What are some good PHP html (input) sanitizers?

Preferably, if something is built in - I'd like to use that.

UPDATE:

Per the request, via comments, input should not allow HTML (and obviously prevent XSS & SQL Injection, etc).

+1  A: 

html purifier -> http://htmlpurifier.org/

Osman Üngür
Hm. It says it removes XSS attacks, but my XSS-attack string (from http://ha.ckers.org/xss.html) came cleanly through.
Sorcy
@Sorcy, wow - that's not good :(
TeddyN
A: 

I've always used PHP's addslashes() and stripslashes() functions, but I also just saw the built-in filter_var() function (link). Looks like there are quite a few built-in filters.

awshepard
for what purpose did you use PHP's addslashes() and stripslashes() functions?
Col. Shrapnel
A: 

If you want to run a query that uses, let's say, $_GET['user'], a nice solution would be to do something like this using mysql_real_escape_string():

<?php

    // escape the raw value using the currently open MySQL connection
    $user = mysql_real_escape_string($_GET['user']);
    $SQL = "SELECT * FROM users WHERE username = '$user'";

    // ... run $SQL now
?>

If you want to store a text in a database and then print it on a web page, consider using htmlentities().

[Edit]Or as awshepard said, you can use the addslashes() and stripslashes() functions[/Edit]

Here is a little example of sanitization when it comes to preventing XSS attacks:

<?php
    $str = "A 'quote' is <b>bold</b>";

    //Outputs: A 'quote' is <b>bold</b>
    echo $str;

    // Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
    echo htmlentities($str);

    // Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
    echo htmlentities($str, ENT_QUOTES);
?>
Dr.Optix
Wouldn't your MySQL example open you up to SQL Injection? (Your example should use Prepared Statements.)
TeddyN
I don't use Prepared Statements. I use mysql_real_escape_string(), as in the example, a lot in my PHP code and until now I was unable to find a way to exploit the code I've written. Maybe I don't see a possible attack vector that can bypass mysql_real_escape_string(), so if you have an example please let me know. I always want to learn something new.
Dr.Optix
@Dr Optix, StackOverflow confirms that mysql_real_escape_string() does not always prevent SQL Injection --> http://stackoverflow.com/questions/1220182/does-mysql-real-escape-string-fully-protect-against-sql-injection
TeddyN
@TeddyN thanx for the info
Dr.Optix
A: 

use

 $input_var=sanitize_input($_POST);

and the functions are below; they sanitize almost everything you need

function sanitize($var, $santype = 1){
    if ($santype == 1) {return strip_tags($var);}
    if ($santype == 2) {return htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8');}
    if ($santype == 3)
    {
        if (!get_magic_quotes_gpc()) {
            return addslashes(htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8'));
        }
        else {
            return htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8');
        }
    }
    return $var; // unknown $santype: return the value unchanged
}

function sanitize_input($input,$escape_mysql=false,$sanitize_html=true,
         $sanitize_special_chars=true,$allowable_tags='<br><b><strong><p>')
{
    unset($input['submit']); //we use 'submit' variable for all of our forms

    $input_array = $input;

    //array is not referenced when passed into foreach
    //this is why we create another exact array
    foreach ($input as $key=>$value)
    {
        if(!empty($value))
        {
            $input_array[$key]=strtolower($input_array[$key]);
            //strip the slashes added by magic quotes
            if(get_magic_quotes_gpc()){$input_array[$key]=stripslashes($input_array[$key]);}

            //remove every tag except the ones listed in $allowable_tags
            if($sanitize_html){$input_array[$key] = strip_tags($input_array[$key],$allowable_tags);}

            //encode <, >, &, " so the value is safe in an HTML text context
            if($sanitize_special_chars){$input_array[$key] = htmlspecialchars($input_array[$key]);}

            //only needed if the value is interpolated into a MySQL query string
            if($escape_mysql){$input_array[$key] = mysql_real_escape_string($input_array[$key]);}
        }
    }

    return $input_array;
}

Remember: it will not sanitize multidimensional arrays; you need to modify it to work recursively.

diEcho
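Pulling the thread's advice together (no HTML in input per the question's UPDATE, prepared statements instead of mysql_real_escape_string() as raised in the comments on Dr.Optix's answer, and the recursion that diEcho's sanitizer lacks), here is an added example that is not from any answer above. It assumes PHP 7+ with PDO and the SQLite driver available; the form input is constructed.

```php
<?php
declare(strict_types=1);

// Recursively strip HTML from every string in a (possibly nested) input array.
// Note: strip_tags() removes tag markup, not the text between tags, so this is
// input normalisation; the real XSS defence is escaping at output time (see h()).
function stripHtmlRecursive(array $input): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            $clean[$key] = stripHtmlRecursive($value);   // recurse into nested arrays
        } elseif (is_string($value)) {
            $clean[$key] = trim(strip_tags($value));
        } else {
            $clean[$key] = $value;                       // ints, bools, null stay as-is
        }
    }
    return $clean;
}

// Escape for an HTML text context when rendering, not when storing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input resembling $_POST from a profile form (not real data).
$post = [
    'username' => "alice<script>alert(1)</script>",
    'profile'  => ['bio' => "I like <b>bold</b> & 'quotes'", 'tags' => ['php', '<i>x</i>']],
];
$clean = stripHtmlRecursive($post);

// Store with a prepared statement: the user data is bound as a parameter and
// never becomes part of the SQL text, so no escaping function is involved.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT, bio TEXT, tags TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (username, bio, tags) VALUES (:username, :bio, :tags)');
$stmt->execute([
    ':username' => $clean['username'],
    ':bio'      => $clean['profile']['bio'],
    ':tags'     => implode(',', $clean['profile']['tags']),
]);

// Read back and render: the remaining '&' and quotes are neutralised by h().
$row = $pdo->query('SELECT username, bio, tags FROM users')->fetch(PDO::FETCH_ASSOC);
echo '<p>' . h($row['username']) . ': ' . h($row['bio']) . ' [' . h($row['tags']) . "]</p>\n";
```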