Apparent user-content filtering in PHP
June 1, 2008 – 9:06 pm
The following fellow is a tard.
http://www.soaptray.com/2008/04/filtering-user-input-in-php/
How I start to loathe StumbleUpon and, worse, the people that promote their own blogpost thinking they’ve actually produced something awesome. I’m not going to go into it anymore, instead I’ll copypasta the comment I posted on there:
I have some critical comments on your code. First off, why do you write a Filter class that doesn’t have any actual class-level methods? The methods are all plain, static methods, and should either be declared static (so you can do Filter::whitespace($string) etc.), or be left out of a class declaration altogether (which is a bit faster than declaring static methods).
Second, your methods make little sense. For the methods you posted, there’s regular PHP functions already there.
Your first one:
// Removes all whitespace from a string
function whitespace($str){
$str = preg_replace('/\s\s+/', ' ', $str);
return $str;
}
can, firstly, be rephrased as
function whitespace($str){
return preg_replace('/\s\s+/', ' ', $str);
}
and, secondly, there’s a trim() function in the standard PHP library that removes all whitespace in front and behind a string. Don’t re-invent the wheel, instead read up on PHP’s APIs etc.
// Removes characters not valid in an e-mail address
function email($email){
$email = preg_replace('/[^a-z0-9+_.@-]/i', '', $email);
$email = strtolower($email);
return $email;
}
can be re-written as
// Removes characters not valid in an e-mail address
function email($email){
return strtolower(preg_replace('/[^a-z0-9+_.@-]/i', '', $email));
}
and second, I’d make it an e-mail validation instead of removing invalid characters.
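To show the difference between stripping characters and validating, here is an added example (mine, not code from the post above or from the blog being criticised). It puts the original stripping function next to a validating one built on PHP's standard filter_var() with FILTER_VALIDATE_EMAIL, and runs both over a few constructed inputs:

```php
<?php
// Added example: sanitising by stripping characters vs. validating and rejecting.
// Neither function is from the original post or the critiqued blog.

// The stripping approach from the critiqued code: silently rewrites bad input
// into something that merely looks like an address.
function email_strip($email)
{
    return strtolower(preg_replace('/[^a-z0-9+_.@-]/i', '', $email));
}

// The validation approach: accept the address unchanged or reject it.
// filter_var() / FILTER_VALIDATE_EMAIL are standard PHP (5.2+).
// Lowercasing mirrors the original function; drop it if the local part must be preserved.
function email_validate($email)
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return strtolower($email);
}

// Constructed sample inputs.
$inputs = array(
    'alice@example.com',         // fine
    '  Bob.Smith@Example.ORG ',  // fine once trimmed
    'carol@@example.com',        // invalid, but built only from "allowed" characters
    'frank@exam ple.com',        // invalid: space inside the domain
    'eve <eve@example.com>',     // display-name form; stripping yields eveeve@example.com
);

foreach ($inputs as $in) {
    $stripped  = email_strip($in);
    $validated = email_validate($in);
    printf("%-30s strip => %-24s validate => %s\n",
        var_export($in, true),
        $stripped,
        $validated === false ? 'REJECTED' : $validated);
}
```

The third and fifth inputs are the interesting ones: the stripping version happily returns carol@@example.com (still invalid) and eveeve@example.com (a different address from the one the user typed), whereas the validating version rejects both and leaves the fix to the user.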
Your next function:
// Removes tags, whitespace
function text($str){
// Ensure it’s a string
$str = strval($str);
// We strip all html tags
$str = strip_tags($str);
// Remove any whitespace using
// the define method above
$str = $this->whitespace($str);
return $str;
}
firstly has no logical name - what does a function ‘text’ do? Second, I wouldn’t recommend using the strip_tags function - pass it a string like “I pwn noobs like < and etc” - the < and everything behind it will be deleted. Or at least it did a few years ago when I last used it. Third, it’s kinda unneeded, since you can just call strip_tags(trim($str)); in your code.
The final method makes no sense whatsoever.
// Return the input as an integer
function integer($int){
$int = intval($int);
return $int;
}
You’re basically just calling intval, so why make a second method that calls intval again? Just call intval() right off in your example code and be done with it.
Also, the above methods WILL NOT prevent XSS attacks, which means that either you can’t be arsed to write an article that properly addresses the subject, or you have no clue what XSS is and, more importantly, how to prevent it.
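As an added illustration (my code, not from the post above or the blog it criticises) of why strip_tags() is neither a lossless nor a sufficient XSS defence: it discards legitimate data that looks like a tag and leaves quote characters untouched, so a value placed inside an HTML attribute is not protected at all. The defence is to encode at the point of output for the context the value lands in; for HTML text and double-quoted attributes that is htmlspecialchars() with ENT_QUOTES and an explicit charset:

```php
<?php
// Added example: strip_tags() loses data and does not encode; htmlspecialchars()
// keeps the data and makes it inert in HTML text/attribute context.

// Encode for an HTML text node or a quoted attribute value.
function html_encode($str)
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a legitimate display name that happens to contain
// quotes and angle brackets.
$name = 'Tom "TJ" O\'Brien <tom@example.com>';

echo "strip_tags:       ", strip_tags($name), "\n";
// => Tom "TJ" O'Brien
// The <tom@example.com> part was treated as a tag and removed (data loss),
// and the double and single quotes are still raw, so this value is not
// safe to drop into value="...".

echo "htmlspecialchars: ", html_encode($name), "\n";
// => Tom &quot;TJ&quot; O&#039;Brien &lt;tom@example.com&gt;

// Apply the encoding where the value is emitted, not where it is received:
$html = '<input type="text" name="name" value="' . html_encode($name) . '">'
      . '<p>Hello, ' . html_encode($name) . '</p>';
echo $html, "\n";
```

Store the user's input as they gave it (after validation) and encode on output; encoding on input both corrupts the stored data and fails the moment the same value is rendered in a different context, such as JavaScript or a URL, which needs its own encoder.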
2 Responses to “Apparent user-content filtering in PHP”
lots of low-hanging fruit in the php world, huh? you could get a lot of blog posts out of this premise.
By jimbo on Jun 8, 2008
Aye, pointing out other people’s mistakes can be a full-time job, if I want to. In fact, I’m sure that other people’s mistakes / misinterpretations can be a never-ending source of posts. Which is quite sad, =(.
By admin on Jun 9, 2008