checkVarArray
Some time ago, Vaughan posted in the blog a new method available for sanitizing variables based on their type - checkVar().
Well, rarely are you dealing with 1 variable at a time. Usually, you are trying to handle input from a form or process the variables passed in the URI. So, we needed a way to handle the process with the least amount of effort, building on work already completed in the core. In straight PHP, you have several different filter functions - filter_var(), filter_input(), filter_var_array() and filter_input_array(). We could just as easily have pointed all the developers to those functions and let them figure it out, but we're always trying to lower the barriers, so we've built some special classes and methods for you!
As you can see in the comments below, we have already been having some discussion about the best implementation of this - I had created the method and started the blog post, allowing a few others to see the work in progress. Now, we're ready to share more of this with you.
Handling user input is always a critical task for a secure website. We've stressed this in the forums, in our releases and in blog posts. We really can't emphasize this enough. I am a firm believer in the whitelist approach - rather than trying to imagine all the possible exploits or improperly formatted user inputs, I prefer to define what the valid inputs are and then test against those. You'll notice this when I've worked on a page that accepts and presents information to the visitor. I also strongly believe we should never be using raw inputs anywhere in our code, except when passing them through the filters, and then only to create variables we can work with in other areas of code. This eliminates the uncertainty about the trustworthiness of the data when reviewing code later. For example, I cringe whenever I see something like
$var = $_POST['var'];
Anyway, on to the new method.
Since it builds on Vaughan's checkVar() method, there really isn't anything new in this method - just put all your variables into an array and attach their data types. If you want to use the options available in checkVar, you can do that, too. The only thing that isn't covered right now is if your variable is an array already. That will come.
Here is the documentation for the new method - icms_core_DataFilter::checkVarArray()
/**
 * Filter an array of variables, such as $_GET or $_POST, using a set of filters.
 *
 * Any items in the input array not found in the filter array will be filtered as
 * a string.
 *
 * @param array $input   items to be filtered
 * @param array $filters the keys of this array should match the keys in
 *                       the input array and the values should be valid types
 *                       for the checkVar method
 * @param bool  $strict  when TRUE (default), items not in the filter array will be discarded
 *                       when FALSE, items not in the filter array will be filtered as strings and included
 * @return array
 */
static public function checkVarArray(array $input, array $filters, $strict = TRUE) {
To see how this is used, look in modules/system/admin/banners/main.php -
$filter_post = array(
    'name'       => 'str',
    'cid'        => 'int',
    'imageurl'   => 'url',
    'imptotal'   => 'int',
    'htmlbanner' => 'int',
    'htmlcode'   => 'html',
    'contact'    => 'str',
    'email'      => array('email', 'options' => array(0, 1)),
    'login'      => 'str',
    'passwd'     => 'str',
    'extrainfo'  => 'str',
    'bid'        => 'int',
    'clickurl'   => 'url',
    'op'         => 'str',
    'impadded'   => 'int',
    'fct'        => 'str',
);
$filter_get = array(
    'bid' => 'int',
    'cid' => 'int',
    'fct' => 'str',
    'op'  => 'str',
);
$name = $imageurl = $htmlcode = $contact = '';
$email = $login = $passwd = $extrainfo = $clickurl = $op = '';
$bid = $cid = $imptotal = $htmlbanner = $impadded = 0;
if (!empty($_POST)) {
    $clean_POST = icms_core_DataFilter::checkVarArray($_POST, $filter_post, FALSE);
    extract($clean_POST);
}
if (!empty($_GET)) {
    $clean_GET = icms_core_DataFilter::checkVarArray($_GET, $filter_get, FALSE);
    extract($clean_GET);
}
So, there you have it! You can see by the last 2 if() statements that I assign the results of the method to a new variable whose name indicates I have sanitized the input. That way, I can search for any $_POST and $_GET occurrences and remove them - they should only be in the code where I am sanitizing them.
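To make the strict/non-strict difference concrete, here is an added example that is not ImpressCMS code: a small stand-in for checkVarArray() built directly on PHP's filter_var(), run over a constructed request array. The names demo_checkVar() and demo_checkVarArray() and the filtering rules inside them are assumptions for this illustration, not the core's own implementation.

```php
<?php
// Added example, not the icms_core_DataFilter implementation.
// demo_checkVar() maps the page's type names to PHP's filter_var().
function demo_checkVar($value, $type)
{
    switch ($type) {
        case 'int':
            $v = filter_var($value, FILTER_VALIDATE_INT);
            return $v === false ? 0 : $v;
        case 'url':
            $v = filter_var($value, FILTER_VALIDATE_URL);
            return $v === false ? '' : $v;
        case 'email':
            $v = filter_var($value, FILTER_VALIDATE_EMAIL);
            return $v === false ? '' : $v;
        case 'str':
        default:
            // plain text: drop tags, encode the rest for safe output
            return htmlspecialchars(strip_tags((string) $value), ENT_QUOTES, 'UTF-8');
    }
}

// Same contract as the documented method: keys of $filters name the
// accepted fields; $strict decides what happens to everything else.
function demo_checkVarArray(array $input, array $filters, $strict = TRUE)
{
    $clean = array();
    foreach ($input as $key => $value) {
        if (isset($filters[$key])) {
            $f = $filters[$key];
            // a filter may be array('email', 'options' => ...) as on the page;
            // only the type in element 0 is used in this stand-in
            $type = is_array($f) ? $f[0] : $f;
            $clean[$key] = demo_checkVar($value, $type);
        } elseif (!$strict) {
            // non-strict: unlisted keys are kept, filtered as strings
            $clean[$key] = demo_checkVar($value, 'str');
        }
        // strict (default): unlisted keys are discarded
    }
    return $clean;
}

// constructed sample request; 'extra' is a key the form never defined
$sample_post = array('cid' => '12abc', 'imageurl' => 'not a url',
                     'email' => 'user@example.com', 'extra' => '<b>x</b>');
$filters = array('cid' => 'int', 'imageurl' => 'url', 'email' => 'email');

var_dump(demo_checkVarArray($sample_post, $filters));         // strict
var_dump(demo_checkVarArray($sample_post, $filters, FALSE));  // non-strict
```

Because the banners page calls the method with $strict = FALSE and then extract()s the result, any unlisted key in the request becomes a local variable; whitelisting the keys you actually expect (the default, strict mode) keeps that from happening.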
Always, always, always - sanitize and validate any input in your application! And, we've given you tools to do that - no excuses.