[PopSmith]

I have been looking at End Users' script for sanitizing data and was wondering how to use it. I have a general idea but I'm not sure if it is correct.

I am planning on having a "Coming soon" image (which I haven't made yet) on my temporary homepage as well as some text that says "If you would like us to email you when the site is launched fill out the form below."

I also plan on adding BotScout and ReCAPTCHA to this once I get it working to help prevent spambots from attacking the site.

I intend on having the only mandatory field be their email address with their first and last name being optional. So far here is what I've come up with, although I am pretty sure I've screwed up somewhere, which is why I am asking for help with it.

The reason I don't have the image linked, or the code for ReCAPTCHA/BotScout is because I figured I should K.I.S.S. and try to get the base of it working first.

Main page:

php Code:

<?php include('./includes/stuff/sanitize.php');
include('./includes/stuff/constants.php');?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Coming Soon!</title>
</head>
 
<body>
The site will be launching soon!
<p>If you would like us to email you when the site is launched fill out the form below.</p>
<?php
if (isset($_POST&#91;'submitted'])) {      
        require_once('MYSQL');
        
        //Sanitize data
        $c_fname = sanitize(3, 20, $_POST&#91;'first_name']);
        $c_lname = sanitize(3, 40, $_POST&#91;'last_name']);
        $c_email = sanitize(5, 50, $_POST&#91;'email']);
        
        if (empty($c_email)) {
            echo '<p>Please enter your email address.</p>';
        } elseif (!empty($c_email)) {
            $access = "SELECT email FROM customers WHERE email='$c_email'"
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        }
        
        //Insert information if email is unique:
        if (mysqli_num_rows($r) == 0) {
            $access = "INSERT INTO customers (email) VALUES ('$c_email')";
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
} else {
    echo '<p>Your email address could not be recorded due to an error, please try again.</p>';
}
mysqli_close($dbc);
?>
<form action="sanitize.php" method="post">
<fieldset>
<p><b>First name:</b> <input type="text" name="first_name" size="20" maxlength="15" value="<?php if(isset($cleaned_fname)) echo $c_fname; ?>" /></p>
 
<p><b>Last name:</b> <input type="text" name="last_name" size="20" maxlength="25" value="<?php if(isset($cleaned_lname)) echo $c_lname; ?>" /></p>
 
<p><b>Email Address:</b> <input type="text" name="email" size="30" maxlength="50" value="<?php if(isset($cleaned_email)) echo $c_email; ?>" /></p>
 
<div class="center"><input type="submit" name="submit" value="Register" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</form>
</body>
</html> 

I don't have the spacing between forum fields (other than the paragraph tags) like I do above, I just did that so it would be easier to read.

Sanitize (which is End Users' code):

php Code:

<?php 
 
//////////////////////////////////////////// 
// input sanitizer function - LDM 2008 
 
function sanitize($dtype, $dlen, $data){ 
 
// dtype 1: allow numbers, space, and '-'  
// dtype 2: allow alpha and spaces only 
// dtype 3: allow alphanumeric, spaces, period, and '-' 
// dtype 4: allow alphanumeric w/ all punctuation  
// dtype 5: email validation chars  
// dlen: data length limit, '0' = no length limit
/////////////////////////////////////////////////////////////
// Example- allow numbers and letters up to 50 chars in the variable "$foo"
// $foo = sanitize(2, 50, $_POST['name']);
/////////////////////////////////////////////////////////////
 
    // special cleanups 
    $data = preg_replace("/x1a/",'', $data); 
    $data = preg_replace("/x00/",'', $data); 
 
    // the 2 tests above may not be needed due to this more complete test 
    $data = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $data); 
 
    $data = preg_replace("|\.\./|",'', $data); // stop directory traversal 
    $data = preg_replace("/--/",' - ', $data); // stop mySQL comments 
    $data = preg_replace("/%3A%2F%2F/",'', $data); // stop B64 encoded '://' 
 
     
// new, added 8-31-2008 ///////////////////////////////// 
////////// START NEW TESTS 08-31-2008 //////////////////////////////////////// 
 
// Remove Null Characters 
// This prevents sandwiching null characters 
// between ascii characters, like Java\0script. 
    $data = preg_replace('/\0+/', '', $data); 
    $data = preg_replace('/(\\\\0)+/', '', $data); 
 
  
// Validate standard character entities 
// Add a semicolon if missing.  We do this to enable 
// the conversion of entities to ASCII later. 
    $data = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"\\1;",$data); 
         
