filtering user input

tbach2

We all know we shouldn't trust user input. Any problems with this function or easier ways to do it?

// cleanse variables

function assign($variable,$type,$restrictions) {
	$temp='';
	switch($type) {
		case 'get':		$temp = $_GET[$variable]; break;
		case 'post':		$temp = $_POST[$variable]; break;
		case 'request':	$temp = $_REQUEST[$variable]; break;
		case 'cookie':		$temp = $_COOKIE[$variable]; break;
	}
	switch($restrictions) {
		case 'alpha':		preg_match("/([a-zA-Z ,\.]+)/",$temp,$match); break;
		case 'alphanum':	preg_match("/([a-zA-Z0-9 ,\.]+)/",$temp,$match); break;
		case 'num':		preg_match("/([0-9]+)/",$temp,$match); break;
		case 'email':		preg_match("/^(([a-zA-Z0-9_-]*\.*)*[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)/",$temp,$match); break;
		case 'blob':		$match[1] = $temp; break;
	}
	if($temp!='') {
		global $$variable;
		$$variable = $match[1];
		return true;
	}
	return false;
}

// suppose you want to strip any non-alphanumeric stuff out of $_POST['username']

assign('username','post','alphanumeric');

Moonglobe

you could add support for '_' and '-'. many people use these in their input and it would be wise to allow them in alpha & alphanum.

Merve

htmlentities() is also a good idea so that people can't execute HTML to get porn pics displayed from another site or something dumb like that...there's worse.

Moonglobe

Merve you say that a lot now i've noticed :p

but anyway why would he need to? he's not allowing < or > in his regex's....

Merve

People can type greater than or less than signs without typing > or <. I don't see where they are in his PCREs.

And yes I do say that a lot. A lot of people forget it. 🙂

Moonglobe

ok so since when did the board start rejecting my entity references......

andway i meant < and >. the above post has been edited. all i'm saying is that HTML can't get it, it would be caught by the regexes.

Merve

Please forgive me for being so stubborn Moonglobe, but I don't see < or > in his regexes...if there's something about PCRE that I don't know about that I'd really like to know.

Moonglobe

Originally posted by Merve
Please forgive me for being so stubborn Moonglobe, but I don't see < or > in his regexes...if there's something about PCRE that I don't know about that I'd really like to know.

that's the point...... they're not there. what IS there is what's allowed. that's it.

Merve

I apologise Moonglobe for my stubbornness and stupidity. I should have taken the time to read over the code. Actually, I don't think it can be improved, great code! But one must admit, htmlentities() rocks!

Sorry...but it does...and if you agree with me...well too bad!

😃😃😃😃

Moonglobe

Originally posted by Merve
Sorry...but it does...and if you agree with me...well too bad!

but i do agree with you....😕

😉