Hi all.

Even though I'm familiar with PHP & SQL, I would really like a second opinion on my method for "securing" all user input from evil things.. 🙂

This is how I do it atm:
On all inputs from all kinds of fields I use only mysqli_real_escape_string (in the db layer).
When db stuff goes out again I use htmlentities on single lines (username, email, etc.), and removeHTMLtags+nl2br for larger texts (description, page content, etc.).

Also, in my init class I use this:

			// undo magic_quotes so escaping happens exactly once, in the db layer; the closure
			// recurses because fields posted as name[] arrive as nested arrays
			$stripDeep = function ($v) use (&$stripDeep) {
				return is_array($v) ? array_map($stripDeep, $v) : stripslashes($v);
			};
			if (get_magic_quotes_gpc())	{
				$_GET = $stripDeep($_GET);
				$_POST = $stripDeep($_POST);
				$_REQUEST = $stripDeep($_REQUEST);
			}

And here's the removeHTMLtags:

		// class name assumed here; the OP keeps this static method in an unnamed class
		class Sanitizer
		{
			static function removeHTMLTags($str)
			{
				//allowed = a b br blockquote center div hr i li ol u ul p pre
				// NOTE: this is a blacklist; any tag not listed here passes through untouched
				$html_tags = array("abbr","acronym","address","applet","area","base","basefont",
						"bdo","big","body","button","caption","cite","code",
						"col","colgroup","dd","del","dfn","dir","dl","dt","em","fieldset","font",
						"form","frame","frameset","h1","h2","h3","h4","h5","h6","head","html",
						"iframe","img","input","ins","isindex","kbd","label","legend","link","map",
						"menu","meta","noframes","noscript","object","optgroup","option","param",
						"q","s","samp","script","select","small","span","strike","strong","style",
						"sub","sup","table","tbody","td","textarea","tfoot","th","thead","title","tr",
						"tt","var");

				foreach ($html_tags as $tag)
				{
					// [^>]* matches the same text as the original (.|\s)*? without the backtracking,
					// and /i is needed so that upper-case tags like <SCRIPT> are removed as well
					$str = preg_replace("/<\/?" . $tag . "[^>]*>/i", "", $str);
				}

				return $str;
			}
		}

IMHO this should be enough, and the input and output will match.
But is this enough, or am I short of something? 😕

    You're missing [man]strip_tags[/man]....

      Oh god, yes.

      I found this (in a comment from tREXX [www.trexx.ch]) at http://php.net/strip_tags; it would be better to use this instead of my removeHTMLtags, right? Maybe when saving to the db instead of when showing text to a user.

      $allowedTags = '<a><b><i><u><center><p><ul><ol><li><pre><span><div><hr><br><blockquote>';
      $stripAttrib = 'javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|'.
                     'onmousemove|onmouseout|onkeypress|onkeydown|onkeyup';
      
      function removeEvilTags($source) {
         global $allowedTags;
         $source = strip_tags($source, $allowedTags);
         // the original used preg_replace with the /e modifier, which no longer exists in PHP 7;
         // preg_replace_callback does the same job without eval
         return preg_replace_callback('/<(.*?)>/', function ($m) {
            return '<' . removeEvilAttributes($m[1]) . '>';
         }, $source);
      }
      
      function removeEvilAttributes($tagSource) {
         global $stripAttrib;
         // stripslashes is no longer needed: it only undid the quoting the /e modifier added
         return preg_replace("/$stripAttrib/i", 'forbidden', $tagSource);
      }
      $string = 'this <!- not seen ->is <a href="javascript:alert(1);" target="_blank" onMouseOver = "alert(1)">test</a> with<? echo "evil tags"; ?> end';
      echo removeEvilTags($string);
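An allow-list version of the OP's text sanitizer, added here as an example; it is not code from the thread or from php.net. It keeps the tags from the OP's "allowed" comment, rebuilds each tag with only a short per-tag attribute list, and checks the scheme of href values; the names ALLOWED_TAGS, ALLOWED_ATTRS, isSafeUrl and sanitizeRichText are assumptions, and it assumes PHP 7.1 or later.

```php
<?php
// Added example (not the thread's or php.net's code): an allow-list sanitizer for the
// "larger text" fields, in place of the blacklist in removeHTMLTags. Assumptions: PHP 7.1+,
// and the tag list is the one from the OP's "allowed" comment.
declare(strict_types=1);
const ALLOWED_TAGS  = '<a><b><br><blockquote><center><div><hr><i><li><ol><u><ul><p><pre>';
// Attributes kept per tag; every other attribute (onclick, style, ...) is dropped.
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'div' => ['class']];

function isSafeUrl(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a URL, so remove them
    // before reading the scheme; then allow only http, https, mailto or a scheme-less link.
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true;
}

function sanitizeRichText(string $html): string
{
    // 1. Keep only allow-listed tags; strip_tags also drops comments and PHP tags.
    $html = strip_tags($html, ALLOWED_TAGS);
    // 2. Rebuild each remaining tag from scratch with only its allow-listed attributes.
    $html = preg_replace_callback('/<(\/?)([a-z0-9]+)([^>]*)>/i', static function (array $m): string {
        [, $slash, $tag, $attrText] = $m;
        $tag = strtolower($tag);
        if ($slash === '/') {
            return "</$tag>";
        }
        $kept = '';
        preg_match_all('/([a-z-]+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+)/i', $attrText, $attrs, PREG_SET_ORDER);
        foreach ($attrs as $a) {
            $name  = strtolower($a[1]);
            // decode entities first so an entity-encoded scheme cannot slip past isSafeUrl
            $value = html_entity_decode(trim($a[2], "\"'"), ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!in_array($name, ALLOWED_ATTRS[$tag] ?? [], true) || ($name === 'href' && !isSafeUrl($value))) {
                continue;
            }
            $kept .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
        }
        return "<$tag$kept>";
    }, $html);
    // 3. Line breaks for the plain-text part, as the OP already does with nl2br.
    return nl2br($html);
}

// Constructed sample input reusing the event handler and javascript: link from the reply above.
echo sanitizeRichText('<p onclick="x">Hi <a href="javascript:alert(1)" title="t">link</a><script>x</script></p>');
```

Because every tag is rebuilt from an allow-list, a tag or attribute the author never thought of is dropped rather than let through, which is the property the blacklist in removeHTMLTags cannot give.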