// Validate UTF16 two byte encoding (x00) 
// Just as above, adds a semicolon if missing. 
    $data = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"\\1\\2;",$data); 
 
 
// URL Decode 
// Just in case stuff like this is submitted: 
// <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a> 
// Note: Normally urldecode() would be easier but it removes plus signs 
    $data = preg_replace("/([a-z0-9]{3})/i", "&#x\\1;", $data); 
    $data = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $data);         
                 
 
// Convert character entities to ASCII 
// This permits our tests below to work reliably. 
// We only convert entities that are within tags since 
// these are the ones that will pose security problems. 
    if (preg_match_all("/<(.+?)>/si", $data, $matches)) {         
        for ($i = 0; $i < count($matches&#91;'0']); $i++) { 
            $data = str_replace($matches&#91;'1'][$i], 
                html_entity_decode($matches&#91;'1'][$i], ENT_COMPAT, $charset), $data); 
        } 
    } 
     
 
// Convert all tabs to spaces 
// This prevents strings like this: ja    vascript 
// Note: we deal with spaces between characters later.     
    $data = preg_replace("#\t+#", " ", $data); 
     
 
// Makes PHP tags safe 
// Note: XML tags are inadvertently replaced too: 
//    <?xml 
// But who cares, only terrorists use XML. :)      
    $data = str_replace(array('<?php', '<?PHP', '<?', '?>'),  array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $data); 
     
 
// Compact any exploded words 
// This corrects words like:  j a v a s c r i p t 
// These words are compacted back to their correct state.     
    $words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window'); 
    foreach ($words as $word) { 
        $temp = ''; 
        for ($i = 0; $i < strlen($word); $i++) { 
            $temp .= substr($word, $i, 1)."\s*"; 
        } 
     
        $temp = substr($temp, 0, -3); 
        $data = preg_replace('#'.$temp.'#s', $word, $data); 
        $data = preg_replace('#'.ucfirst($temp).'#s', ucfirst($word), $data); 
    } 
 
 
// Remove disallowed Javascript in links or img tags     
    $data = preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $data); 
    $data = preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si","", $data); 
    $data = preg_replace("#<(script|xss).*?\>#si", "", $data); 
 
// Remove JavaScript Event Handlers 
// Note: This code is a little blunt.  It removes 
// the event handler and anything up to the closing >, 
// but it's unlikely to be a problem. 
 
    $data = preg_replace('#(<[^>]+.*?)(onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)[^>]*>#iU',"\\1>",$data); 
 
 
// Sanitize naughty HTML elements 
// If a tag containing any of the words in the list 
// below is found, the tag gets converted to entities.    
// So this: <blink> 
// Becomes: &lt;blink&gt;     
    $data = preg_replace('#<(/*\s*)(alert|vbscript|javascript|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss|lowsrc)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $data); 
             
 
// Sanitize naughty scripting elements 
// Similar to above, only instead of looking for 
// tags it looks for PHP and JavaScript commands 
// that are disallowed.  Rather than removing the 
// code, it simply converts the parenthesis to entities 
// rendering the code un-executable. 
// For example:    eval('some code') 
// Becomes:        eval('some code') 
    $data = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2(\\3)", $data); 
                                             
// Final clean up 
// This adds a bit of extra precaution in case 
// something got through the above filters 
    $bad = array( 
            'document.cookie'    => '', 
            'document.write'    => '', 
            'window.location'    => '', 
            "javascript\s*:"    => '', 
            "Redirect\s+302"    => '', 
            '<!--'            => '&lt;!--', 
            '-->'            => '--&gt;' 
    ); 
     
    foreach ($bad as $key => $val)    { 
            $data = preg_replace("#".$key."#i", $val, $data); 
    } 
 
////////// END NEW TESTS ///////////////////////////////////////////////////// 
 
 
 
    if($dlen != '0'){ 
        $data = substr($data, 0, $dlen); 
    } 
 
    if($dtype == '1'){ 
        // allow only numeric characters, space, period, and '-'  
        $data = preg_replace("/[^0-9\-\ \.]/",'', $data); 
    } 
     
    if($dtype == '2'){ 
        // allow only alpha characters, '_' and space  
        $data = preg_replace("/[^a-zA-Z~\ \_]/",'', $data); 
    } 
     
    if($dtype == '3'){ 
        // allow only alphanumeric characters, space, '_', period, colon, and '-' 
        $data = preg_replace("/[^0-9a-zA-Z~\-\ \.\:\_]/",'', $data); 
    } 
     
    if($dtype == '4'){ 
        // allow only alphanumeric characters w/ punctuation + carriage returns 
        $data = preg_replace("|[^0-9a-zA-Z~@#$%=:;_, \\n\\\!\^&\*\(\)\-\+\.\?\/\'\"]|",'', $data); 
    } 
 
    if($dtype == '5'){ 
        // specifically for email validation  
        $data = preg_replace("|[^0-9a-zA-Z@_\-\.]|",'', $data); 
    } 
 
