
   1  <?php
   2  ///////////////////////////////////////

   3  // sanitize.inc.php

   4  // Sanitization functions for PHP

   5  // by: Gavin Zuchlinski, Jamie Pratt, Hokkaido

   6  // webpage: http://libox.net

   7  // Last modified: September 27, 2003

   8  //

   9  // Many thanks to those on the webappsec list for helping me improve these functions

  10  ///////////////////////////////////////

  11  // Function list:

  12  // sanitize_paranoid_string($string) -- input string, returns string stripped of all non 

  13  //           alphanumeric

  14  // sanitize_system_string($string) -- input string, returns string stripped of special

  15  //           characters

  16  // sanitize_sql_string($string) -- input string, returns string with slashed out quotes

  17  // sanitize_html_string($string) -- input string, returns string with html replacements

  18  //           for special characters

  19  // sanitize_int($integer) -- input integer, returns ONLY the integer (no extraneous

  20  //           characters)

  21  // sanitize_float($float) -- input float, returns ONLY the float (no extraneous 

  22  //           characters)

  23  // sanitize($input, $flags) -- input any variable, performs sanitization 

  24  //           functions specified in flags. flags can be bitwise 

  25  //           combination of PARANOID, SQL, SYSTEM, HTML, INT, FLOAT, LDAP, 

  26  //           UTF8

  27  ///////////////////////////////////////

  28  if (!defined('PARANOID')) define("PARANOID", 1);
  29  if (!defined('SQL')) define("SQL", 2);
  30  if (!defined('SYSTEM')) define("SYSTEM", 4);
  31  if (!defined('HTML')) define("HTML", 8);
  32  if (!defined('INT')) define("INT", 16);
  33  if (!defined('FLOAT')) define("FLOAT", 32);
  34  if (!defined('LDAP')) define("LDAP", 64);
  35  if (!defined('UTF8')) define("UTF8", 128);
  36  
// Internal helper used by sanitize() when the UTF8 flag is set: maps
// accented Latin-1 letters onto plain ASCII look-alikes via strtr().
// Thanks to Jamie Pratt for noticing that PHP's own function is a little
// screwy.
//
// NOTE(review): the "from" string below appears as "???????" in this
// listing, which looks like a character-set mangling of the original
// accented characters rather than the real source -- confirm against the
// file on disk. strtr() only translates as many characters as the shorter
// of its two strings, so a 7-character "from" string would map only the
// first 7 entries of the "to" string and any other input byte passes
// through unchanged. This is also a byte-wise transliteration, not a
// UTF-8 decode: genuine multi-byte UTF-8 input is not decoded here.
function my_utf8_decode($string)
{
return strtr($string, 
  "???????", 
  "SOZsozYYuAAAAAAACEEEEIIIIDNOOOOOOUUUUYsaaaaaaaceeeeiiiionoooooouuuuyy");
}
  46  
  47  // paranoid sanitization -- only let the alphanumeric set through

  48  function sanitize_paranoid_string($string, $min='', $max='')
  49  {
  50    $string = preg_replace("/[^a-zA-Z0-9]/", "", $string);
  51    $len = strlen($string);
  52    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
  53      return FALSE;
  54    return $string;
  55  }
  56  
  57  // sanitize a string in prep for passing a single argument to system() (or similar)

  58  function sanitize_system_string($string, $min='', $max='')
  59  {
  60    $pattern = '/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i'; // no piping, passing possible environment variables ($),

  61                             // seperate commands, nested execution, file redirection, 

  62                             // background processing, special commands (backspace, etc.), quotes

  63                             // newlines, or some other special characters

  64    $string = preg_replace($pattern, '', $string);
  65    $string = '"'.preg_replace('/\$/', '\\\$', $string).'"'; //make sure this is only interpretted as ONE argument

  66    $len = strlen($string);
  67    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
  68      return FALSE;
  69    return $string;
  70  }
  71  
  72  // sanitize a string for SQL input (simple slash out quotes and slashes)

