<html>
<head>
<title>InputFilter</title>
<link rel="stylesheet" type="text/css" href="../media/style.css">
</head>
<body>

<table border="0" cellspacing="0" cellpadding="0" height="48" width="100%">
  <tr>
    <td class="header_top">PHPonTrax</td>
  </tr>
  <tr><td class="header_line"><img src="../media/empty.png" width="1" height="1" border="0" alt=""  /></td></tr>
  <tr>
    <td class="header_menu">
  		  [ <a href="../classtrees_PHPonTrax.html" class="menu">class tree: PHPonTrax</a> ]
		  [ <a href="../elementindex_PHPonTrax.html" class="menu">index: PHPonTrax</a> ]
		  [ <a href="../elementindex.html" class="menu">all elements</a> ]
    </td>
  </tr>
  <tr><td class="header_line"><img src="../media/empty.png" width="1" height="1" border="0" alt=""  /></td></tr>
</table>

<table width="100%" border="0" cellpadding="0" cellspacing="0">
  <tr valign="top">
    <td width="200" class="menu">
	<div id="todolist">
			<p><a href="../todolist.html">Todo List</a></p>
	</div>
      <b>Packages:</b><br />
              <a href="../li_PHPonTrax.html">PHPonTrax</a><br />
              <a href="../li_PHPonTraxTest.html">PHPonTraxTest</a><br />
            <br /><br />
		<b>Tutorials/Manuals:</b><br />
					<strong>Package-level:</strong>
							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_PHPonTrax.pkg.html">PHP On Trax</a>
<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_rails_examples.pkg.html">Examples From The Rails Book</a>
</ul>

<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_simpleapp.pkg.html">Build A Simple Trax Application</a>
</ul>

<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_database.pkg.html">Create A Database and User</a>
</ul>

<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_advbuild.pkg.html">Advanced Application Build Topics</a>
</ul>

<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_naming.pkg.html">The Trax Naming Convention</a>
</ul>

<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_troubleshoot.pkg.html">Troubleshooting</a>
</ul>

<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_reference.pkg.html">Reference</a>
</ul>

</li></ul>


										<strong>Class-level:</strong>
							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ActiveRecordHelper.cls.html">ActiveRecordHelper</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_FormTagHelper.cls.html">FormTagHelper</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_Helpers.cls.html">Helpers</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_UrlHelper.cls.html">UrlHelper</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_FormHelper.cls.html">FormHelper</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_InputFilter.cls.html">InputFilter</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ActionMailer.cls.html">ActionMailer</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ApplicationController.cls.html">ApplicationController</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ActionController.cls.html">ActionController</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ActiveRecord.cls.html">ActiveRecord</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_DateHelper.cls.html">DateHelper</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_Router.cls.html">Router</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_FormOptionsHelper.cls.html">FormOptionsHelper</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_TraxGenerator.cls.html">TraxGenerator</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_Session.cls.html">Session</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_Inflector.cls.html">Inflector</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ActiveRecordError.cls.html">ActiveRecordError</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ActionControllerError.cls.html">ActionControllerError</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ScaffoldController.cls.html">ScaffoldController</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_Dispatcher.cls.html">Dispatcher</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_TraxError.cls.html">TraxError</a>
</ul>


							<ul>
	<li type="square"><a href="../PHPonTrax/tutorial_ApplicationMailer.cls.html">ApplicationMailer</a>
</ul>