    $data = trim($data); 
 
    return $data; 
} 
// end sanitize  
//////////////////////////////////////////// 
 
 
?> 

constants.php Code:

<?phpdefine('BASE_URL', 'http://mywebsite.com');define('MYSQL', '../SQL/mysqli_connect.php');?>

and, finally, mysqli_connect.php I edited the user information in the script below to random stuff:

php Code:

<?php
//Set database access information:
DEFINE('DB_USER', '**********');
DEFINE('DB_PASSWORD', '********');
DEFINE('DB_HOST', 'localhost');
DEFINE('DB_NAME', 'blah');
 
//Attempt to connect to MySQL
$dbc = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (!$dbc) {
    trigger_error('Could not connect to MySQL: ' . mysqli_connect_error() );
}
?> 

Again the reason I am even posting this is because I am not sure how to use End Users' script and would like to in order to help prevent my server from being hijacked.

[wirehopper]

I use sanitize for inputs that can't be validated - like textareas or strings where the user can type anything they want to.

For other inputs, all data must be valid.

[End User]

Looks like you're using it correctly to me. What part are you having trouble with?

PHP Code:

$c_fname = sanitize(3, 20, $_POST['first_name']);
$c_lname = sanitize(3, 40, $_POST['last_name']);
$c_email = sanitize(5, 50, $_POST['email']); 


[PopSmith]

Quote:

Originally Posted by End User

Looks like you're using it correctly to me. What part are you having trouble with?

PHP Code:

$c_fname = sanitize(3, 20, $_POST['first_name']);
$c_lname = sanitize(3, 40, $_POST['last_name']);
$c_email = sanitize(5, 50, $_POST['email']); 


I haven't actually put it up on my server yet, though I will be doing that in a few hours. I just wanted to get some sort of confirmation that it was at least somewhat correct before it goes "live".

I will test it out after I upload it and if it gives me problems I'll report back.

[wirehopper]

It is 'somewhat correct', but you need to validate it as well as sanitize.

Sanitize will protect your server, application, and data - but it won't ensure the email address is valid. You need to test for a valid email address before letting it go live.

[PopSmith]

@wirehopper,

OK I will look around and see what I can find on validation around here as well as the web.

I assume that one should sanitize the input and then validate it to make sure it's still valid after it's sanitized, correct?

[End User]

Quote:

Originally Posted by PopSmith

I assume that one should sanitize the input and then validate it to make sure it's still valid after it's sanitized, correct?

Correct. Clean it and then check it to make sure it's legit data. Here's some simple email validation code:

PHP Code:

function isValidEmail( $email = null ){
    return preg_match( "/^
    [\d\w\/+!=#|$?%{^&}*`'~-]
    [\d\w\/\.+!=#|$?%{^&}*`'~-]*@
    [A-Z0-9]
    [A-Z0-9.-]{1,61}
    [A-Z0-9]\.
    [A-Z]{2,6}$/ix", $email );
}
?> 


Or:

PHP Code:

function checkEmail($email) {
    if (ereg("^[a-zA-Z0-9][a-zA-Z0-9_\.\-]*[@][a-zA-Z0-9\.\-]*[\.][a-zA-Z]{2,4}$", $email)) {
        return TRUE;
    } else {
        return FALSE;
    }
}
?> 


[PopSmith]

Thanks for the validation stuff, End User.

I experimented with that code and so here is my index.php file again. I just want to make sure that I'm using, and understanding, the usage of preg_match correctly.

