PHP 输入 GET 变量清理

Question

For my application, written in PHP 5+, I have a common.php which is included from all other pages. Within that I have an include sanitize.php which aims to sanitise any input vars used in the URL. So, targetting $_GET[] values.

This is just to have one place where I can tidy any vars, if used, and use them in the code later.

There seems to be no tidy way, I've seen, to sanitise based on expected/desired inputs. The method I initially looked at was this sanitize.php having a foreach to loop through any vars, lookup the type of sanitization required, and then add the cleaned vars to a separate array for use within my code.

Instead of using PHP sanitization filters, to keep it standard, I thought I'd use regex. Types I want are alphaonly , alphanumeric , email , password . Although "password" would allow some special chars, I want to remove or even escape potentially "hazardous" ones like ' " to then be included into a mysql DB. We have a european userbase so different locales are possible, but I'm hoping that won't be too much of an issue.

Would this be a "good" solution to start from, or am I trying to reinvent the wheel?

Random Page

/mypage.php?c=userid&p=lkasjdlakjsdlakj&z=....
(use SANITIZED_SAFE_INPUT_VARS variable only)

sanitize.php

var aryAllowedGetParamNames = array(
    "c" => "alphaonly",         //login
    "p" => "alphaemail",        //password
    "e" => "email"              //email
    //...
);

var sanitizeTypes = array (
    "alphaonly" => "[a-zA-Z]",
    "alphanumeric" => "[a-zA-Z0-9]",
    "email" => "[a-zA-Z0-9]...etc"
);

var SANITIZED_SAFE_INPUT_VARS = array();

foreach ($_GET as $key => $value) { 
    //apply regex and add value to SANITIZED_SAFE_INPUT_VARS 
}

EDIT

There seems to be some opinion about the use of passwords in the URL. I'll explain in a little more detail. Instead of using a POST login prompt with username and password, I am using an ajax async call to _db_tryLogin.php with parameters for userid and password. The username is ALWAYS a 6-ALPHA-only text string, and the password is an md5 of what was typed. I'm aware of the opinions on MD5 not being "safe enough".

The JS currently MD5s the password and sends that to the _db_tryLogin.php .

-> async : _db_login.php?c=ABCDEF&p=SLKDauwfLKASFUWPOjkjafkKoAWOIFHF2733287

This will return an async response of "1" or "0". Both will cause the page to refresh, but if the _db_tryLogin.php page detects the password and userid matches one DB record, then session variables are set and the site knows the user is logged in.

I used MD5 for the async request just to quickly hash the password so it's not transmitted in plaintext.

The _db_tryLogin.php takes the password, which is md5(plainpass) adds a SALT and MD5s again, and then this is what is compared against the usertable in the DB.

DB password stored = md5(SALT.md5(plainpass))

Answer 1

What are you sanitising against? If you're [only] trying to protect your SQL database you're doing it wrong, and should be looking into Prepared Statements .

USER SUBMITTED DATA SHOULD NEVER BE TRUSTED. Accepted, yes, trusted - No.

Rather than going through a long tedious process of allowing certain chararacters, simply disallow (ie remove) characters you don't want to accept, such as non-alphanumeric or backtick characters etc. It may also save you a lot of efforts to use the PHP strip_tags() function.

1) Create your function in your include file. I would recommend creating it in an abstract Static Class , but that's a little beyond the scope of this answer.

2) Within this function/class method add your definitions for what bad characters you're looking for, and the data that these checks would apply to. You seem to have a good idea of your logic process, but be aware that there is no definitively correct code answer, as each programmers' needs from a string are different.

3) using the criteria defined in (2) you can then use the Regex to remove non-valid characters to return a "safe" set of variables.

example:

   // Remove backtick, single and double quotes from a variable.  
   // using PCRE Regex.
   $data = preg_relace("/[`"']/","",$data);

4) Use the PHP function strip_tags() to do just that and remove HTML and PHP code from a string.

5) For email validation use the PHP $email = filter_var($data, FILTER_SANITIZE_EMAIL); function, it will be far better than your own simple regex. Use PHP Filter Validations they are intended exactly for your sort of situation.

6) NEVER trust the output data, even if it passes all the checks and regexes you can give it, something may still get through. ALWAYS be VERY wary of user submitted data. NEVER trust it.

7) Use Prepared Statements for your SQL interactions.

8) As a shortcut for number types (int / float) you can use PHP type-casting to force a given varibles to being a certain type and destroying any chance of it being anything else:

$number = $_GET['number']; //can be anything.
$number = (int)$_GET['number']; //must be an integer or zero.

Notes:

• Passwords should not be az only, but should be as many characters as you are able to choose from, the more the better.

• If the efforts you are actioning here are for the case of protecting database security and integrity, you're doing it wrong, and should be using Prepared Statements for your MySQL interactions.

• Stop using var to declare variables as this is from PHP4 and is VERY old , it is far better to use the Variable preconditional $ (such as $variable = true; ) .

• You state:

  We have a european userbase so different locales are possible

  To which I would highly recommend exploring PHP mb_string functions because natively PHP is not mutlibyte safe.

Answer 2

I would to start just regex each variable , apply null if it doesn't match the requirements. Either test what it SHOULD have only, or what it shouldn't have, whichever is smaller:

$safeValue = (preg_match('/^[a-zA-Z0-9]{0,5}$/',$value) ? $value : "");

ALONG with prepared statements with parameter input aka

$query = "SELECT x FROM table WHERE id=?";
bind_param("si",$var,$var)

PHP also comes in with built filters, such as email and others). Example: filter_var($data, FILTER_SANITIZE_EMAIL)

http://php.net/manual/en/filter.filters.sanitize.php