = array(),
  227. $tagsMethod = 0, $attrMethod = 0,
  228. $xssAuto = 1) {
  229. self::__construct($tagsArray, $attrArray, $tagsMethod,
  230. $attrMethod, $xssAuto);
  231. if(count($_POST)) {
  232. $_POST = self::process($_POST);
  233. }
  234. if(count($_GET)) {
  235. $_GET = self::process($_GET);
  236. }
  237. if(count($_REQUEST)) {
  238. $_REQUEST = self::process($_REQUEST);
  239. }
  240. }
  241. /**
  242. * Remove forbidden tags and attributes from array of strings
  243. *
  244. * Accept a string or array of strings. For each string in the
  245. * source, remove the forbidden tags and attributes from the string.
  246. * @param mixed $source - input string/array-of-string to be 'cleaned'
  247. * @return mixed 'cleaned' version of input parameter
  248. * @uses decode()
  249. * @uses remove()
  250. */
  251. public function process($source) {
  252. // clean all elements in this array
  253. if (is_array($source)) {
  254. foreach($source as $key => $value) {
  255. // for arrays in arrays
  256. if (is_array($value)) $source[$key] = self::process($value);
  257. // filter element for XSS and other 'bad' code etc.
  258. if (is_string($value)) $source[$key] = self::remove(self::decode($value));
  259. }
  260. return $source;
  261. // clean this string
  262. } else if (is_string($source)) {
  263. // filter source for XSS and other 'bad' code etc.
  264. return self::remove(self::decode($source));
  265. // return parameter as given
  266. } else return $source;
  267. }
  268.  
  269. /**
  270. * Remove forbidden tags and attributes from a string iteratively
  271. *
  272. * Call {@link filterTags()} repeatedly until no change in the
  273. * input is produced.
  274. * @param string $source Input string to be 'cleaned'
  275. * @return string 'cleaned' version of $source
  276. * @uses filterTags()
  277. */
  278. protected function remove($source) {
  279. // FIXME: what do we use $loopCounter for?
  280. $loopCounter=0;
  281. // provides nested-tag protection
  282. while($source != self::filterTags($source)) {
  283. $source = self::filterTags($source);
  284. $loopCounter++;
  285. }
  286. return $source;
  287. }
  288. /**
  289. * Remove forbidden tags and attributes from a string
  290. *
  291. * Inspect the input for tags "<tagname ...>" and check the tag
  292. * name against a list of forbidden tag names. Delete all tags
  293. * with forbidden names. If {@link $xssAuto} is true, delete all
  294. * tags in {@link $tagBlacklist}. If there is a user-defined tag
  295. * list in {@link $tagsArray}, process according to the value of
  296. * {@link $tagsMethod}.
  297. *
  298. * If the tag name is OK, then call {@link filterAttr()} to check
  299. * all attributes of the tag and delete forbidden attributes.
  300. * @param string $source Input string to be 'cleaned'
  301. * @return string Cleaned version of input parameter
  302. * @uses filterAttr()
  303. * @uses $tagBlacklist
  304. * @uses $tagsArray
  305. * @uses $tagsMethod
  306. * @uses $xssAuto
  307. */
  308. protected function filterTags($source) {
  309. // filter pass setup
  310. $preTag = NULL;
  311. $postTag = $source;
  312. // find initial tag's position
  313. $tagOpen_start = strpos($source, '<');
  314. // interate through string until no tags left
  315. while($tagOpen_start !== FALSE) {
  316. // process tag interatively
  317. $preTag .= substr($postTag, 0, $tagOpen_start);
  318. $postTag = substr($postTag, $tagOpen_start);
  319. $fromTagOpen = substr($postTag, 1);
  320. // end of tag
  321. $tagOpen_end = strpos($fromTagOpen, '>');
  322. if ($tagOpen_end === false) break;
  323. // next start of tag (for nested tag assessment)
  324. $tagOpen_nested = strpos($fromTagOpen, '<');
  325. if (($tagOpen_nested !== false) && ($tagOpen_nested < $tagOpen_end)) {
  326. $preTag .= substr($postTag, 0, ($tagOpen_nested+1));
  327. $postTag = substr($postTag, ($tagOpen_nested+1));
  328. $tagOpen_start = strpos($postTag, '<');
  329. continue;
  330. }
  331. $tagOpen_nested = (strpos($fromTagOpen, '<') + $tagOpen_start + 1);
