filtering user input

[tbach2]

We all know we shouldn't trust user input. Any problems with this function or easier ways to do it?

PHP Code:

// cleanse variables

function assign($variable,$type,$restrictions) {
    $temp='';
    switch($type) {
        case 'get':        $temp = $_GET[$variable]; break;
        case 'post':        $temp = $_POST[$variable]; break;
        case 'request':    $temp = $_REQUEST[$variable]; break;
        case 'cookie':        $temp = $_COOKIE[$variable]; break;
    }
    switch($restrictions) {
        case 'alpha':        preg_match("/([a-zA-Z ,\.]+)/",$temp,$match); break;
        case 'alphanum':    preg_match("/([a-zA-Z0-9 ,\.]+)/",$temp,$match); break;
        case 'num':        preg_match("/([0-9]+)/",$temp,$match); break;
        case 'email':        preg_match("/^(([a-zA-Z0-9_-]*\.*)*[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)/",$temp,$match); break;
        case 'blob':        $match[1] = $temp; break;
    }
    if($temp!='') {
        global $$variable;
        $$variable = $match[1];
        return true;
    }
    return false;
}

// suppose you want to strip any non-alphanumeric stuff out of $_POST['username']

assign('username','post','alphanumeric');


[Moonglobe]

you could add support for '_' and '-'. many people use these in their input and it would be wise to allow them in alpha & alphanum.

[Merve]

htmlentities() is also a good idea so that people can't execute HTML to get porn pics displayed from another site or something dumb like that...there's worse.

[Moonglobe]

Merve you say that a lot now i've noticed


but anyway why would he need to? he's not allowing < or > in his regex's....

[Merve]

People can type greater than or less than signs without typing &gt; or &lt;. I don't see where they are in his PCREs.

And yes I do say that a lot. A lot of people forget it.

[Moonglobe]

ok so since when did the board start rejecting my entity references......

andway i meant < and >. the above post has been edited. all i'm saying is that HTML can't get it, it would be caught by the regexes.

[Merve]

Please forgive me for being so stubborn Moonglobe, but I don't see < or > in his regexes...if there's something about PCRE that I don't know about that I'd really like to know.

[Moonglobe]

Quote:

Originally posted by Merve
Please forgive me for being so stubborn Moonglobe, but I don't see < or > in his regexes...if there's something about PCRE that I don't know about that I'd really like to know.

that's the point...... they're not there. what IS there is what's allowed. that's it.

[Merve]

I apologise Moonglobe for my stubbornness and stupidity. I should have taken the time to read over the code. Actually, I don't think it can be improved, great code! But one must admit, htmlentities() rocks!

Sorry...but it does...and if you agree with me...well too bad!

[Moonglobe]

Quote:

Originally posted by Merve
Sorry...but it does...and if you agree with me...well too bad!

but i do agree with you....