I have my first fully functioning PHP website almost ready to go live, except I haven't allowed for filtering out HTML and script tags from my forms, form fields and URLs.
User input has been validated to match my criteria, values are escaped before database entry.
I was generally considering using preg_match against different regexes to filter HTML and script tags, and some of my forms already have this in place on validation (all PHP), but for the rest of the filtering I have some queries, concerns and questions regarding PHP's filter_var for sanitization.
Firstly:
My free text fields need work.
I need to allow users to be able to type a description with the use of general punctuation.
Would this work: (not sure if the regex is right and if this is the best way to approach the filtering)
// if isset POST textfield
// allow only letters, numbers, general punctuation and limit to 265 chars
$check = "/^[a-zA-Z0-9\s.,-]{1,265}$/";
if (preg_match($check, $_POST['textfield'])) {
    // allow
} else {...
Or is there a better way to do this with filter_var? Would this allow users to type what they needed and just remove anything that is a threat, such as:
// if isset POST textfield
$var = $_POST['textfield'];
$var = filter_var($var, FILTER_SANITIZE_STRING);
// then check matches my criteria
// if ok enter into database
Secondly:
On URLs where variables are passed, is it enough to filter the variables using one of the above methods? This would actually only be using a check for numbers or letters for my variables (not punctuation). Or again, is there a better way to do this with filter_var? OR am I misunderstanding the filter_var function? It seems to be too easy; does it really get rid of all the bad stuff?
if (isset($_GET['var1'])) {
    $var1 = filter_var($_GET['var1'], FILTER_SANITIZE_URL);
}
// then continue with code
Finally, again regarding URLs: even if variables are not passed when a page is loaded, should I be checking that the URL is just the URL? And how would I do this? Using filter_var?
As always any help is much appreciated.
Thank you in advance.
Since the information is coming from the $_POST and $_GET arrays, use filter_input().
If you're checking $_POST['textfield']:
$sanitized = filter_input(INPUT_POST, 'textfield', FILTER_SANITIZE_STRING);
$sanitized contains the string stripped of all tags.
If you're checking var1 passed through the $_GET array:
$clean_var1 = filter_input(INPUT_GET, 'var1', FILTER_SANITIZE_STRING);
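Added example, not code from either poster in this thread: it handles the same two inputs with filter_input(), rejecting rather than sanitizing (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1), and escapes at output time with htmlspecialchars(). It assumes the field names 'textfield' and 'var1' from the question, and that var1 is a positive integer.

```php
<?php
// Added example (not from either poster): validate the question's two inputs
// with filter_input() and a whitelist regex, then escape at output time.
// Field names 'textfield' and 'var1' come from the question; treating var1
// as a positive integer is an assumption.
declare(strict_types=1);

// Free-text description: letters, digits, whitespace and general punctuation,
// 1 to 265 characters. Returns null when the value is missing or off-policy.
// The hyphen is last in the class so it is literal; /D stops $ from matching
// before a trailing newline.
function validateDescription(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return preg_match('/^[a-zA-Z0-9\s.,;:!?\'"()-]{1,265}$/D', $raw) === 1 ? $raw : null;
}

// URL parameter: a validate filter returns the integer, or false when the
// value is not an in-range integer (e.g. "12abc" or "<script>"), so nothing
// that is not a number ever reaches the query.
function validateRef(mixed $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    return $n === false ? null : $n;
}

// Read straight from the request arrays; null means the field was absent.
$description = validateDescription(filter_input(INPUT_POST, 'textfield'));
$ref = validateRef(filter_input(INPUT_GET, 'var1'));

if ($description === null || $ref === null) {
    http_response_code(400);       // reject rather than silently rewrite input
    exit('Invalid input');
}

// Database: bind parameters instead of escaping; $pdo is a placeholder.
// $stmt = $pdo->prepare('INSERT INTO items (ref, description) VALUES (?, ?)');
// $stmt->execute([$ref, $description]);

// Output: HTML-escape when echoing. This is what stops stored text from
// running as script in the page, whatever the input filter let through.
echo '<p>' . htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
```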
Fantastic, thank you so much for that. It will make work so much easier than trying to whitelist each POST and GET input.
Regarding the last point in my message, is any new page that loads (when there is no input from POST or GET) still vulnerable to attack? As in, do I have to check that the URL is the expected URL? And if so, how would I go about doing this, OR is it just the case that input is what needs filtering?
Again thank you, you always send me off in the right direction.
You once explained to me how to echo my variables to debug my script (back when I first started with PHP), one of the most useful and well-used pieces of advice ever!!!
Normally, it's just input that needs filtering.
Yes, using echo to view variables is a simple way of retaining at least some of your sanity when trying to work out what's gone wrong.
Thank you
Not sure I have retained my sanity, but your help is very much appreciated. If you ever work out a way to transfer your PHP knowledge to my brain - well, just do it!