							                        <b>Files:</b><br />
      	  <div class="package">
			<a href="../PHPonTrax/_vendor_trax_action_controller_php.html">		action_controller.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_mailer_php.html">		action_mailer.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_php.html">		action_view.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_active_record_php.html">		active_record.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_active_record_helper_php.html">		active_record_helper.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_add_phtml.html">		add.phtml
		</a><br>
			<a href="../PHPonTrax/_data_app_controllers_application_php.html">		application.php
		</a><br>
			<a href="../PHPonTrax/_data_app_views_layouts_application_phtml.html">		application.phtml
		</a><br>
			<a href="../PHPonTrax/_data_app_helpers_application_helper_php.html">		application_helper.php
		</a><br>
			<a href="../PHPonTrax/_data_app_application_mailer_php.html">		application_mailer.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_asset_tag_helper_php.html">		asset_tag_helper.php
		</a><br>
			<a href="../PHPonTrax/_test_layouts_catalog_phtml.html">		catalog.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_generator_templates_controller_php.html">		controller.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_controller_php.html">		controller.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_date_helper_php.html">		date_helper.php
		</a><br>
			<a href="../PHPonTrax/_data_config_environments_development_php.html">		development.php
		</a><br>
			<a href="../PHPonTrax/_data_public_dispatch_php.html">		dispatch.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_dispatcher_php.html">		dispatcher.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_edit_phtml.html">		edit.phtml
		</a><br>
			<a href="../PHPonTrax/_data_config_environment_php.html">		environment.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_error_phtml.html">		error.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_form_helper_php.html">		form_helper.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_form_options_helper_php.html">		form_options_helper.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_generator_templates_form_scaffolding_phtml.html">		form_scaffolding.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_form_tag_helper_php.html">		form_tag_helper.php
		</a><br>
			<a href="../PHPonTrax/_data_script_generate_php.html">		generate.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_helper_php.html">		helper.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_php.html">		helpers.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_index_phtml.html">		index.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_inflector_php.html">		inflector.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_input_filter_php.html">		input_filter.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_javascript_helper_php.html">		javascript_helper.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_generator_templates_layout_phtml.html">		layout.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_layout_phtml.html">		layout.phtml
		</a><br>
			<a href="../PHPonTrax/_makepkg_php.html">		makepkg.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_model_php.html">		model.php
		</a><br>
			<a href="../PHPonTrax/_data_config_environments_production_php.html">		production.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_router_php.html">		router.php
		</a><br>
			<a href="../PHPonTrax/_data_config_routes_php.html">		routes.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_scaffold_controller_php.html">		scaffold_controller.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_session_php.html">		session.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_show_phtml.html">		show.phtml
		</a><br>
			<a href="../PHPonTrax/_data_config_environments_test_php.html">		test.php
		</a><br>
			<a href="../PHPonTrax/_trax_php.html">		trax.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_trax_exceptions_php.html">		trax_exceptions.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_trax_generator_php.html">		trax_generator.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_action_view_helpers_url_helper_php.html">		url_helper.php
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_view_phtml.html">		view.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_generator_templates_view_add_phtml.html">		view_add.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_generator_templates_view_edit_phtml.html">		view_edit.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_generator_templates_view_index_phtml.html">		view_index.phtml
		</a><br>
			<a href="../PHPonTrax/_vendor_trax_templates_scaffolds_generator_templates_view_show_phtml.html">		view_show.phtml
		</a><br>
	  </div><br />

      
            <b>Classes:</b><br />
        <div class="package">
		    		<a href="../PHPonTrax/.html"></a><br />
	    		<a href="../PHPonTrax/ActionController.html">ActionController</a><br />
	    		<a href="../PHPonTrax/ActionControllerError.html">ActionControllerError</a><br />
	    		<a href="../PHPonTrax/ActionMailer.html">ActionMailer</a><br />
	    		<a href="../PHPonTrax/ActiveRecord.html">ActiveRecord</a><br />
	    		<a href="../PHPonTrax/ActiveRecordError.html">ActiveRecordError</a><br />
	    		<a href="../PHPonTrax/ActiveRecordHelper.html">ActiveRecordHelper</a><br />
	    		<a href="../PHPonTrax/ApplicationController.html">ApplicationController</a><br />
	    		<a href="../PHPonTrax/ApplicationMailer.html">ApplicationMailer</a><br />
	    		<a href="../PHPonTrax/AssetTagHelper.html">AssetTagHelper</a><br />
	    		<a href="../PHPonTrax/DateHelper.html">DateHelper</a><br />
	    		<a href="../PHPonTrax/Dispatcher.html">Dispatcher</a><br />
	    		<a href="../PHPonTrax/FormHelper.html">FormHelper</a><br />
	    		<a href="../PHPonTrax/FormOptionsHelper.html">FormOptionsHelper</a><br />
	    		<a href="../PHPonTrax/FormTagHelper.html">FormTagHelper</a><br />
	    		<a href="../PHPonTrax/Helpers.html">Helpers</a><br />
	    		<a href="../PHPonTrax/Inflector.html">Inflector</a><br />
	    		<a href="../PHPonTrax/InputFilter.html">InputFilter</a><br />
	    		<a href="../PHPonTrax/JavaScriptHelper.html">JavaScriptHelper</a><br />
	    		<a href="../PHPonTrax/Router.html">Router</a><br />
	    		<a href="../PHPonTrax/ScaffoldController.html">ScaffoldController</a><br />
	    		<a href="../PHPonTrax/Session.html">Session</a><br />
	    		<a href="../PHPonTrax/TraxError.html">TraxError</a><br />
	    		<a href="../PHPonTrax/TraxGenerator.html">TraxGenerator</a><br />
	    		<a href="../PHPonTrax/UrlHelper.html">UrlHelper</a><br />
	  </div>

