The Artima Developer Community

PHP Buzz Forum
PHP Security - Ideas for Building a HttpRequest Class

Pure-PHP

Posts: 20
Nickname: purephp
Registered: Mar, 2005

Pure-PHP is a kind of blog about PHP and unconventional methods to boost PHP apps
PHP Security - Ideas for Building a HttpRequest Class Posted: Mar 19, 2005 3:16 AM

This post originated from an RSS feed registered with PHP Buzz by Pure-PHP.
Original Post: PHP Security - Ideas for Building a HttpRequest Class
Feed Title: Pure PHP - PHP unconventional
Feed URL: http://www.iran-fun.com/
Feed Description: Unconventional methods to boost PHP apps

First of all, PHP is secure, and I am neither the only nor the first one to write that. Many PHP apps have seemed to be insecure recently. That has nothing to do with PHP at all. First, no other programming language is so exposed to the "evils" (sorry ;-)) outside; second, because PHP is so easy to learn, some developers had no programming experience before writing apps in PHP. Therefore the security problems of the popular phpBB were a good lesson for the PHP community.

I have the idea of writing an HttpRequest class that every developer can use. Here are the basics, and I would be glad to get your ideas.

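<?php

// Typed accessors for request parameters: each getter returns the value
// coerced to, or validated against, the type the caller expects.
class HttpRequest {
    protected $params = array();

    function __construct() {
        $this->params = &$_REQUEST;
    }

    // Raw value as a string; missing keys and array values (id[]=1) give null.
    protected function raw($k) {
        if (isset($this->params[$k]) && is_scalar($this->params[$k])) {
            return strval($this->params[$k]);
        }
        return null;
    }

    function getInt($k) {
        return intval($this->raw($k));
    }

    function getString($k) {
        return strval($this->raw($k));
    }

    // Returns the value only if it is purely alphanumeric, otherwise null.
    function getAlNum($k) {
        $value = $this->raw($k);
        if ($value !== null && ctype_alnum($value)) {
            return $value;
        } else {
            return null;
        }
    }

    // addslashes() knows nothing about the database or its character set;
    // the driver's own escaping or a prepared statement is the reliable choice.
    function getSqlEscaped($k) {
        return addslashes(strval($this->raw($k)));
    }

    //more to be done
    // Placeholder: addslashes() does not neutralize HTML, and $allowedTags
    // is not used yet.
    function getXSSCleaned($k, $allowedTags = "") {
        return addslashes(strval($this->raw($k)));
    }

    // Returns the lower-cased address if it matches the pattern, otherwise null.
    function getEmail($k) {
        $email = strtolower(strval($this->raw($k)));
        if (!preg_match("/^([_[:alnum:]-]+)(\.[_[:alnum:]-]+)*@([[:alnum:]])([[:alnum:]\.-]+)([[:alnum:]])\.([[:alpha:]]{2,4})$/", $email)) {
            return null;
        } else {
            return $email;
        }
    }

    function getFloat($k) {
        return floatval($this->raw($k));
    }

    function getDouble($k) {
        return doubleval($this->raw($k));
    }
}

// One subclass per superglobal, so the caller states where a value must come from.
class httpCookie extends HttpRequest {
    function __construct() {
        $this->params = &$_COOKIE;
    }
}

class httpGET extends HttpRequest {
    function __construct() {
        $this->params = &$_GET;
    }
}

class httpPOST extends HttpRequest {
    function __construct() {
        $this->params = &$_POST;
    }
}

?>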

usage:

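<?php

$post = new httpPOST();

// getAlNum() returns null when "id" is missing or not alphanumeric.
if ($post->getAlNum("id") === null) {
    echo "invalid id";
}

// getInt() always yields an integer, so it can be concatenated into the query.
$id = $post->getInt("id");
if ($id) {
    $query = "SELECT * FROM table WHERE id = " . $id;
}

$query = "INSERT INTO Table (msg) VALUES ('" . $post->getSqlEscaped("msg") . "')";
?>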

Write your ideas for (other) methods.
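An added example, not part of the original post: the same typed-getter idea on current PHP, with strict validation at input, a PDO prepared statement where the post uses addslashes(), and htmlspecialchars() at output where the post plans an XSS-cleaning getter. The class name SafeRequest, the $sample array and the in-memory SQLite table are assumptions made for illustration; PHP 8 with pdo_sqlite is assumed.

```php
<?php
// Added example, not from the original post. SafeRequest, $sample and the
// "messages" table are hypothetical names; requires PHP 8 and pdo_sqlite.
class SafeRequest {
    public function __construct(private array $params) {}

    // Missing keys and array values (id[]=1) become null instead of a warning.
    private function raw(string $k): ?string {
        $v = $this->params[$k] ?? null;
        return is_string($v) ? $v : null;
    }

    // Unlike intval(), rejects "42 OR 1=1" instead of truncating it to 42.
    public function getInt(string $k): ?int {
        $v = filter_var($this->raw($k), FILTER_VALIDATE_INT);
        return $v === false ? null : $v;
    }

    public function getEmail(string $k): ?string {
        $v = filter_var($this->raw($k), FILTER_VALIDATE_EMAIL);
        return $v === false ? null : strtolower($v);
    }

    // Returned unmodified: escaping belongs to the output context, not the input.
    public function getString(string $k): ?string {
        return $this->raw($k);
    }
}

// Constructed sample input standing in for $_POST.
$sample = ['id' => '42', 'bad_id' => '42 OR 1=1', 'msg' => "O'Reilly <b>hi</b>"];
$req = new SafeRequest($sample);
if ($req->getInt('bad_id') === null) {
    echo "bad_id rejected\n";
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, msg TEXT)');

// SQL context: values are bound, so the quote in msg cannot end the literal.
$ins = $pdo->prepare('INSERT INTO messages (id, msg) VALUES (:id, :msg)');
$ins->execute([':id' => $req->getInt('id'), ':msg' => $req->getString('msg')]);

// HTML context: escape at output time with htmlspecialchars().
$sel = $pdo->prepare('SELECT msg FROM messages WHERE id = :id');
$sel->execute([':id' => $req->getInt('id')]);
echo htmlspecialchars($sel->fetchColumn(), ENT_QUOTES, 'UTF-8'), "\n";
```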