I've gathered that preg_match checks whatever variable is listed after the comma against the specified parameters. For my $c_fname variable it would only be returned to the form if it contains only upper or lowercase A-Z as well as periods and dashes. It also must be between 1 and 15 characters as dictated by the {1,15}.

php Code:

<?php include('../includes/stuff/sanitize.php');
include('../includes/stuff/constants.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Coming Soon!</title>
</head>
 
<body>
We are hard at work getting the site up and running! We are hoping to get running by early December!
<p>If you would like us to notify you when we get setup fill out the form below with your name and email address.</p>
<?php
if (isset($_POST&#91;'submitted'])) {
        require_once('MYSQL');
        
        //Sanitize data before validation
        $c_fname = sanitize(3, 15, $_POST&#91;'first_name']);
        $c_lname = sanitize(3, 25, $_POST&#91;'last_name']);
        $c_email = sanitize(5, 60, $_POST&#91;'email']);
        $c_email_2 = sanitize(5, 60, $_POST&#91;'email_2']);
        
        //Validate the first name
        return preg_match("/^
        [a-zA-Z]
        [a-zA-Z.-]{1,15}$/ix", $c_fname );
        
        //Validate last name
        return preg_match("/^
        [a-zA-Z]
        [a-zA-Z-]{1,25}$/ix", $c_lname);
        
        //Is the email valid and not empty?
        if (empty($c_email && $c_email_2)) {
            echo '<p>Please enter your email address.</p>';
        } else if ($c_email != $c_email_2) {
            echo '<p>The email fields do not match. Please confirm them again.</p>';
        } else {
            function isValidEmail( $c_email = null ) {
            return preg_match( "/^ 
            [\d\w\/+!=#|$?%{^&}*`'~-] 
            [\d\w\/\.+!=#|$?%{^&}*`'~-]*@ 
            [A-Z0-9] 
            [A-Z0-9.-]{1,60} 
            [A-Z0-9]\. 
            [A-Z]{2,6}$/ix", $c_email );
                }
        }
 
        (!empty($c_email) && $c_email == $c_email_2) {
            $access = "SELECT email FROM customers WHERE email='$c_email'"
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        }
        
        //Insert information if email is unique:
        if (mysqli_num_rows($r) == 0) {
            $access = "INSERT INTO customers (email) VALUES ('$c_email')";
            $r = mysqli_query($dbc, $access) or trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error($dbc));
        } else {
            echo '<p>Your email address could not be recorded due to an error, please try again.</p>';
}
mysqli_close($dbc);
?>
<form action="sanitize.php" method="post">
<fieldset>
<p><b>First name:</b> <input type="text" name="first_name" size="20" maxlength="15" value="<?php if(isset($c_fname['first_name'])) echo $c_fname['first_name']; ?>" /></p>
<p><b>Last name:</b> <input type="text" name="last_name" size="20" maxlength="25" value="<?php if(isset($c_lname['last_name'])) echo $c_lname['last_name']; ?>" /></p>
<p><b>Email Address:</b> <input type="text" name="email" size="30" maxlength="60" value="<?php if(isset($c_email['email'])) echo $c_email['email']; ?>" /> (Required)</p>
<p><b>Confirm email address:</b> <input type="text" name="email_2" size="30" maxlength="60" value="<?php if(isset($c_email_2['email_2'])) echo $c_email_2['email_2']; ?>" /> (Required)</p>
<br />
</fieldset>
<div class="center"><input type="submit" name="submit" value="Register" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</form>
</body>
</html> 

[End User]

Quote:

Originally Posted by PopSmith

For my $c_fname variable it would only be returned to the form if it contains only upper or lowercase A-Z as well as periods and dashes. It also must be between 1 and 15 characters as dictated by the {1,15}.

With this usage:

$c_fname = sanitize(3, 15, $_POST['first_name']);

....the '15' means it will truncate anything over 15 chars long. No minimum length is enforced.
The '3' means it'll pass numbers and letters, with a couple of other chars:

// allow only alphanumeric characters, space, '_', period, colon, and '-'
$data = preg_replace("/[^0-9a-zA-Z~\-\ \.\:\_]/",'', $data);

[PopSmith]

I was looking over my previous response and realized that I didn't make any sense, compared to what I really meant to ask about.

I am actually looking for clarification on the preg_match function as I used here:

php Code:

//Validate the first name
return preg_match("/^
[a-zA-Z]
[a-zA-Z._]{1,15}$/ix", $c_fname ); 

I am thinking that my above use of preg_match would validate that the $c_fname variable, which is the sanitized output of the variable $first_name, contains only characters a-z in either upper or lower case as well as the period or underscore. The {1,15} would limit the preg_match to between 1 and 15 characters.

However, I could (and probably am) wrong in my thinking.