'Disinfect' User input - php

[scifind]

Just wondering what methods are commoly used to 'cleanse' free text input from users to combat insertion of malicious code etc.

[BFG 9000]

I use this :-

PHP Code:

function veryClean($string, $min='', $max='')
{
  $string = preg_replace("/[^a-zA-Z0-9]/", "", $string);
  $len = strlen($string);
  if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
    return FALSE;
  return $string;
} 


TTFN

BFG

[Swiss]

I normally just run input through htmlentities()

[markschok]

I use a javascript that verifies each or as many of the form elements I want.
It does it by checking the form text box when it looses focus and checks the text against a list of banned words terms. It was originaly written to stop any swearies being used but stops code too. It pops up a warning if it finds any and takes the user back to the box they've just filled so the user will know you're preventing any shennanigans. If they sneak something past I haven't accounted for then a php cleaner could double check before pocessing. Remember PHP has a built in stripHTML command that you could use if you want to stop them posting tags.

[dmorison]

Hey BFG;

A little modification to your reg_exp and you can do the length verifcation as well...

PHP Code:

<?php
  // regular expressions to test for various input formats and database types
  $tests["varchar_1_255"] = "^[0-9a-zA-Z[:punct:] ]{1,255}$";
  $tests["ip_address"] = "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$";

  function validate($text,$test)
  {
    return ereg($test,$text);
  }

  $text = "Check this!";

  if (!validate($text,$tests["varchar_1_255"]))
  {
    print "Invalid entry!";
  }
?>

Of course, regardless of any client or server side form validation you must always use a function like mysql_escape_string() when using any untrusted input in the construction of an SQL statement.