PHP Classes
elePHPant
Icontem

requestUtils: Retrieve and sanitize user submitted request data

Recommend this page to a friend!
  Info   View files View files (3)   DownloadInstall with Composer Download .zip   Reputation   Support forum (1)   Blog    
Last Updated Ratings Unique User Downloads Download Rankings
2004-10-31 (11 years ago) RSS 2.0 feedStarStarStar 58%Total: 2,359 All time: 1,590 This week: 881Up
Version License Categories
pcgrequestutils 1.0GNU General Publi...HTTP, Security
Description Author

This class acts a central place to retrieve user submitted data to a page access via the request, form inputs or cookies.

Instead of using the super-global variables $_POST, _$GET, $_REQUEST and $_COOKIE, this class can be used instead so the submitted data can be sanitized to prevent well known security attacks like cross-site scripting and SQL injections.

It may also check whether magic quotes option is enabled and eventually add escape slashes characters.

Picture of Nilesh Dosooye
Name: Nilesh Dosooye <contact>
Classes: 4 packages by
Country: Mauritius Mauritius

Details
This class is used througout the PCG Framework to get all data from Form. 

Code Generated from phpCodeGenie (PCG) automatically uses the RequestUtils
to get all user Data from form.

For more information, check the phpCodeGenie webpage on Sourceforge 

http://phpcodegenie.sourceforge.net/

Extract taken from the PCG Framework OverView Manual about Request Utils

Dealing with User Input using requestUtils

User input in a web application is done via HTML forms. 

PHP provides the $_POST, $_GET and $_REQUEST global variables to retrieve data from html forms 
directly.

Retrieving the data directly from these global variables could cause a security threat in your 
application though.

One can never trust user input. There can be malicious users trying to do Cross Site Scripting (XSS) 
or SQL injections hack by messing with the data. Therefore, one need to be parse the data and make
sure it is safe before passing it to your application. An example of an XSS attack would be :

e.g Let say you have a text field element, which you allow user to input data and then your display
the input data, the user could put something like

  <script> (for ;;) { alert(‘hacked’); </script> 
  
in the input text and on displaying the input data, your page would go in a infinite loop asking
the user to press on a javascript alert box forever.


Another common problem with user input is magic_quotes is turned on or off. 
When magic_quotes is turned on in your php, some characters are automatically escaped. 
While you might have it enabled on your server, you are not sure that all servers you 
are going to deploy your application to, will have the same settings. So you need to 
make sure that, you check for whether its enabled or not on the server that your application
runs on and escape your user data accordingly. It would be a big hassle to check for 
whether magic quotes is on or off each time you get a a user input. 

PCG solves these two above problems by using the requestUtils class to get form elements. 
By using a separate class to do the form retrieval, it puts that action in one central place
and easy to change. So in that class, you can add whatever sanity check you need to make. 
Currently, the requestUtils::getRequestObject($elementName) method ltrim and rtrim your input 
data, strip the html tags (this setting is configurable in applicationConstants.inc.php, 
by setting the ALLOW_HTML_TAGS_IN_POST_GET_REQUESTS constant to true or false) and if 
magic_quotes is not enabled, addslashes to the data before returning to the client.
 
 
Usage example

Let’s say you have a form

HTML FORM
<FORM NAME=”nileshForm” METHOD=”POST” ACTION=”test.php”>
UserInput : <input type=”text” name=”userInput” value=””>
</FORM>

Instead of using <? $thisUserInput = $_POST[‘userInput’]; ?> to get that form element, we will use the code below. It will perform the same action as using the $_POST, but it will also do sanity check on the data input by user. You can add your own additional sanity checks to the getRequestObject method if you need to in one central place.

PHP SCRIPT
<?
	$thisUserInput = requestUtils::getRequestObject('userInput');
?>
  Files folder image Files  
File Role Description
Accessible without login Plain text file example.php Example example of requestUtils Usage
Accessible without login Plain text file README.txt Doc. Documentation and Class Usage
Plain text file requestUtils.class.php Class the reqiestUtils Class

 Version Control Reuses Unique User Downloads Download Rankings  
 0%1
Total:2,359
This week:0
All time:1,590
This week:881Up
 User Ratings  
 
 All time
Utility:75%StarStarStarStar
Consistency:81%StarStarStarStarStar
Documentation:61%StarStarStarStar
Examples:65%StarStarStarStar
Tests:-
Videos:-
Overall:58%StarStarStar
Rank:1319