  73  function sanitize_sql_string($string, $min='', $max='')
  74  {
  75    $pattern[0] = '/(\\\\)/';
  76    $pattern[1] = "/\"/";
  77    $pattern[2] = "/'/";
  78    $replacement[0] = '\\\\\\';
  79    $replacement[1] = '\"';
  80    $replacement[2] = "\\'";
  81    $len = strlen($string);
  82    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
  83      return FALSE;
  84    return preg_replace($pattern, $replacement, $string);
  85  }
  86  
  87  // sanitize a string for SQL input (simple slash out quotes and slashes)

  88  function sanitize_ldap_string($string, $min='', $max='')
  89  {
  90    $pattern = '/(\)|\(|\||&)/';
  91    $len = strlen($string);
  92    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
  93      return FALSE;
  94    return preg_replace($pattern, '', $string);
  95  }
  96  
  97  
  98  // sanitize a string for HTML (make sure nothing gets interpretted!)

  99  function sanitize_html_string($string)
 100  {
 101    $pattern[0] = '/\&/';
 102    $pattern[1] = '/</';
 103    $pattern[2] = "/>/";
 104    $pattern[3] = '/\n/';
 105    $pattern[4] = '/"/';
 106    $pattern[5] = "/'/";
 107    $pattern[6] = "/%/";
 108    $pattern[7] = '/\(/';
 109    $pattern[8] = '/\)/';
 110    $pattern[9] = '/\+/';
 111    $pattern[10] = '/-/';
 112    $replacement[0] = '&amp;';
 113    $replacement[1] = '&lt;';
 114    $replacement[2] = '&gt;';
 115    $replacement[3] = '<br>';
 116    $replacement[4] = '&quot;';
 117    $replacement[5] = '&#39;';
 118    $replacement[6] = '&#37;';
 119    $replacement[7] = '&#40;';
 120    $replacement[8] = '&#41;';
 121    $replacement[9] = '&#43;';
 122    $replacement[10] = '&#45;';
 123    return preg_replace($pattern, $replacement, $string);
 124  }
 125  
 126  // make int int!

 127  function sanitize_int($integer, $min='', $max='')
 128  {
 129    $int = intval($integer);
 130    if((($min != '') && ($int < $min)) || (($max != '') && ($int > $max)))
 131      return FALSE;
 132    return $int;
 133  }
 134  
 135  // make float float!

 136  function sanitize_float($float, $min='', $max='')
 137  {
 138    $float = floatval($float);
 139    if((($min != '') && ($float < $min)) || (($max != '') && ($float > $max)))
 140      return FALSE;
 141    return $float;
 142  }
 143  
 144  // glue together all the other functions

 145  function sanitize($input, $flags, $min='', $max='')
 146  {
 147    if($flags & UTF8) $input = my_utf8_decode($input);
 148    if($flags & PARANOID) $input = sanitize_paranoid_string($input, $min, $max);
 149    if($flags & INT) $input = sanitize_int($input, $min, $max);
 150    if($flags & FLOAT) $input = sanitize_float($input, $min, $max);
 151    if($flags & HTML) $input = sanitize_html_string($input, $min, $max);
 152    if($flags & SQL) $input = sanitize_sql_string($input, $min, $max);
 153    if($flags & LDAP) $input = sanitize_ldap_string($input, $min, $max);
 154    if($flags & SYSTEM) $input = sanitize_system_string($input, $min, $max);
 155    return $input;
 156  }
 157  
 158  // CMS API function added by RV. 

 159  function netquery_userapi_sanitize($args)
 160  {
 161    extract($args);
 162    if (!isset($input)) return;
 163    if (!isset($flags)) $flags = 'PARANOID';
 164    if (!isset($min)) $min = '';
 165    if (!isset($max)) $max = '';
 166    return sanitize($input, $flags, $min, $max);
 167  }
 168  ?>