                </td>
    <td>
      <table cellpadding="10" cellspacing="0" width="100%" border="0"><tr><td valign="top">

<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="10%" align="left" valign="bottom"><a href=
"../PHPonTrax/tutorial_FormHelper.cls.html">Prev</a></td>
<td width="80%" align="center" valign="bottom"></td>
<td width="10%" align="right" valign="bottom"><a href=
"../PHPonTrax/tutorial_ActionMailer.cls.html">Next</a></td>
</tr>
</table>
<div><a name=""></a><div class="ref-title-box">InputFilter<h1 class="ref-title">InputFilter</h1>
  <h2 class="ref-purpose">Protect Against Malicious SQL and HTML</h2></div>
 <div class="ref-synopsis"><span class="author">Walt Haas
   <div class="author-blurb"><a href="mailto:hide@address.com">hide@address.com</a></div></span></div>
 <h1 align="center">Table of Contents</h1>
<ul>
  <li><a href="../PHPonTrax/tutorial_InputFilter.cls.html#intro">Introduction</a></li>
  <li><a href="../PHPonTrax/tutorial_InputFilter.cls.html#safesql">safeSQL(): Protect SQL</a></li>
  <li><a href="../PHPonTrax/tutorial_InputFilter.cls.html#process">process(): Protect Against HTML Tags and Attributes</a></li>
  <li><a href="../PHPonTrax/tutorial_InputFilter.cls.html#process_all">process_all(): Protect Against HTML in Request Variables</a></li>
</ul>

 <span><a name="intro"></a><h2 class="title">Introduction</h2><p><a href="../PHPonTrax/InputFilter.html">InputFilter</a> is a
  <a href="http://en.wikipedia.org/wiki/Singleton_pattern">singleton</a>
  class (although not enforced by the constructor) with three public
  methods that are useful in protecting a web site from potential
  security threats from user input.</p>
  <ul>
    <li><a href="../PHPonTrax/InputFilter.html#methodsafeSQL">InputFilter::safeSQL()</a> escapes user input
      before it is used in SQL.</li>
    <li><a href="../PHPonTrax/InputFilter.html#methodprocess">InputFilter::process()</a> removes unwanted HTML tags and
      attributes from user input.</li>
    <li><a href="../PHPonTrax/InputFilter.html#methodprocess_all">InputFilter::process_all()</a> applies
      process() to all possible sources of user input.</li>
  </ul></span>
 <span><a name="safesql"></a><h2 class="title">safeSQL(): Protect SQL</h2><p>Web site security may be threatened by
  <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>
  if user-supplied input is placed into a query without being properly screened.
  SQL statements are delimited by punctuation characters.  In
  particular, the beginning and end of the information being stored or
  searched for are delimited by quotes.  If a user is permitted to
  include unescaped quotes in their input, a malicious user may take
  advantage of this to inject unauthorized commands into the database.</p>

  <p>To protect against this attack, user input is examined
  for quotes and other characters that might be used in an attack, and
  every such character is <strong>escaped</strong> by prefixing
  the character with a backslash ('\').  The backslash tells the
  database to treat the following character as literal data rather than
  as part of the SQL syntax.</p>

