I've found a function on web to sanitize user input data and used it for creating an alternative to $_POST[] method as post() . However, it seems that this function also sanitizes UTF-8 characters such as ç,ş,ö,ı,İ,Ö,ğ, converting them into strings like öl. I don't know which part of the code does that.
Thanks in advance.
Sanitizing function
function post($key) {
if (isset($_POST[$key])) {
$data = $_POST[$key];
if (is_array($data)) {
foreach ($data as $key => $element) {
$data[$key] = filter($element);
}
} else {
$data = trim(htmlentities(strip_tags($data)));
if(get_magic_quotes_gpc())
$data = stripslashes($data);
$data = pg_escape_string($data);
}
return $data;
} else {
return false;
}
}
Looking at the manual I think you would need to add some additional params to your htmlentities call to let it know you are using UTF-8 encoded strings.
Here is a possible solution, I factored the relevant portion out into a separate function for clarity.
function post($key){
if (isset($_POST[$key])){
$post = $_POST[$key];
if (is_array($post)) {
$data = array();
foreach ($post as $key => $element) {
$data[$key] = filter($element);
}
} else {
$data = formatHtmlEntities($post);
}
return $data;
}
return false;
}
function formatHtmlEntities($data)
{
$stripTags = strip_tags($data);
$entityEncodedData = trim(htmlentities($stripTags, ENT_QUOTES, "UTF-8"));
if (get_magic_quotes_gpc()) {
$entityEncodedData = stripslashes($entityEncodedData);
}
return pg_escape_string($entityEncodedData);
}
I've found an alternative solution which is to use htmlspecialchars() vs htmlentities() for my case. Reference question: htmlentities() vs. htmlspecialchars()
Related
I want to pass a variable to a language file. I have created MY_language.php in application/core/MY_language.php.
class MY_Language extends CI_Lang
{
public function __construct()
{
parent::__construct();
}
function line($line, $params = null)
{
$return = parent::line($line);
if ($return === false) {
return "!-- $line --!";
} else {
if (!is_null($params)) {
$return = $this->_ni_line($return, $params);
}
return $return;
}
}
private function _ni_line($str, $params)
{
$return = $str;
$params = is_array($params) ? $params : array($params);
$search = array();
$cnt = 0;
foreach ($params as $param) {
$search[$cnt] = '/\\$' . ($cnt + 1) . '/';
$cnt++;
}
$return = preg_replace($search, $params, $return);
return $return;
}
}
This file must override the CodeIgniter line() function and accept an array of parameters as input, and insert into string language everywhereIi have type $ in my language text.
$lang['delete'] = "$name was deleted";
The result of the above code is:
sam was deleted
in codeigniter 3 the language your core language file must be PREFIX_lang
Since you are adding parameters to the line() function you are unable to override it.
Use a different name like magic_line()
I have a PHP function that outputs quote marks like so when rendered in the html.
onload="this.rel='stylesheet'"
What I want is the following:
onload="this.rel='stylesheet'"
Here is the function causing the first example to happen - does anyone know how I can solve this?
public function get_css($opts, $index, $count)
{
$out = array();
$version = filemtime($_SERVER['DOCUMENT_ROOT'].'/assets/css/app.min.css');
$str = "this.rel='stylesheet'";
$out[] = $this->_single_tag('link', array(
'rel'=>'preload',
'as'=>'style',
'type'=>'text/css',
'href'=>'/assets/css/app.min.'.$version.'.css',
'onload'=>$str,
));
return implode("\n\t", $out)."\n";
}
Here is the function for _single_tag
protected function _single_tag($tag=false, array $attrs)
{
if ($tag===false) return;
return PerchXMLTag::create($tag, 'single', $attrs);
}
The problem comes from the PerchXMLTag::create() method which does some HTML encoding on the values supplied to it.
Looking at the Perch documentation there doesn't seem to be a way to disable this, so my suggestion would be to replace the code within the get_css function with something that just outputs the raw HTML:
public function get_css($opts, $index, $count)
{
$out = array();
$version = filemtime($_SERVER['DOCUMENT_ROOT'].'/assets/css/app.min.css');
$str = "this.rel='stylesheet'";
$out[] = "<link rel='preload' as='style' type='text/css' href='/assets/css/app.min.{$version}.css' onload='{$str}' />";
return implode("\n\t", $out)."\n";
}
public function get_css($opts, $index, $count)
{
$out = array();
$version = filemtime($_SERVER['DOCUMENT_ROOT'].'/assets/css/app.min.css');
$str = "this.rel=\"stylesheet\"";
$out[] = $this->_single_tag('link', array(
'rel'=>'preload',
'as'=>'style',
'type'=>'text/css',
'href'=>'/assets/css/app.min.'.$version.'.css',
'onload'=>$str,
));
return implode("\n\t", $out)."\n";
}
Try with that.
