What do you think about my security filters?

Discussion in 'PHP' started by x0x, Jul 15, 2009.

  1. #1
    Every submitted text variable is filtered with this:

    function textfix($text = ""){
        // HTML-encodes quotes and angle brackets; this is output encoding for
        // HTML and does not validate the value or escape it for SQL
        if(!is_array($text)){ $text = htmlentities($text, ENT_QUOTES, "UTF-8"); }
        return $text;
    }

    numbers:

    function intfix($input = 0){
        // coerce to a whole number; (int) turns non-numeric input into 0
        // (number_format() raises a TypeError on non-numeric input in PHP 8)
        $input = (int) $input;
        if($input < 1){ $input = 0; }
        return $input;
    }



    And some stuff I don't even understand myself (not made by me):

    // copies every request parameter into a global variable of the same name
    // (the register_globals behaviour), so a client-chosen name can overwrite
    // a variable the script already defines; note the charset differs from textfix()
    if (count($_GET) > 0)    { foreach ($_GET    as $name => $value) { ${$name} = is_array($value) ? $value : htmlentities($value, ENT_QUOTES, "ISO-8859-15"); } }
    if (count($_POST) > 0)   { foreach ($_POST   as $name => $value) { ${$name} = is_array($value) ? $value : htmlentities($value, ENT_QUOTES, "ISO-8859-15"); } }
    if (count($_COOKIE) > 0) { foreach ($_COOKIE as $name => $value) { ${$name} = is_array($value) ? $value : htmlentities($value, ENT_QUOTES, "ISO-8859-15"); } }

    function escape($value) {
        // requires an open mysql_* connection; the mysql extension was removed in PHP 7
        $value = mysql_real_escape_string($value);
        return $value;
    }

    Every variable in my script is defined like this at the top of the page:

    // !empty() keeps the original truthiness test without an undefined-index notice
    if(!empty($_POST['username'])){ $username = textfix($_POST['username']); }
    if(!empty($_POST['code'])){ $code = intfix($_POST['code']); }

    a normal query in my script looks like this:

    $user = $DB->fetch("SELECT * FROM $tab[user] WHERE username='$username' AND password='$password'", __FILE__, __LINE__);

    if you are wondering what "fetch" is then it's:

    function fetch($query, $file, $line) {
        $result = $this->query($query, $file, $line);
        return $this->fetch_array($result);
    }


    What do you think? Secure enough?
     
    x0x, Jul 15, 2009
  2. newgenservices
    #2
    You got some good ones and let me add two more. However, your fetch() would work only when called from the correct class and is not an independent function.

    if (get_magic_quotes_gpc()) { // Disabling magic quotes at runtime
        function stripslashes_deep($value)
        {
            $value = is_array($value) ?
                        array_map('stripslashes_deep', $value) :
                        stripslashes($value);

            return $value;
        }

        $_POST    = array_map('stripslashes_deep', $_POST);
        $_GET     = array_map('stripslashes_deep', $_GET);
        $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
        $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
    }

    This is to sanitize input irrespective of numbers or text or characters to prevent SQL injections. This covers a couple of functions you have used above in a single function.

    function clean($str) { // Function to sanitize values received from the form.
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

     
    newgenservices, Jul 15, 2009
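An added example, not code from either post: the login lookup and the integer check from the opening post done with validation and PDO prepared statements instead of htmlentities()/mysql_real_escape_string() and string interpolation, which is what the clean() and escape() helpers above are working around. It assumes a PDO/MySQL connection with placeholder credentials, a `user` table with a `password_hash` column (the thread's table has a plain `password` column) and a username policy of 3 to 32 word characters; these are assumptions, not details from the thread.

```php
<?php
// Added example, not the thread's own code. Assumed: PDO/MySQL, a `user`
// table with id/username/password_hash columns, placeholder credentials.
// Validate instead of encode: keep the raw value for the database and
// reject anything outside the allowed shape (assumed policy: 3-32 word chars).
function clean_username(string $raw): ?string {
    $raw = trim($raw);
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

// Same intent as intfix(): a non-negative whole number, but non-numeric
// input is rejected (null) rather than silently turned into 0.
function clean_int($raw): ?int {
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

// The login query from the thread, with bound parameters: the values never
// become part of the SQL text, so no quoting or escaping is needed.
function fetch_user(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT id, username, password_hash FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// HTML encoding belongs at output time, where the value meets the page,
// not at input time where it corrupts stored data (O'Brien -> O&#039;Brien).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
]);

$username = clean_username($_POST['username'] ?? '');
$code     = clean_int($_POST['code'] ?? '');
if ($username === null || $code === null) {
    http_response_code(400);
    exit('Invalid input.');
}
$user = fetch_user($db, $username, $_POST['password'] ?? '');
echo $user ? 'Welcome, ' . h($user['username']) : 'Login failed.';
```

With bound parameters the magic_quotes/stripslashes handling in the reply becomes unnecessary, since no layer between the form and the query adds or expects backslash escaping.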