  332. $currentTag = substr($fromTagOpen, 0, $tagOpen_end);
  333. $tagLength = strlen($currentTag);
  334. if (!$tagOpen_end) {
  335. $preTag .= $postTag;
  336. $tagOpen_start = strpos($postTag, '<');
  337. }
  338. // iterate through tag finding attribute pairs - setup
  339. $tagLeft = $currentTag;
  340. $attrSet = array();
  341. $currentSpace = strpos($tagLeft, ' ');
  342. // is end tag
  343. if (substr($currentTag, 0, 1) == "/") {
  344. $isCloseTag = TRUE;
  345. list($tagName) = explode(' ', $currentTag);
  346. $tagName = substr($tagName, 1);
  347. // is start tag
  348. } else {
  349. $isCloseTag = FALSE;
  350. list($tagName) = explode(' ', $currentTag);
  351. }
  352. // excludes all "non-regular" tagnames OR no tagname OR remove if xssauto is on and tag is blacklisted
  353. if ((!preg_match("/^[a-z][a-z0-9]*$/i",$tagName)) || (!$tagName) || ((in_array(strtolower($tagName), self::$tagBlacklist)) && (self::$xssAuto))) {
  354. $postTag = substr($postTag, ($tagLength + 2));
  355. $tagOpen_start = strpos($postTag, '<');
  356. // don't append this tag
  357. continue;
  358. }
  359. // this while is needed to support attribute values with spaces in!
  360. while ($currentSpace !== FALSE) {
  361. $fromSpace = substr($tagLeft, ($currentSpace+1));
  362. $nextSpace = strpos($fromSpace, ' ');
  363. $openQuotes = strpos($fromSpace, '"');
  364. $closeQuotes = strpos(substr($fromSpace, ($openQuotes+1)), '"') + $openQuotes + 1;
  365. // another equals exists
  366. if (strpos($fromSpace, '=') !== FALSE) {
  367. // opening and closing quotes exists
  368. if (($openQuotes !== FALSE) && (strpos(substr($fromSpace, ($openQuotes+1)), '"') !== FALSE))
  369. $attr = substr($fromSpace, 0, ($closeQuotes+1));
  370. // one or neither exist
  371. else $attr = substr($fromSpace, 0, $nextSpace);
  372. // no more equals exist
  373. } else $attr = substr($fromSpace, 0, $nextSpace);
  374. // last attr pair
  375. if (!$attr) $attr = $fromSpace;
  376. // add to attribute pairs array
  377. $attrSet[] = $attr;
  378. // next inc
  379. $tagLeft = substr($fromSpace, strlen($attr));
  380. $currentSpace = strpos($tagLeft, ' ');
  381. }
  382. // appears in array specified by user
  383. $tagFound = in_array(strtolower($tagName), self::$tagsArray);
  384. // remove this tag on condition
  385. if ((!$tagFound && self::$tagsMethod) || ($tagFound && !self::$tagsMethod)) {
  386. // reconstruct tag with allowed attributes
  387. if (!$isCloseTag) {
  388. $attrSet = self::filterAttr($attrSet);
  389. $preTag .= '<' . $tagName;
  390. for ($i = 0; $i < count($attrSet); $i++)
  391. $preTag .= ' ' . $attrSet[$i];
  392. // reformat single tags to XHTML
  393. if (strpos($fromTagOpen, "</" . $tagName)) $preTag .= '>';
  394. else $preTag .= ' />';
  395. // just the tagname
  396. } else $preTag .= '</' . $tagName . '>';
  397. }
  398. // find next tag's start
  399. $postTag = substr($postTag, ($tagLength + 2));
  400. $tagOpen_start = strpos($postTag, '<');
  401. }
  402. // append any code after end of tags
  403. $preTag .= $postTag;
  404. return $preTag;
  405. }
  406.  
  407. /**
  408. * Internal method to strip a tag of certain attributes
  409. *
  410. * Remove potentially dangerous attributes from a set of
  411. * "attr=value" strings. Attributes considered dangerous are:
  412. * <ul>
  413. * <li>Any attribute name containing any non-alphabetic
  414. * character</li>
  415. * <li>Any attribute name beginning "on..."</li>
  416. * <li>If {@link $xssAuto} is true, any attribute name in
  417. * {@link $attrBlacklist}</li>
  418. * <li>Any attribute with a value containing the strings
  419. * 'javascript:', 'behaviour:', 'vbscript:', 'mocha:',
  420. * 'livescript:'</li>
  421. * <li>Any attribute whose name contains 'style' and whose
  422. * value contains 'expression'.</li>
  423. * <li>If there is a user-provided list of attributes in
  424. * {@link $attrArray}, process according to the value of
  425. * {@link $attrMethod}.</li>
  426. * </ul>
  427. * @param string[] $attrSet Array of strings "attr=value" parsed
  428. * from a tag.