I'm creating a function that "cleans" data (escapes html to avoid xss) from the database before sending it to the views. All the data is passed on in 1 array. This arrays contains variables and arrays that contain other variables and arrays, and so on.
This is what I have now, it works, but it just doesn't look right. Is there any way to avoid going through a new foreach for every array inside an array?
public function clean_output(&$data)
{
if(!is_array($data))
{
$data = htmlspecialchars($data);
}
else
{
foreach($data as &$data_1)
{
if(!is_array($data_1))
{
$data_1 = htmlspecialchars($data_1);
}
else
{
foreach($data_1 as &$data_2)
{
if(!is_array($data_2))
{
$data_2 = htmlspecialchars($data_2);
}
else
{
foreach($data_2 as &$data_3)
{
$data_3 = htmlspecialchars($data_3);
}
}
}
}
}
}
}
Thanks to Antoine, I got a new function. Suggestions still welcome offcourse!
public function clean_output(&$data)
{
if(!is_array($data))
{
$data = htmlspecialchars($data);
}
else
{
foreach($data as &$data_1)
{
$this->clean_output($data_1);
}
}
}
You must use recursive function !
http://www.elated.com/articles/php-recursive-functions/
I need to sanitize the values in a JSON file (e.g., a composer.json file from github). I json_decode($file) converting it to a stdClass object. (I need it as an object, not as an array - I am aware of that option).
I need to recursively sanitize all the values which might be objects as well (and maybe the keys too?).
I need to remove any and all "dangerous" characters, etc from the file but would like it to remain multilingual, so was planning to use filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW).
Advice and suggestions please. maybe I'm missing the obvious, but this seems harder than it should.
Object can be iterated by foreach:
function sanitize($data) {
foreach ($data as &$value) {
if (is_scalar($value)) {
$value = sanitizeValue($value);
continue;
}
sanitize($value);
}
return $data;
}
Answer by Михаил-М was close. I needed to adjust it slightly to be:
function sanitize($data) {
foreach ($data as &$value) {
if (is_scalar($value)) {
$value = sanitizeValue($value);
continue;
}
$value = sanitize($value);
}
return $data;
}
of course, this doesn't address the issue of actually sanitizing the data which I did with the filter_var method I mentioned above. so I finally solved it with this:
function sanitize($data) {
foreach ($data as &$value) {
if (is_scalar($value)) {
$value = filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
continue;
}
$value = sanitize($value);
}
return $data;
}
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
What are the best PHP input sanitizing functions?
A while back I found this, what I thought to be great, snippet in someones code to filter POST and GET data from injections.
function filter($data) { //Filters data against security risks.
$data = trim(htmlentities(strip_tags($data)));
if(get_magic_quotes_gpc()) $data = stripslashes($data);
$data = mysql_real_escape_string($data);
return $data;
}
foreach($_GET as $key => $value) $filterGet[$key] = filter($value);
foreach($_POST as $key => $value) $filterPost[$key] = filter($value);
And I've been using it ever since. But today, while sending an array through ajax I got tons of errors. Most of them say strip_tags() expects parameter 1 to be string, array given in...
What the best way to filter data? All this data is going to a database. But what about cases where it isn't going to a database?
Here is the function you need:
function filter($data) { //Filters data against security risks.
if (is_array($data)) {
foreach ($data as $key => $element) {
$data[$key] = filter($element);
}
} else {
$data = trim(htmlentities(strip_tags($data)));
if(get_magic_quotes_gpc()) $data = stripslashes($data);
$data = mysql_real_escape_string($data);
}
return $data;
}
As clear by the error message, this is happening for cases where an array is passed via GET/POST. You can parse each value of the array for such cases.
foreach($_GET as $key => $value){
if(is_array($value)){
foreach($value as $val){
$filterGet[$key][] = filter($val);
}
}
else{
$filterGet[$key] = filter($value);
}
}
What you should do is first check to see if $data is the correct format that you need it to be in. What you describe is that an array was passed into the $data parameter of your function, and PHP needs you to break it down into a string. Some extra logic is needed such as:
function filter($data) {
if(is_array($data)) {
foreach($data as $key => $value) {
// Do stuff...
}
} else {
// Do stuff...
}
}
You should check if the input is array. If so, loop it and strip tags for every array member, if not, then just strip tags for the input.
you can use array_walk
<?php
function wsafe(&$value,$key)
{
return safe($value);
}
function safe($value)
{
if(is_array($value))
{
foreach($value as $key=>$val)
{
$value[safe($key)] = safe($val);
}
}
else
{
$value = trim(htmlentities(strip_tags($value)));
if(get_magic_quotes_gpc()) $value = stripslashes($value);
$value = mysql_real_escape_string($value);
}
}
array_walk($_POST,'wsafe');
array_walk($_GET,'wsafe');