PHP Security - Ideas for Building a HttpRequest Class

Submitted by pure-php on Mon, 2005-03-14 21:30.

First of all, PHP is secure, and I am not the only or the first one to write that. Many PHP apps have seemed insecure recently. It has nothing to do with PHP at all. First, no other programming language is as exposed to the "evils" (sorry ;-)) outside; second, since PHP is so easy to learn, some of the developers had no programming experience before writing apps in PHP. Therefore the security problems of the popular phpBB were a good lesson for the PHP community.

I have the idea of writing an HttpRequest class which every developer can use. Here are the basics, and I would be happy to get your ideas.

<?php
class HttpRequest{
    var $params = array();
    // Constructor: the PHP 4 style "function HttpRequest()" was misspelled
    // HttpRrquest in the draft, so it never ran; __construct works in PHP 5+.
    function __construct(){
        $this->params = &$_REQUEST;
    }
    // Raw value of a parameter, or null if it was not sent at all.
    function getRaw($k){
        return isset($this->params[$k]) ? $this->params[$k] : null;
    }
    function getInt($k){
        return intval($this->getRaw($k));
    }
    function getString($k){
        return strval($this->getRaw($k));
    }
    // Only letters and digits pass; anything else (or a missing key) gives null.
    function getAlNum($k){
        $v = $this->getRaw($k);
        if(is_string($v) && ctype_alnum($v)){
            return $v;
        }else{
            return null;
        }
    }
    function getSqlEscaped($k){
        return addslashes((string)$this->getRaw($k));
    }

    //more to be done
    // Strips every tag not listed in $allowedTags (the draft body was a copy of getSqlEscaped).
    function getXSSCleaned($k, $allowedTags = ""){
        return strip_tags((string)$this->getRaw($k), $allowedTags);
    }
    function getEmail($k){
        $email = strtolower($this->getString($k));
        if(!preg_match("/^([_[:alnum:]-]+)(\.[_[:alnum:]-]+)*@([[:alnum:]])([[:alnum:]\.-]+)([[:alnum:]])\.([[:alpha:]]{2,4})$/",$email)){
            return null;
        }else{
            return $email;
        }
    }
    function getFloat($k){
        return floatval($this->getRaw($k));
    }
    function getDouble($k){
        return doubleval($this->getRaw($k));
    }
}
class httpCookie extends HttpRequest{
    function __construct(){
        $this->params = &$_COOKIE;
    }
}
class httpGET extends HttpRequest{
    function __construct(){
        $this->params = &$_GET;
    }
}
class httpPOST extends HttpRequest{
    function __construct(){
        $this->params = &$_POST;
    }
}
?>

usage:

<?php
$post = new httpPOST();
if( ($id = $post->getAlNum("id")) === null ){
  echo "invalid id";
}
if( $id = $post->getInt("id") ){
  $query = "SELECT * FROM table WHERE id =".$id;
}
$query = "INSERT INTO Table (msg) VALUES ('".$post->getSqlEscaped("msg")."')";
?>

Write your ideas for (other) methods
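An added example, not the post's own code, that carries the same idea further (the class and method names are my own; it assumes PHP 7.1+ and pdo_sqlite for the last lines): missing or non-scalar keys give null, every getter is a whitelist check, output for HTML is escaped with htmlspecialchars(), and the SQL value is bound with a prepared statement instead of being run through addslashes().

```php
<?php
// Added example, not the post's own code: a stricter HttpRequest in the same
// spirit (PHP 7.1+). Missing or non-scalar keys give null, each getter is a
// whitelist check, and the SQL value is bound rather than escaped with addslashes().
final class SafeRequest
{
    private $params;
    // Pass $_GET, $_POST or $_COOKIE; the script below passes a constructed array.
    public function __construct(array $params) { $this->params = $params; }
    private function raw(string $k): ?string
    {
        $v = $this->params[$k] ?? null;        // ?id[]=1 arrives as an array and is rejected
        return is_scalar($v) ? (string)$v : null;
    }
    public function getString(string $k): ?string { return $this->raw($k); }
    public function getInt(string $k, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
    {
        $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
        $v = filter_var($this->raw($k), FILTER_VALIDATE_INT, $opts);
        return $v === false ? null : $v;        // "42abc" and "4.2" both fail, unlike intval()
    }
    public function getAlNum(string $k, int $maxLen = 64): ?string
    {
        $v = $this->raw($k);
        return ($v !== null && $v !== '' && strlen($v) <= $maxLen && ctype_alnum($v)) ? $v : null;
    }
    public function getEmail(string $k): ?string
    {
        $v = filter_var($this->raw($k), FILTER_VALIDATE_EMAIL);
        return $v === false ? null : strtolower($v);
    }
    // For HTML output; this is what getXSSCleaned() needs instead of addslashes().
    public function getHtmlEscaped(string $k): string
    {
        return htmlspecialchars((string)$this->raw($k), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample input standing in for $_POST.
$post = new SafeRequest(['id' => '42', 'msg' => "<b>hi</b>' OR 1=1 --", 'mail' => 'Bob@Example.org']);
var_dump($post->getInt('id', 1), $post->getAlNum('msg'), $post->getEmail('mail'));
echo $post->getHtmlEscaped('msg'), "\n";

// SQL: the prepared statement keeps the data apart from the query text (in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE t (id INTEGER, msg TEXT)');
$db->prepare('INSERT INTO t (id, msg) VALUES (:id, :msg)')
   ->execute([':id' => $post->getInt('id', 1), ':msg' => $post->getString('msg')]);
```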

Submitted by Anonymous (not verified) on Tue, 2005-03-22 04:07.

rip off firefox much?