  429. * @return string[] Input with potentially dangerous attributes
  430. * removed
  431. * @uses $attrArray
  432. * @uses $attrBlacklist
  433. * @uses $attrMethod
  434. * @uses $xssAuto
  435. */
  436. protected function filterAttr($attrSet) {
  437. $newSet = array();
  438. // process attributes
  439. for ($i = 0; $i <count($attrSet); $i++) {
  440. // skip blank spaces in tag
  441. if (!$attrSet[$i]) continue;
  442. // split into attr name and value
  443. $attrSubSet = explode('=', trim($attrSet[$i]));
  444. list($attrSubSet[0]) = explode(' ', $attrSubSet[0]);
  445. // removes all "non-regular" attr names AND also attr blacklisted
  446. if ((!eregi("^[a-z]*$",$attrSubSet[0])) || ((self::$xssAuto) && ((in_array(strtolower($attrSubSet[0]), self::$attrBlacklist)) || (substr($attrSubSet[0], 0, 2) == 'on'))))
  447. continue;
  448. // xss attr value filtering
  449. if ($attrSubSet[1]) {
  450. // strips unicode, hex, etc
  451. $attrSubSet[1] = str_replace('&#', '', $attrSubSet[1]);
  452. // strip normal newline within attr value
  453. $attrSubSet[1] = preg_replace('/\s+/', '', $attrSubSet[1]);
  454. // strip double quotes
  455. $attrSubSet[1] = str_replace('"', '', $attrSubSet[1]);
  456. // [requested feature] convert single quotes from either side to doubles (Single quotes shouldn't be used to pad attr value)
  457. if ((substr($attrSubSet[1], 0, 1) == "'") && (substr($attrSubSet[1], (strlen($attrSubSet[1]) - 1), 1) == "'"))
  458. $attrSubSet[1] = substr($attrSubSet[1], 1, (strlen($attrSubSet[1]) - 2));
  459. // strip slashes
  460. $attrSubSet[1] = stripslashes($attrSubSet[1]);
  461. }
  462. // auto strip attr's with "javascript:
  463. if ( ((strpos(strtolower($attrSubSet[1]), 'expression') !== false) && (strtolower($attrSubSet[0]) == 'style')) ||
  464. (strpos(strtolower($attrSubSet[1]), 'javascript:') !== false) ||
  465. (strpos(strtolower($attrSubSet[1]), 'behaviour:') !== false) ||
  466. (strpos(strtolower($attrSubSet[1]), 'vbscript:') !== false) ||
  467. (strpos(strtolower($attrSubSet[1]), 'mocha:') !== false) ||
  468. (strpos(strtolower($attrSubSet[1]), 'livescript:') !== false)
  469. ) continue;
  470.  
  471. // if matches user defined array
  472. $attrFound = in_array(strtolower($attrSubSet[0]), self::$attrArray);
  473. // keep this attr on condition
  474. if ((!$attrFound && self::$attrMethod) || ($attrFound && !self::$attrMethod)) {
  475. // attr has value
  476. if ($attrSubSet[1]) $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[1] . '"';
  477. // attr has decimal zero as value
  478. else if ($attrSubSet[1] == "0") $newSet[] = $attrSubSet[0] . '="0"';
  479. // reformat single attributes to XHTML
  480. else $newSet[] = $attrSubSet[0] . '="' . $attrSubSet[0] . '"';
  481. }
  482. }
  483. return $newSet;
  484. }
  485. /**
  486. * Convert HTML entities to characters
  487. *
  488. * Convert input string containing HTML entities to the
  489. * corresponding character (&amp; => &). ISO 8859-1 character
  490. * set is assumed.