  <p><a href="../PHPonTrax/InputFilter.html#methodsafeSQL">InputFilter::safeSQL()</a> may be called as a static
  method to screen character strings for threatening characters and
  apply the protective backslashes.  An open MySQL connection resource
  is required so that the escaping uses the character set of that
  connection.  For example:</p>

  <pre class="example">$rs = mysql_connect('hostname', 'username', 'password');
$unsafe = &quot;search term'; drop database employees;&quot;;
$protected = InputFilter::safeSQL($unsafe,$rs);
// $protected contains &quot;search term\'; drop database employees;&quot;</pre></span>
 <span><a name="process"></a><h2 class="title">process(): Protect Against HTML Tags and Attributes</h2><p><a href="../PHPonTrax/InputFilter.html#methodprocess">InputFilter::process()</a> eliminates potentially
  dangerous HTML tags and attributes from its input.  There are
  internal lists of
  <a href="../PHPonTrax/InputFilter.html#var$tagBlacklist">blacklisted tags</a> and
  <a href="../PHPonTrax/InputFilter.html#var$attrBlacklist">blacklisted attributes</a> that can
  optionally be removed from the input.  The constructor also accepts
  lists of forbidden tags and attributes and allows the listed names
  to be removed, or alternatively to be the only names
  accepted.</p>

  <p>To use this method, you must construct an object of the
  InputFilter class, with optional behavior specified in the
  constructor call. The options are stored as static attributes of the
  class, so every object of the class uses the options set by the most
  recently constructed object.  Because of this shared state, static
  calls make the code more readable. For example:</p>

  <pre class="example">@new InputFilter();
$output_string = InputFilter::process($input_string);</pre>

  <p>The default constructor, as above, rejects all tags and
  attributes, returning only the text between tags.  You can construct
  an object which rejects only the blacklisted tags and attributes as
  follows:</p>

  <pre class="example">@new InputFilter(array(),array(),1,1,1);</pre>

  <p>You would probably be more secure if you listed the tags and
  attributes you know to be safe, instead of trying to enumerate
  everything that might be a threat:</p>
  <pre class="example">@new InputFilter(array('div','span','strong','em'),
                 array('id','class'),0,0,0);</pre></span>
 <span><a name="process_all"></a><h2 class="title">process_all(): Protect Against HTML in Request Variables</h2><p><a href="../PHPonTrax/InputFilter.html#methodprocess_all">InputFilter::process_all()</a> eliminates potentially
  dangerous HTML tags and attributes from the predefined globals
  <a href="http://www.php.net/reserved.variables#reserved.variables.post">$_POST</a>,
  <a href="http://www.php.net/reserved.variables#reserved.variables.get">$_GET</a>
  and
 <a href="http://www.php.net/reserved.variables#reserved.variables.request">$_REQUEST</a>.
  Call the method statically, as InputFilter::process_all() with the same
  arguments as used by <a href="../PHPonTrax/InputFilter.html#method__construct">the constructor</a>.
  A new object will be constructed with these options and then
  InputFilter::process() will be called on each of $_GET, $_POST and
  $_REQUEST.  The options in the call to process_all() are stored as
  static attributes of the new object, so they will be used on any calls to
  <a href="../PHPonTrax/InputFilter.html#methodprocess">InputFilter::process()</a> until another object is
  constructed.</p></span></div>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="../PHPonTrax/tutorial_FormHelper.cls.html">Prev</a></td>
<td width="34%" align="center" valign="top">&nbsp;</td>
<td width="33%" align="right" valign="top"><a href=
"../PHPonTrax/tutorial_ActionMailer.cls.html">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">FormHelper</td>
<td width="34%" align="center" valign="top"></td>
<td width="33%" align="right" valign="top">ActionMailer</td>
</tr>
</table>
        <div class="credit">
		    <hr />
		    Documentation generated on Thu, 04 May 2006 19:46:55 -0600 by <a href="http://www.phpdoc.org">phpDocumentor 1.3.0RC4</a>
	      </div>
      </td></tr></table>
    </td>
  </tr>
</table>

</body>
</html>