views:

164

answers:

2

I'm using the following to clean up input from my contact form:

<?php
$name = strip_tags(stripslashes($_POST['name']));
//this is repeated for several other fields, then:

if(isInjected($name)) { die(); }
/* see isInjected function below */

// send the mail
?>

I'm using this function:

<?php
/* function from http://phpsense.com/php/php-mail.html */
function isInjected($str) {
    $injections = array(
        '(\n+)',
        '(\r+)',
        '(\t+)',
        '(%0A+)',
        '(%0D+)',
        '(%08+)',
        '(%09+)'
    );
    $inject = join('|', $injections);
    $inject = "/$inject/i";
    if(preg_match($inject, $str)) {
        return true;
    }
    else {
        return false;
    }
}
?>

Is this sufficient to clean up my contact form?

thanks.

+1  A: 

As a side note, that code is a little bloated. It can be trimmed down quite easily:

/* function from http://phpsense.com/php/php-mail.html */
function isInjected($str) {
    // raw CR/LF/tab and their URL-encoded forms (the original list included \n, so it is kept here)
    $inject = "/(\r|\n|\t|%0A|%0D|%08|%09)+/i";
    return (preg_match($inject, $str) > 0);
}
cballou
very nice, thanks.
Met
Why the parentheses around `(preg_match($inject, $str) > 0)`? :)
chelmertz
Just a personal preference of mine. It probably stems from when I use the ternary operator to determine a function param or inside of a concatted string and the parens are needed.
cballou
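As an added example that is not part of the question or either answer: the same newline check applied only to the fields that end up in mail headers, combined with filter_var() on the address, run over two constructed sample submissions (the field names and values are assumptions, not from the original form).

```php
<?php
// Added example, not the question's or answers' code. Field names and sample
// inputs below are constructed for illustration.

/* Same check as isInjected() above: raw or URL-encoded CR, LF, tab, backspace. */
function isInjected(string $str): bool {
    return preg_match("/(\r|\n|\t|%0A|%0D|%08|%09)+/i", $str) > 0;
}

/*
 * Validate only the fields that are placed into SMTP headers (From, Reply-To,
 * Subject). The message body may legitimately contain newlines, so it must
 * NOT be run through isInjected(), otherwise every multi-line message dies.
 * Returns a list of error strings; an empty list means the fields are safe.
 */
function validateContactHeaders(array $post): array {
    $errors  = [];
    $name    = trim(strip_tags($post['name']    ?? ''));
    $email   = trim($post['email']   ?? '');
    $subject = trim(strip_tags($post['subject'] ?? ''));

    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif (isInjected($value)) {
            $errors[] = "$field contains header-breaking characters";
        }
    }
    // FILTER_VALIDATE_EMAIL also rejects CR/LF and whitespace inside the address.
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Constructed samples: a benign submission and one with a CRLF that would start a new header line.
$samples = [
    'benign'  => ['name' => 'Jane Doe', 'email' => 'jane@example.com', 'subject' => 'Hello'],
    'hostile' => ['name' => "Jane Doe\r\nX-Injected-Header: test", 'email' => 'jane@example.com', 'subject' => 'Hi'],
];
foreach ($samples as $label => $post) {
    $errors = validateContactHeaders($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
}
```

Only the fields in $errors need rejecting; the body is passed to mail() unchanged, since its newlines are content, not headers.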
A: 

It seems pretty decent and better than average input validation. Personally I also prefer handling input types. In my base controller I have several functions to check whether input is a valid date of birth, email address, etc. If you add such validation to your existing validation you're handling it well IMO.

Ben Fransen