making user input safe

ucbones

will this do the trick...

//function to make user input safe
function makesafe(&$string,$key,$formatting="false"){
	//makes absolutely certain that no one can delete the oxygen database
	$string=str_replace("dbname","fakedbname",$string);
	//replace \n with HTML linebreaks (this doesn't make it any safer, but as I do this for all userinput...
	$string=str_replace("\n","<br>",$string);
	//this line is what really makes it safe!
	$string=addslashes($string);
	if ($formatting != "true"){
		$string=strip_tags($string,"<br>");
	}
	//remove swearwords
	$string=filter($string);
}

filter is my own function for removing swearwords as best as I can. The "&" before $string is needed because I use this at the top of my pages for validating userinput:

array_walk($_POST,'makesafe','true');

I also use this on my $_GET at the top of every page.

Anything else I can do?

superwormy

You might consider the database specific mysql_escape_string() and equivalent for other databases.

Might consider html_encode_entities() or html_entities() as well if you're passing data through HTML forms, we had a situation like this once:

And if the user entered:

This is " Keiths " Page

For $user_input, it botched up the HTML because the HTML became <input type="hidden" name="thing" value="This is " Keiths " Page" />, too many quotes in there and only "This is " would get passed to the next page.

laserlight

I think that it usually is better to convert to html when writing output.

That way your data can be more flexible, IMO.

btw, I never heard of html_encode_entities(), and I cant find it in the PHP manual either.

I would use htmlspecialchars() or htmlentities()

ucbones

laserligh

either it's a function the guy wrote a while ago, and forgot it was his own function, or he was working backwards from html_decode_entities.

What do you mean by

I think that it usually is better to convert to html when writing output.

I don't want to do htmlspecial chars, because that then mucks up my br's, unless I then do another str_replace, which jars as inefficient.

Having said that, I would probably trust your judgement on this matter rather more than my own 🙂

ucbones

laserlight

actually, since you're using strip_tags(), htmlspecialchars() is redundant.

When I say "better to convert to html when writing output", I mean store with the '<' and '>', but write with '>' and '<'

ucbones

laserlight- why- because > takes less space than < ?

for those in the future searching for the word "filter", here is my PHP function for filtering user input... create a table in MySQL with a list of words to filter (don't worry about different cases, or people doing simple things such as r.u.d.e)

Note that this will not remove all rude words, only those specified in the database, and will not remove those with a different symbol between each leter (e.g. "r.u#d.e", given there are 8 different possible character separators, this would require a for-loop to run 8⁸ times- which would take a rather long time- and is perhaps overkill!) From past experience, most people just type the words, they are not intending to fool the system- except where proving my script doesn't work :-) Enjoy

//following functions attempt to filter out swearwords
//these cannot necessarily remove all swearwords, there are always workarounds, but I've done my best!

//insensitive search and replace- avoids people doing things like BaDwOrD
function stri_replace( $find, $replace, $string ){
   $parts = explode( strtolower($find), strtolower($string) );
   $pos = 0;
   foreach( $parts as $key=>$part ){
       $parts[ $key ] = substr($string, $pos, strlen($part));
       $pos += strlen($part) + strlen($find);
       }
   return( join( $replace, $parts ) );
}

//insert a chracter between each letter of a string, this enables us to filter out words like i.d.i.o.t
function insertcharacter($character,$input){
	for ($i=0; $i<strlen($input); $i++){
		$return.=$input[$i]."$character";
	}
	if ($character != ''){
	$return=substr($return,0,strlen($return)-1);
	}
	return $return;
}

//do the replace, given a badword
function exefilter($badword,$contents){
	//characters between each letter of a swearword that mean that they are still swearwords
	$characters=array('','@',' ','.','#','^','  ',' . ');
	foreach($characters as $character){
		$characteredword=insertcharacter($character,$badword);
		$contents=stri_replace($characteredword,str_pad($badword[0],strlen($badword),"*",STR_PAD_RIGHT),$contents);
	}
	return $contents;
}

//filter the string for each badword listed
function filter($input){
	$selectbadwords=mysql_query("SELECT * FROM badwords");
	while($getbadwords=mysql_fetch_array($selectbadwords)){
		$input=exefilter($getbadwords["word"],$input);
	}
	return $input;
}

So, to filer userinput just do

$output=filter($input)