<html>
<head>
<title>InputFilter</title>
<link rel="stylesheet" type="text/css" href="../media/style.css">
</head>
<body>
<table border="0" cellspacing="0" cellpadding="0" height="48" width="100%">
<tr>
<td class="header_top">PHPonTrax</td>
</tr>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr valign="top">
<td>
<table cellpadding="10" cellspacing="0" width="100%" border="0"><tr><td valign="top">
<div><a name=""></a><div class="ref-title-box"><h1 class="ref-title">InputFilter</h1>
<h2 class="ref-purpose">Protect Against Malicious SQL and HTML</h2></div>
<div class="ref-synopsis"><span class="author">Walt Haas
<div class="author-blurb"><a href="mailto:hide@address.com">hide@address.com</a></div></span></div>
<h1 align="center">Table of Contents</h1>
<ul>
<a href="../PHPonTrax/tutorial_InputFilter.cls.html#intro">Introduction</a><br />
<a href="../PHPonTrax/tutorial_InputFilter.cls.html#safesql">safeSQL(): Protect SQL</a><br />
<a href="../PHPonTrax/tutorial_InputFilter.cls.html#process">process(): Protect Against HTML Tags and Attributes</a><br />
<a href="../PHPonTrax/tutorial_InputFilter.cls.html#process_all">process_all(): Protect Against HTML in Request Variables</a><br />
</ul>
<span><a name="intro"></a><h2 class="title">Introduction</h2><p><a href="../PHPonTrax/InputFilter.html">InputFilter</a> is a
<a href="http://en.wikipedia.org/wiki/Singleton_pattern">singleton</a>
class (although not enforced by the constructor) with three public
methods that are useful in protecting a web site from potential
security threats from user input.</p>
<ul>
<li><a href="../PHPonTrax/InputFilter.html#methodsafeSQL">InputFilter::safeSQL()</a> protects SQL from the
user.</li>
<li><a href="../PHPonTrax/InputFilter.html#methodprocess">InputFilter::process()</a> protects HTML tags and
attributes from the user.</li>
<li><a href="../PHPonTrax/InputFilter.html#methodprocess_all">InputFilter::process_all()</a> applies
process() to all possible sources of user input.</li>
</ul></span>
<span><a name="safesql"></a><h2 class="title">safeSQL(): Protect SQL</h2><p>Web site security may be threatened by
<a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>
if user-supplied input is placed into a query without being properly screened.
SQL statements are delimited by punctuation characters. In
particular, the beginning and end of the information being stored or
searched for are delimited by quotes. If a user is permitted to
include unprotected quotes in their search, there is a danger that
a malicious user might take advantage of this to inject unauthorized
commands into the database.</p>
<p>To protect against this attack, user information is examined
for quotes and other characters that might be used in an attack, and
every such character is <strong>escaped</strong> by prefixing
the character with a backslash ('\'). The backslash tells the
database to treat the following character as data, not a
command.</p>
<p><a href="../PHPonTrax/InputFilter.html#methodsafeSQL">InputFilter::safeSQL()</a> may be called as a static
method to screen character strings for threatening characters and
apply the protective backslashes. An open MySQL connection resource
is needed to establish the appropriate character set. For
example:</p>
<pre class="example">$rs = mysql_connect('hostname', 'username', 'password');
$unsafe = "search term'; drop database employees;";
$protected = InputFilter::safeSQL($unsafe,$rs);
// $protected contains "search term\'; drop database employees;"</pre></span>
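<p>The escaping described above, as an added example that is not PHPonTrax code: a pure-PHP stand-in for the backslash treatment safeSQL() applies, so it runs without a MySQL connection. It escapes the same characters <code>mysql_real_escape_string()</code> does (NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z) and assumes a single-byte-safe character set such as UTF-8; the real function takes the character set from the connection resource, which is why safeSQL() needs one. The function names and the two inputs are constructed for this example. It goes one step beyond the text by showing where escaping stops helping: an unquoted numeric context has no quote to escape, so the value must be validated or cast instead.</p>

```php
<?php
// Added example, not PHPonTrax code. Mirrors the character set that
// mysql_real_escape_string() escapes; assumes a single-byte-safe charset
// such as UTF-8 (the real function reads the charset from the connection).
function escape_mysql_literal(string $value): string
{
    // strtr() with an array walks the input once, so an inserted backslash
    // is never escaped a second time.
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Escaping only protects a value that sits inside a quoted string literal:
// once every quote in the value carries a backslash, the value cannot close
// the quotes that surround it.
function build_name_query(string $term): string
{
    return "SELECT id FROM employees WHERE name = '" . escape_mysql_literal($term) . "'";
}

// In an unquoted (numeric) context there is no quote to escape, so the same
// treatment leaves the value unchanged and the query structure unprotected.
function build_id_query_escaped_only(string $id): string
{
    return "SELECT id FROM employees WHERE id = " . escape_mysql_literal($id);
}

// Casting (or validating against an integer pattern) is what protects a
// numeric context: anything that is not a leading integer is discarded.
function build_id_query_cast(string $id): string
{
    return "SELECT id FROM employees WHERE id = " . (int) $id;
}

// Constructed inputs: the page's own string literal example and a value
// aimed at a numeric column.
$term = "search term'; drop database employees;";
$id   = "1 OR 1=1";

echo build_name_query($term), "\n";
echo build_id_query_escaped_only($id), "\n";
echo build_id_query_cast($id), "\n";
```

<p>Running it prints the first query with the quote inside the term escaped, so the whole term stays one string literal; the second query shows the escaping function returning the numeric value untouched, because it contains nothing to escape; the cast reduces it to the integer 1. Prepared statements with bound parameters (PDO or mysqli) make both cases a non-issue and are preferable to string assembly wherever the database driver supports them.</p>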
<span><a name="process"></a><h2 class="title">process(): Protect Against HTML Tags and Attributes</h2><p><a href="../PHPonTrax/InputFilter.html#methodprocess">InputFilter::process()</a> eliminates potentially
dangerous HTML tags and attributes from its input. There are
internal lists of
<a href="../PHPonTrax/InputFilter.html#var$tagBlacklist">blacklisted tags</a> and
<a href="../PHPonTrax/InputFilter.html#var$attrBlacklist">blacklisted attributes</a> that can
optionally be removed from the input. The constructor also accepts
lists of forbidden tags and attributes and allows the listed names
to be removed, or alternatively to be the only names
accepted.</p>
<p>To use this method, you must construct an object of the
InputFilter class, with optional behavior specified in the
constructor call. The options are stored as static attributes of the
constructed object, so any reference to an object of the class will
use the attributes in the most recent object. Therefore it makes
code more readable to use static calls. For example:</p>
<pre class="example">@new InputFilter();
$output_string = InputFilter::process($input_string);</pre>
<p>The default constructor, as above, rejects all tags and
attributes, returning only the text between tags. You can construct
an object which rejects only the blacklisted tags and attributes as
follows:</p>
<pre class="example">@new InputFilter(array(),array(),1,1,1);</pre>
<p>You would probably be more secure if you listed what you know
to be safe, instead of trying to think of everything that might
be a threat:</p>
<pre class="example">@new InputFilter(array('div','span','strong','em'),
array('id','class'),0,0,0);</pre></span>
<span><a name="process_all"></a><h2 class="title">process_all(): Protect Against HTML in Request Variables</h2><p><a href="../PHPonTrax/InputFilter.html#methodprocess_all">InputFilter::process_all()</a> eliminates potentially
dangerous HTML tags and attributes from the predefined globals
<a href="http://www.php.net/reserved.variables#reserved.variables.post">$_POST</a>,
<a href="http://www.php.net/reserved.variables#reserved.variables.get">$_GET</a>
and
<a href="http://www.php.net/reserved.variables#reserved.variables.request">$_REQUEST</a>.
Call the method statically, as InputFilter::process_all() with the same
arguments as used by <a href="../PHPonTrax/InputFilter.html#method__construct">the constructor</a>.
A new object will be constructed with these options and then
InputFilter::process() will be called on each of $_GET, $_POST and
$_REQUEST. The options in the call to process_all() are stored as
static attributes of the new object, so they will be used on any calls to
<a href="../PHPonTrax/InputFilter.html#methodprocess">InputFilter::process()</a> until another object is
constructed.</p></span></div>
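<p>The tag and attribute whitelisting described in the process() section and the walk over request variables described in the process_all() section, as one added example that is not PHPonTrax code: a small regex-based filter that keeps only listed tags and attributes and drops everything else while preserving the text between tags, plus a recursive walker that applies it to a nested request array the way process_all() treats $_GET, $_POST and $_REQUEST. The function names, the sample request array and the whitelists are constructed for this example; the filter is an illustration of the technique and not the library's implementation.</p>

```php
<?php
// Added example, not PHPonTrax code: whitelist filtering of tags and
// attributes (in the spirit of InputFilter::process()) and a recursive pass
// over a request array (in the spirit of InputFilter::process_all()).
function filter_html(string $html, array $allowedTags, array $allowedAttrs): string
{
    $allowedTags  = array_map('strtolower', $allowedTags);
    $allowedAttrs = array_map('strtolower', $allowedAttrs);

    // Drop HTML comments first; they can hide tag fragments from a naive scan.
    $html = preg_replace('/<!--.*?-->/s', '', $html);

    return preg_replace_callback(
        '/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/s',
        function (array $m) use ($allowedTags, $allowedAttrs): string {
            $closing = ($m[1] === '/');
            $tag     = strtolower($m[2]);
            if (!in_array($tag, $allowedTags, true)) {
                return '';               // tag removed, the text between tags survives
            }
            if ($closing) {
                return '</' . $tag . '>';
            }
            // Matches name="v", name='v', name=v or a bare name. Only one of the
            // three value groups can match; the others are '' or absent.
            preg_match_all(
                '/([a-zA-Z][a-zA-Z0-9_:-]*)\s*(?:=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+)))?/',
                $m[3], $attrs, PREG_SET_ORDER
            );
            $kept = '';
            foreach ($attrs as $a) {
                $name = strtolower($a[1]);
                if (!in_array($name, $allowedAttrs, true)) {
                    continue;            // event handlers, style, href etc. are dropped
                }
                $value = ($a[2] ?? '') . ($a[3] ?? '') . ($a[4] ?? '');
                // Re-quote and entity-encode so the value cannot break out of the
                // attribute; double_encode=false keeps existing entities intact.
                $kept .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false) . '"';
            }
            return '<' . $tag . $kept . '>';
        },
        $html
    );
}

// Apply the filter to every string in a (possibly nested) request array.
function filter_request(array $request, array $allowedTags, array $allowedAttrs): array
{
    foreach ($request as $key => $value) {
        $request[$key] = is_array($value)
            ? filter_request($value, $allowedTags, $allowedAttrs)
            : filter_html((string) $value, $allowedTags, $allowedAttrs);
    }
    return $request;
}

// Constructed request data standing in for $_POST.
$post = [
    'title' => '<div id="t" onclick="steal()">Hello <script>alert(1)</script></div>',
    'body'  => ['intro' => '<a href="javascript:void(0)">link</a> <em class="q">text</em>'],
];

// Whitelist: only div/span/strong/em and id/class survive; onclick, script and
// the anchor are removed while their text content is kept.
print_r(filter_request($post, ['div', 'span', 'strong', 'em'], ['id', 'class']));

// Empty whitelist, matching the default constructor's behaviour: every tag is
// removed and only the text between tags remains.
print_r(filter_request($post, [], []));
```

<p>Two caveats that matter when judging this kind of filter. First, a removed element's text survives, so the body of a removed script element is still returned as plain text; that matches what process() is documented to do and is harmless only because the text is no longer inside a tag. Second, a regex scanner stops an opening tag at the first <code>&gt;</code>, so a value such as <code>id="a&gt;b"</code> is not handled the way a browser handles it; anything beyond an illustration should tokenise with an HTML parser such as DOMDocument and apply the whitelist to the resulting tree.</p>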
<div class="credit">
<hr />
Documentation generated on Thu, 04 May 2006 19:46:55 -0600 by <a href="http://www.phpdoc.org">phpDocumentor 1.3.0RC4</a>
</div>
</td></tr></table>
</td>
</tr>
</table>
</body>
</html>