2 /*=====================================================================*\
3 || ###################################################################
4 || # Blue Static ISSO Framework
5 || # Copyright ©2002-[#]year[#] Iris Studios, Inc.
7 || # This program is free software; you can redistribute it and/or modify
8 || # it under the terms of the GNU General Public License as published by
9 || # the Free Software Foundation; version [#]gpl[#] of the License.
11 || # This program is distributed in the hope that it will be useful, but
12 || # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 || # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
16 || # You should have received a copy of the GNU General Public License along
17 || # with this program; if not, write to the Free Software Foundation, Inc.,
18 || # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
19 || ###################################################################
20 \*=====================================================================*/
23 * Input sanitizer (Input.php)
/**
 * Input cleaning type constants, passed to BSInput::clean() and
 * BSInput::inputClean(). Each value is a distinct bit so they never
 * collide; clean() compares against the whole value, not bit-wise.
 */
/** Signed integer: intval() */
define('TYPE_INT', 1);
/** Unsigned integer: intval() with negative results clamped to 0 */
define('TYPE_UINT', 2);
/** Floating point: floatval() */
define('TYPE_FLOAT', 4);
/** Boolean: (bool) cast */
define('TYPE_BOOL', 8);
/** String, as sanitized on input (see clean() for the exact handling) */
define('TYPE_STR', 16);
/** String - deliberate unclean: unsanitize() restores the HTML characters */
define('TYPE_STRUN', 32);
/** No cleaning - here for use in API (only magic-quotes backslashes are stripped) */
define('TYPE_NONE', 64);
/** Macro for using DB->escape_binary() without cleaning - used in API */
define('TYPE_BIN', 128);
75 * This class is responsible for cleaning input.
78 * ISSO_CHECK_POST_REFERER - Will check to make sure that on POSTed
79 * data, the referer matches the host
82 * @copyright Copyright ©2002 - [#]year[#], Blue Static
90 * An array of sanitized variables that have been cleaned for HTML tag openers and double quotes
/**
 * Whether magic_quotes_gpc was on for this request (the value of
 * get_magic_quotes_gpc(), captured in the constructor). Non-zero means
 * GPC values arrived with backslash escaping that the sanitizers undo.
 * @var integer
 */
private $magicquotes = 0;
101 // ###################################################################
/**
 * Constructor: records the magic_quotes_gpc state, sanitizes the
 * request data into Input->in[] and, when ISSO_CHECK_POST_REFERER is
 * defined, verifies that POST requests carry a referer from this host
 */
public function __construct()
{
    // remembered so the sanitizers know whether GPC values carry backslashes
    $this->magicquotes = get_magic_quotes_gpc();
    set_magic_quotes_runtime(0);

    // some debug info that's always useful
    BSRegister::Debug('magic_quotes_gpc = ' . $this->magicquotes);
    BSRegister::Debug('register_globals = ' . ini_get('register_globals'));

    $this->_sanitizeInputData();

    // opt-in referer check, see the class docblock
    $check_referer = defined('ISSO_CHECK_POST_REFERER');
    if ($check_referer)
    {
        $this->_checkPostReferer();
    }
}
123 // ###################################################################
/**
 * Recursive XSS cleaner: walks an array of request data, strips the
 * magic-quotes escaping from single quotes and runs sanitize() on every
 * scalar leaf; nested arrays are descended into with the same treatment
 *
 * @param mixed Unsanitized REQUEST data (an array)
 *
 * @return mixed Sanitized data, same keys as the input
 */
private function _sanitizeDataRecursive($data)
{
    foreach ($data AS $name => $item)
    {
        if (is_array($item))
        {
            $data[$name] = $this->_sanitizeDataRecursive($item);
            continue;
        }

        // with magic_quotes_gpc on, single quotes arrive as \' ; sanitize()
        // deals with the \" form itself. Other escaped characters (e.g. a
        // doubled backslash) are left exactly as they arrived.
        $plain = $this->magicquotes ? str_replace("\'", "'", $item) : $item;
        $data[$name] = $this->sanitize($plain);
    }

    return $data;
}
151 // ###################################################################
/**
 * Simple way to protect against HTML attacks with Unicode support: only
 * the tag delimiters and double quotes are entity-encoded, so multi-byte
 * text passes through untouched. Ampersands are not encoded (use
 * entityEncode() for that) and neither are single quotes, so the result
 * is only safe in element content and double-quoted attributes.
 *
 * @param string Unsanitized text
 *
 * @return string Properly protected text that only encodes potential threats
 */
public function sanitize($text)
{
    $search = array('<', '>', '"');
    $replace = array('&lt;', '&gt;', '&quot;');

    // with magic_quotes_gpc on, double quotes arrive as \" ; map that form
    // to &quot; as well so no stray backslash survives
    if ($this->magicquotes)
    {
        $search = array('<', '>', '\"', '"');
        $replace = array('&lt;', '&gt;', '&quot;', '&quot;');
    }

    return str_replace($search, $replace, $text);
}
171 // ###################################################################
/**
 * Unicode-safe entity encoding system; similar to sanitize() but the
 * ampersand is encoded first, so entities already present in the input
 * are preserved as literal text instead of being interpreted
 *
 * @param string Unsanitized text
 *
 * @return string Unicode-safe sanitized text with entities preserved
 */
public function entityEncode($text)
{
    // & goes first: otherwise the &lt; etc. produced by sanitize() would
    // be encoded a second time
    $with_amps = str_replace('&', '&amp;', $text);

    return $this->sanitize($with_amps);
}
186 // ###################################################################
/**
 * Takes text that has been processed for HTML and unsanitizes it:
 * reverses the three replacements made by sanitize(). &amp; is left
 * alone, so this is not the inverse of entityEncode().
 *
 * @param string Text that needs to be turned back into HTML
 *
 * @return string Unsanitized text
 */
public function unsanitize($text)
{
    $entities = array(
        '&lt;'   => '<',
        '&gt;'   => '>',
        '&quot;' => '"',
    );

    return str_replace(array_keys($entities), array_values($entities), $text);
}
199 // ###################################################################
/**
 * Smart addslashes() that only applies itself if the Magic Quotes GPC
 * is off. This should only be run on database query values that come
 * from ISSO->in[] input; data that needs sanitization should be run
 * through Db->escapeString()
 *
 * @param string Some string
 * @param bool Force magic quotes to be off (default true). When false and
 *             magic quotes are on, the GPC backslashes are stripped before
 *             the database layer escapes the value, so nothing is escaped twice
 *
 * @return string String that has slashes added
 */
public function escape($str, $force = true)
{
    if ($this->magicquotes AND !$force)
    {
        // undo what magic_quotes_gpc did, then let the DB layer escape once
        $stripped = str_replace(array("\'", '\"'), array("'", '"'), $str);
        if (BSRegister::GetType('Db'))
        {
            return BSRegister::GetType('Db')->escapeString($stripped);
        }
        // NOTE(review): the rendered listing skips the lines between the two
        // Db checks; as visible, with no Db layer registered the still-slashed
        // $str falls through to addslashes() below — confirm against the full file
    }

    if (BSRegister::GetType('Db'))
    {
        return BSRegister::GetType('Db')->escapeString($str);
    }

    // fallback when no DB layer is registered; not driver-aware
    return addslashes($str);
}
231 // ###################################################################
/**
 * Runs through all of the input data and sanitizes it, populating
 * Input->in[] from GET, POST and COOKIE. array_merge() lets the later
 * array win on a duplicate string key, so a cookie value overrides a POST
 * or GET value of the same name, and POST overrides GET.
 */
private function _sanitizeInputData()
{
    $request = array_merge($_GET, $_POST, $_COOKIE);
    $this->in = $this->_sanitizeDataRecursive($request);
}
240 // ###################################################################
/**
 * Sanitize function for something other than a string (which
 * everything is sanitized for if you use _sanitizeInputData()). Cleaned
 * data is placed back into Input->in; this makes it so you don't have
 * to constantly intval() [etc.] data.
 *
 * @param array Array of elements to clean as varname => type
 */
public function inputCleanArray($vars)
{
    foreach (array_keys($vars) AS $varname)
    {
        $this->inputClean($varname, $vars[$varname]);
    }
}
257 // ###################################################################
/**
 * Sanitize function that does a single variable as opposed to an array
 * (see inputCleanArray() for more details). A variable that is absent
 * from Input->in[] is created there, holding whatever clean() makes of
 * null for the given type.
 *
 * @param string Variable name in ISSO->in[]
 * @param integer Sanitization type constant
 *
 * @return mixed The cleaned value now stored in Input->in[]
 */
public function inputClean($varname, $type)
{
    $raw = isset($this->in["$varname"]) ? $this->in["$varname"] : null;
    $this->in["$varname"] = $this->clean($raw, $type);

    return $this->in["$varname"];
}
279 // ###################################################################
/**
 * Runs Input->escape() on a variable on Input->in[]. This is just a
 * short-hand wrapper so that queries can be shortened. When this is used,
 * the actual value in Input->in[] is not changed, only the return value
 * is escaped. escape() is called with its default $force, so magic quotes
 * are treated as off.
 *
 * @param string Input variable
 *
 * @return string Escaped input (a missing variable is escaped as null)
 */
public function inputEscape($varname)
{
    $value = null;
    if (isset($this->in["$varname"]))
    {
        $value = $this->in["$varname"];
    }

    return $this->escape($value);
}
302 // ###################################################################
/**
 * Cleaning function that does the work for inputClean(); this is
 * moved here so it can be used to clean things that aren't in
 * Input->in[]. Arrays are cleaned element by element with the same type.
 *
 * @param mixed Value to clean (scalar, or an array of them)
 * @param integer Sanitization type constant (one of the TYPE_* values)
 *
 * @return mixed Cleaned data
 *
 * @throws Exception if $type is not one of the TYPE_* constants
 */
public function clean($value, $type)
{
    if (is_array($value))
    {
        return $this->_cleanArray($value, $type);
    }

    // loose (==) comparison, as in an else-if chain; the first matching
    // case wins
    switch ($type)
    {
        case TYPE_INT:
            $value = intval($value);
            break;

        case TYPE_UINT:
            // negative input clamps to 0 rather than being rejected
            $number = intval($value);
            $value = ($number < 0) ? 0 : $number;
            break;

        case TYPE_FLOAT:
            $value = floatval($value);
            break;

        case TYPE_BOOL:
            // plain (bool) cast: '0' and '' are false, any other non-empty
            // string (including 'false') is true
            $value = (bool)$value;
            break;

        case TYPE_STR:
            // NOTE(review): the rendered listing drops this branch's single
            // statement; reproduced as a pass-through of the already
            // sanitized string — TODO confirm against the original file
            break;

        case TYPE_STRUN:
            $value = $this->unsanitize($value);
            break;

        case TYPE_NONE:
            // only the magic-quotes backslashes are removed; no HTML
            // protection is applied here, hence "for use in API"
            if ($this->magicquotes)
            {
                $value = str_replace(array('\"', "\'"), array('"', "'"), $value);
            }
            break;

        case TYPE_BIN:
            // NOTE(review): the rendered listing drops this branch's single
            // statement; the TYPE_BIN constant's comment says it defers to
            // the DB layer's binary escaping — TODO restore from the original
            // file, as this pass-through applies no escaping at all
            break;

        default:
            throw new Exception('Invalid clean type specified in BSInput::clean()');
    }

    return $value;
}
368 // ###################################################################
/**
 * Recursion function for Input->clean(): applies clean() with the same
 * type to every element; nested arrays are handled by clean() itself
 *
 * @param array Uncleaned array
 * @param integer Sanitization type constant
 *
 * @return array Cleaned array of data, keys preserved
 */
private function _cleanArray($array, $type)
{
    $cleaned = array();
    foreach ($array AS $key => $item)
    {
        $cleaned[$key] = $this->clean($item, $type);
    }

    return $cleaned;
}
387 // ###################################################################
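/**
 * Returns the lowercase version of the HTTP method (post or get)
 *
 * @return string HTTP method, 'get' or 'post'
 *
 * @throws Exception if REQUEST_METHOD is anything else (HEAD, PUT, ...)
 *                   or is not set at all
 */
public function getHttpMethod()
{
    // a missing REQUEST_METHOD should raise the exception below, not an
    // undefined-index notice: treat it as the empty string
    $raw = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    $method = strtolower($raw);

    // strict comparison: this allow-list is the whole point of the method
    if (!in_array($method, array('get', 'post'), true))
    {
        throw new Exception('Invalid server request method: ' . $method);
    }

    return $method;
}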
403 // ###################################################################
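/**
 * Checks to see if a POST referer is actually from us: on a POST request,
 * the host (plus explicit port) of the Referer header is compared with
 * this request's HTTP_HOST and an exception is thrown when they differ.
 * Only run when ISSO_CHECK_POST_REFERER is defined (see the constructor).
 *
 * The check is skipped, with only a debug message, whenever HTTP_HOST or
 * the Referer header is absent, and the Referer is supplied by the client;
 * it raises the bar for cross-site POSTs but is not a substitute for a
 * per-request token.
 *
 * @throws Exception if the referer names a host other than ours
 */
private function _checkPostReferer()
{
    if ($this->getHttpMethod() != 'post')
    {
        return;
    }

    // prefer the server variable, fall back to the environment; isset()
    // guards avoid notices when neither is present
    $host = '';
    if (!empty($_SERVER['HTTP_HOST']))
    {
        $host = $_SERVER['HTTP_HOST'];
    }
    else if (isset($_ENV['HTTP_HOST']))
    {
        $host = $_ENV['HTTP_HOST'];
    }
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    if (!$host || !$referer)
    {
        BSRegister::Debug('remote post check = FAILED');
        return;
    }

    // parse_url() returns false on a badly-formed referer and omits 'host'
    // for a relative one; both are a mismatch, not "no host"
    $parts = parse_url($referer);
    if (!is_array($parts) || !isset($parts['host']))
    {
        throw new Exception('No external hosts are allowed to POST to this application');
    }
    $ourhost = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');

    // host names are case-insensitive, so compare them that way
    if (strtolower($ourhost) != strtolower($host))
    {
        throw new Exception('No external hosts are allowed to POST to this application');
    }

    BSRegister::Debug('remote post check = ok');
}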
433 /*=====================================================================*\
434 || ###################################################################
437 || ###################################################################
438 \*=====================================================================*/