On Thu, Feb 21, 2008 at 8:53 PM, nihilism machine
<[EMAIL PROTECTED]> wrote:
> What is a better idea? Using this class in my db class and using
> CleanInput on the sql statements, or using it in the top of the all
> pages with form input to clean the $_POST's? Also, any ideas or
> comments on improving the class?
>
> <?php
>
> class FormCleaner {
>
>     // Initializer: rewrite every scalar $_POST value in place. foreach
>     // iterates over a copy of the array, so assigning to $_POST[$key]
>     // inside the loop is safe. Nested arrays (name="x[]") are skipped;
>     // handing them to strip_tags() would be an error.
>     function __construct() {
>         foreach ($_POST as $curPostKey => $curPostVal) {
>             if (is_string($curPostVal)) {
>                 $_POST[$curPostKey] = $this->CleanInput($curPostVal);
>             }
>         }
>     }
>
>     // Clean Form Input. What this does: the regex deletes the listed words
>     // wherever they occur, inside a tag or in plain text, and only those
>     // words (handlers such as onerror are not listed); strip_tags() then
>     // drops unlisted tags but keeps every attribute on the tags it allows.
>     public function CleanInput($UserInput) {
>         $allowedtags = "<b><i><h1><a><img><ul><li><blockquote>";
>         // The mailing list's address masking replaced the end of this
>         // pattern (its last alternative, the closing @ delimiter and any
>         // modifiers) with [EMAIL PROTECTED]. Only the closing delimiter is
>         // restored here; the lost alternative is not guessed.
>         $notallowedattribs = array("@javascript:|onclick|ondblclick|"
>             . "onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|"
>             . "onkeypress|onkeydown@");
>         $changexssto = '';
>         $UserInput = preg_replace($notallowedattribs, $changexssto, $UserInput);
>         $UserInput = strip_tags($UserInput, $allowedtags);
>         $UserInput = nl2br($UserInput);
>         return $UserInput;
>     }
> }
>
> ?>
>
Does this line work?:
foreach ($_POST as $curPostKey => $curPostVal) {
    $_POST[$curPostKey] = $this->CleanInput($curPostVal);
}
If I recall correctly, you can't modify the array within a foreach
block... or am I going crazy?
--
-Casey
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
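Added example, not code from either poster. The question of whether to run CleanInput() inside the db class or over $_POST at the top of every page has a third answer: neither. A value that has been "cleaned" for HTML is still not safe to splice into SQL (the class never touches quotes), and a value escaped for SQL is not safe in HTML, so the raw input should be stored as-is and escaped at each point of use: bound parameters for the query, htmlspecialchars() for plain-text fields, and, for the one field that is allowed to carry markup, an allowlist sanitizer instead of a word blacklist. The posted blacklist also fails on its own terms: onerror and onload are not in the list, and because preg_replace() makes a single pass, "ononclickclick" comes out as "onclick". The code below assumes ext/dom and pdo_sqlite; the element list mirrors the tags the posted class allowed, the per-tag attribute and URL-scheme allowlists are my own choices, and the input strings are constructed for the demonstration.

```php
<?php
// Added example (not code from the original post). Requires ext/dom and
// pdo_sqlite. Raw input is stored unchanged; each output context gets the
// escaping it needs, and only the rich-text field goes through a sanitizer.
declare(strict_types=1);

// Elements the sanitizer keeps (the tags the posted class allowed) and the
// attributes each may carry. Event handlers are simply never in a list.
const ALLOWED_ELEMENTS = [
    'b' => [], 'i' => [], 'h1' => [], 'ul' => [], 'li' => [], 'blockquote' => [],
    'a' => ['href'], 'img' => ['src', 'alt'],
];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // my choice, not the post's

// Keep a URL attribute only if it is relative or uses an allowlisted scheme.
// Control characters are stripped first because browsers ignore tab/newline
// when reading a scheme, so "java\nscript:" must be judged as "javascript:".
function isSafeUrl(string $url): bool
{
    $url = (string) preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true; // no scheme: relative URL or fragment
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Depth-first walk. Unknown elements are unwrapped (tag dropped, already
// sanitised children kept), except script/style, whose content is code.
function sanitizeNode(DOMNode $parent): void
{
    // Iterate over a snapshot: removing from a live NodeList skips siblings.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue; // saveHTML() re-escapes text nodes
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child); // comments, processing instructions
            continue;
        }
        sanitizeNode($child);
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_ELEMENTS[$tag])) {
            if ($tag !== 'script' && $tag !== 'style') {
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ELEMENTS[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || isSafeUrl($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function sanitizeHtml(string $fragment): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // user markup is rarely well-formed
    // The XML PI tells libxml the bytes are UTF-8; only body's children are
    // serialised, so anything the parser pushes outside body is dropped.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $fragment . '</body>');
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// SQL and plain-text HTML need no "cleaning", only escaping at the point of
// use: a bound parameter for the query, htmlspecialchars() for the text.
function storeAndRender(string $author, string $body): string
{
    $db = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE post (author TEXT NOT NULL, body TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO post (author, body) VALUES (:author, :body)');
    $ins->execute([':author' => $author, ':body' => $body]); // quotes are data
    $row = $db->query('SELECT author, body FROM post')->fetch(PDO::FETCH_ASSOC);
    return '<p class="by">'
        . htmlspecialchars($row['author'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p><div class="body">' . sanitizeHtml($row['body']) . '</div>';
}

// Constructed inputs as they would arrive in $_POST: a quote that breaks naive
// SQL, a script in a plain-text field, and in the rich-text field an unlisted
// handler plus a javascript: scheme hidden behind a newline entity.
echo storeAndRender(
    "O'Brien <script>alert(1)</script>",
    '<b>hi</b> <img src="x" onerror="alert(1)"> <a href="java&#10;script:alert(1)">x</a>'
), "\n";
```

If maintaining a sanitizer is unappealing, HTML Purifier does the same allowlist job with a far larger rule set. The point that survives either way is that the transformation belongs at the boundary where the data is used, keyed to that context, not in a constructor that rewrites $_POST before anyone knows where the values will end up.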