Hi,
Just a little class I made to check users' submitted data; I thought it could help some people with security.
And if anyone wants to improve it, I'd be glad if you did.
* This program is under the GNU GPL license.
*
* You can contact the author of this program at .
*/
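// Defined regexps (you can add your own ones). They are matched with mb_ereg(),
// whose default Oniguruma/Ruby syntax treats ^ and $ as *line* anchors, so a
// value such as "abc\n123" would satisfy ^[[:digit:]]+$. \A and \z anchor the
// pattern to the whole string instead.
define('REG_DATE', '([[:digit:]]{4})-([[:digit:]]{2})-([[:digit:]]{2})'); // unanchored: matches a date anywhere in the value
define('REG_DIGIT_SIGNED', '\A-?[[:digit:]]+\z');   // optional leading minus only; "1-2" or "--" no longer pass
define('REG_DIGIT_UNSIGNED', '\A[[:digit:]]+\z');
define('REG_PASSWORD', '\A[[:alnum:]]+\z');
define('REG_TEXT', '[[:graph:][:blank:]]+');         // unanchored: only requires one printable character somewhere in the value
define('REG_WORD', '\A[[:alpha:]]+\z');

/**
 * Controls contents of the $_REQUEST variable.
 *
 * Every public method throws an Exception when the field is missing or
 * invalid and returns the accepted value otherwise. Values are trimmed and
 * HTML-escaped *before* they are validated, so the regexps and the length
 * limit see the escaped form (a single quote counts as the six characters
 * of "&#039;").
 */
final class checkVar
{
    /**
     * Fetches $_REQUEST[$field] as a trimmed, HTML-escaped string.
     *
     * Replaces the former isSet()/removeCharsThreats() pair (isSet is a
     * reserved word before PHP 7, and removeCharsThreats() escaped the raw,
     * untrimmed value, discarding its own trim()).
     *
     * @param string $field key of $_REQUEST
     * @return string
     * @throws Exception when the field is missing or is not a scalar (e.g. "?field[]=x")
     */
    private function fetch($field)
    {
        if (!isset($_REQUEST[$field])) {
            throw new Exception("You forgot to fill the $field field.");
        }
        $raw = $_REQUEST[$field];
        if (!is_scalar($raw)) {
            // trim()/htmlspecialchars() on an array would error (PHP 8) or yield null (PHP 7)
            throw new Exception("Unallowed value in $field field.");
        }
        // trim first so the escaping applies to the trimmed text; double_encode=false
        // leaves entities already present in the input untouched, as before.
        return htmlspecialchars(trim((string) $raw), ENT_QUOTES, 'UTF-8', false);
    }

    /**
     * Checks that the value is exactly "1" (what a checked checkbox sends).
     *
     * Uses a strict comparison: the former loose "!= 1" also accepted
     * values such as "1abc" on PHP < 8.
     *
     * @param string $field key of $_REQUEST
     * @return true
     * @throws Exception when the field is missing or not "1"
     */
    public function securityBool($field)
    {
        if ($this->fetch($field) !== '1') {
            throw new Exception("Unallowed value in $field field.");
        }
        return true;
    }

    /**
     * Checks that the value is one of the allowed ones listed in $enum.
     *
     * @param string $field key of $_REQUEST
     * @param string $enum  comma-separated list of allowed values, e.g. 'date,id,name'
     * @return string the accepted (escaped) value
     * @throws Exception when the field is missing or not in the list
     */
    public function securityEnum($field, $enum)
    {
        $value = $this->fetch($field);
        // strict: an enum entry such as "0" must not match "date" by loose comparison
        if (!in_array($value, explode(',', $enum), true)) {
            throw new Exception("Unallowed value in $field field.");
        }
        return (string) $value;
    }

    /**
     * Checks that the value is numeric and lies within the given range.
     *
     * The former version compared against the upper bound only (and had a
     * "$this->tmptmp" typo); both bounds are now enforced.
     *
     * @param string $field key of $_REQUEST
     * @param string $range 'min/max', both numeric, e.g. '0/10'
     * @return int the value cast to int (a float such as "2.5" is truncated to 2, as before)
     * @throws Exception when the field is missing, not numeric, or outside [min, max]
     * @throws InvalidArgumentException when $range is not 'min/max' with numeric bounds
     */
    public function securityRange($field, $range)
    {
        $value = $this->fetch($field);
        if (!is_numeric($value)) {
            throw new Exception("Unallowed characters in $field field.");
        }
        $bounds = explode('/', $range);
        if (count($bounds) !== 2 || !is_numeric($bounds[0]) || !is_numeric($bounds[1])) {
            throw new InvalidArgumentException("Invalid range \"$range\" for $field field.");
        }
        $min = $bounds[0];
        $max = $bounds[1];
        // numeric strings compare numerically, so "9" < "10" holds
        if ($value < $min || $value > $max) {
            throw new Exception('Value must be in range ' . $min . '/' . $max . " in $field field.");
        }
        return (int) $value;
    }

    /**
     * Checks that the value matches the given regexp and that its length
     * does not exceed $maxlength characters.
     *
     * The length is measured on the escaped value, in UTF-8 (the former
     * code referenced an undefined ENCODING constant).
     *
     * @param string $field     key of $_REQUEST
     * @param int    $maxlength maximum number of characters
     * @param string $regexp    mb_ereg() pattern, e.g. one of the REG_* constants
     * @return string the accepted (escaped) value
     * @throws Exception when the field is missing, does not match, or is too long
     */
    public function securityText($field, $maxlength, $regexp)
    {
        $value = $this->fetch($field);
        if (!mb_ereg($regexp, $value)) {
            throw new Exception("Unallowed characters in $field field.");
        }
        if (mb_strlen($value, 'UTF-8') > $maxlength) {
            throw new Exception("Too long string length for $field field.");
        }
        return $value;
    }
}
?>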
Here are some examples of how to use the public methods.
$checkVar = new checkVar();
// Each call throws an Exception as soon as its $_REQUEST entry is missing or
// fails the check, so the array is only assigned once every value passed.
$args = array(
    // must be exactly 1
    'bbexport' => $checkVar->securityBool('bbexport'),
    // unsigned integer of at most 4 digits
    'id'       => (int) $checkVar->securityText('id', 4, REG_DIGIT_UNSIGNED),
    // one of 'date', 'id' or 'name'
    'orderBy'  => $checkVar->securityEnum('orderBy', 'date,id,name'),
    // numeric value (integer or float) between 0 and 10
    'ratio'    => $checkVar->securityRange('ratio', '0/10'),
);
?>