
Ward class

September 29th, 2009

This post is about one of the defensive techniques available in PHP. In every web application you have to treat whatever the user sends you as untrusted before it is processed and written to a MySQL database.
Today I want to introduce a small class that I currently use in the CMS I am working on. One way or another you always have to secure your portal, or even a small script. The following code defines a class named ward with four methods that check incoming strings and strip characters they should not contain.

/*
| -------------------------------------------------------------------
| Ward Class , Consists Of Four Functions
| Coded by Sc0rpion <> http://www.sc0rpion.ir
| |
| |
| + -> filtering()  : TRUE if the string contains a blacklisted term
| + -> valid_str()  : TRUE if the string is made only of [0-9a-zA-Z_-]
| + -> clear_str()  : strips tags and special chars, then escapes for MySQL
| + -> scape()      : escapes for a quoted MySQL string literal
| -------------------------------------------------------------------
| Written against PHP 5.2: the mysql_* functions and get_magic_quotes_gpc()
| used below were removed in PHP 7 and PHP 8 respectively.
| -------------------------------------------------------------------
*/

class ward
{
        public $input;   // the last string handed to any of the methods

/*
| -------------------------------------------------------------------
| Blacklist Check ( Detects , Does Not Remove )
| -------------------------------------------------------------------
*/

        function filtering ( $str )
        {
        $this -> input = $str;
        // strstr() gives FALSE when the needle is absent, and FALSE != '' is false in PHP,
        // so each line is TRUE only when that term occurs (case-insensitively) in the input.
        if (
        strstr ( strtolower ( $this -> input ) , ';' ) != ''
        or strstr ( strtolower ( $this -> input ) , "'" ) != ''
        or strstr ( strtolower ( $this -> input ) , "*" ) != ''
        or strstr ( strtolower ( $this -> input ) , "/" ) != ''
        or strstr ( strtolower ( $this -> input ) , "union" ) != ''
        or strstr ( strtolower ( $this -> input ) , "order" ) != ''
        or strstr ( strtolower ( $this -> input ) , "+" ) != ''
        or strstr ( strtolower ( $this -> input ) , "http" ) != ''
        or strstr ( strtolower ( $this -> input ) , "ftp" ) != ''
        or strstr ( strtolower ( $this -> input ) , "`" ) != ''
        or strstr ( strtolower ( $this -> input ) , "-" ) != ''
        or strstr ( strtolower ( $this -> input ) , ")" ) != ''
        or strstr ( strtolower ( $this -> input ) , "(" ) != ''
        or strstr ( strtolower ( $this -> input ) , ".." ) != ''
        or strstr ( strtolower ( $this -> input ) , "concat" ) != ''
        )
                {
                        return TRUE;
                }
        return FALSE;   // nothing on the list was found
        }

/*
| -------------------------------------------------------------------
| Checking The Validation Of String ( URL )
| -------------------------------------------------------------------
*/

        function valid_str ( $str )
        {
        $this -> input = $str;
        // eregi() is gone since PHP 7; preg_match() with the same pattern. The D modifier makes $
        // match only at the very end of the string, so a trailing newline cannot slip through.
        // Note that * also accepts the empty string: add a length check if the field needs one.
        if ( preg_match ( '/^[0-9a-zA-Z_-]*$/D' , $this -> input ) ) return TRUE; else return FALSE;
        }

/*
| -------------------------------------------------------------------
| Clean Special Chars And Code Tags From The String
| -------------------------------------------------------------------
*/

        function clear_str ( $str )
        {
        $this -> input = $str;
        // Each pass works on the result of the previous one, otherwise the earlier passes are lost.
        $str = strip_tags( $this -> input ); // Cleaning HTML
        $str = preg_replace( '/[<>\/?&`~@#$%^*;\']/' , '' , $str ); // Cleaning special characters
        // mysql_real_escape_string() needs an open mysql_connect() link (it uses the connection charset).
        if( !get_magic_quotes_gpc() ) $str = mysql_real_escape_string( $str );
        return $str;
        }

/*
| -------------------------------------------------------------------
| Scaping Special Characters
| -------------------------------------------------------------------
*/

        function scape( $str )
        {
        $this -> input = $str;
        // Skip the call when magic_quotes_gpc has already backslashed the request data, otherwise escape once.
        if( !get_magic_quotes_gpc() ) $this -> input = mysql_real_escape_string( $this -> input );
        return $this -> input;
        }

}

/*
| -------------------------------------------------------------------
| End Of Ward Class
| -------------------------------------------------------------------
*/

A quick note on each of the four methods.
filtering() function: returns TRUE when the input contains any of the sensitive terms I defined (it detects them, it does not remove them). Terms can be added, deleted or modified easily, because each one is a single line of the form:

 or strstr ( strtolower ( $this -> input ) , " your char " ) != ''

If any of the listed terms occurs anywhere in the string, the method returns TRUE. A simple example of usage:

$ward = new ward();
if ( $ward -> filtering( $input ) ) die(' you are a good hacker ');
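Because each line is a plain case-insensitive substring test, it is worth seeing which term actually fires on a given input. The following is an added example, not part of the ward class: a diagnostic variant of filtering() that returns the matching terms instead of a bare TRUE, run over a few constructed inputs (two injection probes and three benign strings). It assumes PHP 7 or later.

```php
<?php
// Added example (not part of the original ward class): report WHICH
// blacklisted terms match instead of only returning TRUE. Assumes PHP 7+.

// Same needle list as the page's filtering(), minus the duplicated "*".
const WARD_NEEDLES = [';', "'", '*', '/', 'union', 'order', '+', 'http', 'ftp',
                      '`', '-', ')', '(', '..', 'concat'];

/**
 * Return the blacklisted terms found in $input. stripos() is the
 * case-insensitive substring test that strstr(strtolower(...)) performs
 * in the original; an empty array means the input would pass filtering().
 */
function ward_matches(string $input, array $needles = WARD_NEEDLES): array
{
    $hits = [];
    foreach ($needles as $needle) {
        if (stripos($input, $needle) !== false) {
            $hits[] = $needle;
        }
    }
    return $hits;
}

// Constructed sample inputs: two hostile probes, then three benign strings.
$samples = [
    "1' or '1'='1",          // classic tautology probe
    "1 union select 1,2,3",  // union-based probe
    "O'Brien",               // legitimate surname with an apostrophe
    "2009-09-29",            // a date; the only "bad" character is the hyphen
    "border collie",         // contains the substring "order"
];

foreach ($samples as $s) {
    $hits = ward_matches($s);
    printf("%-24s -> %s\n", $s,
        $hits ? 'REJECT (' . implode(' ', $hits) . ')' : 'pass');
}
```

The two probes are rejected, but so are all three benign strings: "O'Brien" on the apostrophe, the date on the hyphen, and "border collie" because "order" is matched as a substring, not as a word. That is the trade-off of a blacklist of this kind: it is cheap and easy to extend, but every term you add also rejects some legitimate input, so it is best applied to fields where the expected values are narrow (identifiers, numbers) rather than to free text.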

valid_str() function: it checks that the input string consists only of letters, digits, underscore and hyphen, and returns TRUE if it does and FALSE if any other character is present:

$ward = new ward();
if ( ! $ward -> valid_str( $input ) ) {   // TRUE means the string is clean, so reject on FALSE
die(' your username must only contain letters, numbers, _ or - ');
}
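An allow-list check like valid_str() is the strongest of the four methods, because it states what is permitted rather than trying to enumerate what is not. The following is an added example, not from the original post, that ports the page's pattern from the removed eregi() to preg_match() and shows two details a reviewer would flag: the `*` quantifier also accepts the empty string, and in PCRE `$` also matches just before a trailing newline, so "alice\n" passes the straight port. Function names and the length bound of 32 are my choices; it assumes PHP 7 or later.

```php
<?php
// Added example, not part of the original ward class: allow-list validation
// in the spirit of valid_str(), ported from eregi() to preg_match().
// Assumes PHP 7 or later.

// Straight port of the page's pattern. Two things to notice:
//   - [...]* also accepts the empty string;
//   - in PCRE, $ also matches just before a trailing "\n", so "alice\n" passes.
function valid_str_loose(string $name): bool
{
    return preg_match('/^[0-9a-zA-Z_-]*$/', $name) === 1;
}

// Tightened version: same character set, a length bound (1..32, my choice),
// and \z, which anchors at the absolute end of the string.
function valid_username(string $name): bool
{
    return preg_match('/^[0-9a-zA-Z_-]{1,32}\z/', $name) === 1;
}

// Constructed inputs with the verdict the tightened check should give.
$cases = [
    'yashar_1'          => true,
    ''                  => false,  // empty: only the length bound rejects it
    "alice\n"           => false,  // trailing newline: only \z rejects it
    'bob;drop'          => false,  // ';' is outside the allow-list
    str_repeat('a', 33) => false,  // too long for the bound
];

foreach ($cases as $input => $want) {
    $input = (string) $input;
    printf("%-16s loose=%-5s strict=%-5s %s\n",
        json_encode($input),
        var_export(valid_str_loose($input), true),
        var_export(valid_username($input), true),
        valid_username($input) === $want ? 'ok' : 'MISMATCH');
}
```

The loose port answers true for the empty string, for "alice\n" and for the 33-character name; the tightened one rejects all three. In a login or registration handler the call is simply `if (!valid_username($_POST['user'])) die(...)`, with the rejected value never reaching a query at all.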

clear_str() function: this one differs from the two previous methods in what it returns. Instead of a yes/no answer it returns the input string itself with the dangerous parts washed out: HTML tags are stripped, a fixed set of special characters is deleted, and the result is escaped for use inside a quoted MySQL string literal. Keep in mind that deleting characters alters the data (an apostrophe in a surname is lost for good), so it suits fields where that loss is acceptable. Try it to get a feel for what survives:

$ward = new ward();
$input = "<br> hu I'm a string ' ' ' <a href='bb'>link</a>";
echo $ward -> clear_str( $input );

scape() function: it escapes the characters that would terminate a quoted MySQL string literal (quotes, backslash, NUL and line breaks) by calling mysql_real_escape_string(), skipping the call when magic_quotes_gpc has already backslashed the request data. It needs an open MySQL connection, because the escaping depends on the connection's character set, and it only protects values that are placed between quotes in the query; an unquoted numeric value such as WHERE id = $id gets no protection from it.
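Both clear_str() and scape() exist to make a string safe to splice into SQL text. The alternative that removes the problem instead of escaping around it is a prepared statement, where the value is sent separately from the query and never becomes part of the SQL. The following is an added example, not part of the original post, showing that pattern with PDO; it uses an in-memory SQLite database so it runs without a MySQL server, but for MySQL only the DSN and credentials in open_db() change. The table, function names and sample inputs are my own.

```php
<?php
// Added example (not part of the original post): store user-supplied strings
// with a prepared statement instead of building SQL from a cleaned or escaped
// string. Uses SQLite in memory so it runs offline; for MySQL, swap the DSN.
// Assumes PHP 7.1+ with pdo_sqlite.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');   // MySQL: new PDO('mysql:host=...;dbname=...', $user, $pass)
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $db;
}

function store_comment(PDO $db, string $author, string $body): int
{
    // Placeholders: the values never become part of the SQL text, so quotes,
    // semicolons, "union" and so on are just data and need no stripping.
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetch_comment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = open_db();

// The page's own clear_str() sample input, plus a constructed probe pair:
// both rows are stored byte for byte, and the table is still there afterwards.
$id1 = store_comment($db, "O'Brien", "<br> hu I'm a string ' ' ' <a href='bb'>link</a>");
$id2 = store_comment($db, "x' or 1=1 --", "1; DROP TABLE comments");

foreach ([$id1, $id2] as $id) {
    $row = fetch_comment($db, $id);
    // Encode for the HTML context at output time. Storing the raw value and
    // escaping on display keeps it correct for other contexts (JSON, mail) too.
    printf("%d: %s said %s\n", $id,
        htmlspecialchars($row['author'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

echo 'rows: ', $db->query('SELECT COUNT(*) FROM comments')->fetchColumn(), "\n";
```

Compared with running the same sample through clear_str(), nothing is lost here: the apostrophes and the `<a href='bb'>` tag are kept in the database and neutralised by htmlspecialchars() only when rendered. The ward methods still have a place in front of such code, for rejecting input that is plainly malformed for the field, but the query itself should not depend on them.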

That is my ward class; feel free to edit it and use it in your own work. Another benefit of keeping the checks in a class like this is that they live in one place, which helps maintainability, and the performance cost is small. Treat it as a defence-in-depth layer, though: parameterized queries remain the primary protection against SQL injection. I hope you find it useful, Yashar.