  491. * @param string $source Character string containing HTML entities
  492. * @return string Input string, with entities converted to characters
  493. * @uses chr()
  494. * @uses html_entity_decode()
  495. * @uses preg_replace()
  496. */
  497. protected function decode($source) {
  498. // url decode
  499. $source = html_entity_decode($source, ENT_QUOTES, "ISO-8859-1");
  500. // convert decimal &#DDD; to character DDD
  501. $source = preg_replace('/&#(\d+);/me',"chr(\\1)", $source);
  502. // convert hex &#xXXX; to character XXX
  503. $source = preg_replace('/&#x([a-f0-9]+);/mei',"chr(0x\\1)", $source);
  504. return $source;
  505. }
  506.  
  507. /**
  508. * Remove HTML entities and magic quotes, insert SQL special
  509. * character escapes
  510. *
  511. * If the input is a string or an array of strings, then each
  512. * string is edited to convert any HTML entities to the
  513. * corresponding character and remove slashes inserted by
  514. * {@link http://www.php.net/manual/en/security.magicquotes.php magic quotes},
  515. * then the result has SQL special characters
  516. * escaped.
  517. * @param mixed $source Input to be 'cleaned'
  518. * @param resource $connection An open MySQL connection
  519. * @return mixed $source with HTML entities and GPC magic quotes
  520. * removed from, and SQL special character escapes
  521. * inserted in, the string or array of strings.
  522. * @uses decode()
  523. * @uses quoteSmart()
  524. */
  525. public function safeSQL($source, &$connection) {
  526. // clean all elements in this array
  527. if (is_array($source)) {
  528. foreach($source as $key => $value)
  529. // filter element for SQL injection
  530. if (is_string($value)) $source[$key] = self::quoteSmart(self::decode($value), $connection);
  531. return $source;
  532. // clean this string
  533. } else if (is_string($source)) {
  534. // filter source for SQL injection
  535. if (is_string($source)) return self::quoteSmart(self::decode($source), $connection);
  536. // return parameter as given
  537. } else return $source;
  538. }
  539.  
  540. /**
  541. * Remove GPC magic quotes from input string & escape SQL special
  542. * characters
  543. *
  544. * The input is a string that came from a GET or POST HTTP
  545. * operation, or a cookie. If GPC magic quotes are currently in
  546. * effect, the resulting slashes are stripped. Then any SQL
  547. * special characters in the string are escaped, taking into
  548. * account the character set in use on $connection.
  549. * @author Chris Tobin, Daniel Morris
  550. * @param string $source Input string to be converted
  551. * @param resource $connection An open MySQL connection
  552. * @return string Input string with any GPC magic quotes stripped
  553. * and SQL special characters escaped
  554. * @uses escapeString()
  555. * @uses get_magic_quotes_gpc()
  556. * @uses stripslashes()
  557. */
  558. protected function quoteSmart($source, &$connection) {
  559. // strip slashes
  560. if (get_magic_quotes_gpc()) $source = stripslashes($source);
  561. // quote both numeric and text
  562. $source = self::escapeString($source, $connection);
  563. return $source;
  564. }
  565. /**
  566. * Escape SQL special characters in string
  567. *
  568. * Escape SQL special characters in the input string, taking into
  569. * account the character set of the connection.
  570. *
  571. * <b>FIXME:</b> since we require PHP 5 can't we remove the use
  572. * of mysql_esacape_string()?
  573. *
  574. * <b>FIXME:</b>Shouldn't we pass the connection to
  575. * mysql_real_escape_string()?
  576. *
  577. * <b>FIXME:</b>Is this really RDBMS independent?
  578. * @todo Check FIXMEs
  579. * @author Chris Tobin, Daniel Morris
  580. * @param string $string String to be protected
  581. * @param resource $connection - An open MySQL connection
  582. * @return string Value of $string with characters special in
  583. * SQL escaped by '\'s
  584. * @uses mysql_escape_string()
  585. * @uses mysql_real_escape_string()
  586. * @uses phpversion()
  587. * @uses version_compare()
  588. */
  589. protected function escapeString($string, &$connection) {
  590. // depreciated function
  591. if (version_compare(phpversion(),"4.3.0", "<"))
  592. return mysql_escape_string($string);
  593. // current function
  594. else
  595. return mysql_real_escape_string($string);
  596. }
  597. }
  598.  
  599. // -- set Emacs parameters --
  600. // Local variables:
  601. // tab-width: 4
  602. // c-basic-offset: 4
  603. // c-hanging-comment-ender-p: nil
  604. // indent-tabs-mode: nil
  605. // End:
  606. ?>

Documentation generated on Thu, 04 May 2006 19:47:49 -0600 by phpDocumentor 1.3.0RC4