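<?php

/**
 * Recursive HTML-escaping of request arrays (e.g. $_POST).
 *
 * The escaping targets the HTML context only: it makes values safe to echo
 * into an HTML page, not to interpolate into SQL, shell commands or
 * JavaScript (SQL wants bound parameters / driver quoting; each other context
 * needs its own escaping). Because the encoding is applied at input time,
 * anything that later stores or re-displays the value receives the
 * already-entity-encoded form, so do not encode a second time on output.
 */
class Model_Sanitize
{
    /**
     * Worker for sanitizeArray(): walks $to_clean recursively.
     *
     * - array values are recursed into (the same $ignore_params apply at
     *   every depth, because keys are matched by name only);
     * - string values are entity-encoded unless their key is in $ignore_params;
     * - any other value (int, float, bool, null) is left untouched.
     *
     * @param array $to_clean      data to escape; keys are preserved
     * @param array $ignore_params keys whose string values are kept verbatim
     * @return array the escaped copy of $to_clean
     */
    private static function cleanArray($to_clean, $ignore_params = array())
    {
        if (empty($to_clean)) {
            return $to_clean;
        }

        // Compare keys as strings with strict in_array(): PHP turns a
        // numeric-string key such as '0' into the int 0, and a loose
        // in_array(0, array('body')) was true on PHP < 8, which would have
        // skipped escaping for every list element.
        $ignore = array_map('strval', $ignore_params);

        foreach ($to_clean as $k => $entry) {
            if (is_array($entry)) {
                $to_clean[$k] = self::cleanArray($entry, $ignore_params);
            } elseif (is_string($entry)) {
                if (!in_array((string) $k, $ignore, true)) {
                    // ENT_QUOTES encodes both ' and " in one call (the original
                    // post-processed them separately); the explicit charset
                    // keeps the result independent of default_charset, and
                    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
                    // of silently returning an empty string.
                    $to_clean[$k] = htmlentities($entry, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
                }
            }
        }

        return $to_clean;
    }

    /**
     * Applies htmlentities() to every string in a (possibly nested) array.
     *
     * Keys listed in $ignore_params are left unescaped, at any depth of the
     * array (e.g. the field of a rich-text editor that must keep its HTML).
     * Non-array input yields an empty array.
     *
     * @param mixed $to_clean      the array to sanitise (anything else -> array())
     * @param array $ignore_params OPTIONAL keys to leave untouched
     * @return array
     */
    public static function sanitizeArray($to_clean, $ignore_params = array())
    {
        if (!is_array($to_clean)) {
            return array();
        }

        return self::cleanArray($to_clean, $ignore_params);
    }
}

// Author's note (translated): automatic $_POST sanitising, with $ignore_params
// for cases such as a text editor like nicEdit whose parameter must be skipped.
if (isset($_POST) && !empty($_POST)) {
    $_POST = Model_Sanitize::sanitizeArray($_POST);
}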
totti93 Posted January 7, 2012 (edited): Presupun ca ai luat in serios `test`-ul lui tex pentru injectorteam. Edited January 7, 2012 by totti93
aelius Posted January 7, 2012 (edited): Merci, e super util. (intrebasem pe injectorteam de curiozitate, oricum sunt convins ca nu stie ce se intampla in spatele unei aplicatii web). PS: Normal ar trebui oarece trim/stripslashes/mysql_real_escape_string pe acolo, sau nu?! Edited January 7, 2012 by aelius
Robert1995 Posted January 7, 2012 (Author, edited): PS: Normal ar trebui oarece trim/stripslashes/mysql_real_escape_string pe acolo, sau nu?! Eu cand salvez in baza de date folosesc $this->_db->quoteInto , e o functie pentru Zend db . Oricum e foarte usoara extinderea scriptului acesta de sanitize presupun,fiecare poate sa il adapteze dupa cum doreste.Functia aceea $this->_db->quoteInto , se bazeaza pe : , aceasta apartine de zend

    /**
     * Quote a raw string.
     *
     * Note the mixed return: an int is returned as-is (an int, not a quoted
     * string), a float is rendered with sprintf('%F') (fixed-point, no
     * locale-dependent separator), and anything else is wrapped in single
     * quotes after backslash-escaping NUL, LF, CR, backslash, both quote
     * characters and Ctrl-Z (\032).
     *
     * NOTE(review): this is byte-wise escaping that knows nothing about the
     * connection charset; presumably driver-specific adapters override it
     * with the driver's own quoting — confirm before relying on this
     * fallback for untrusted input on a multibyte connection charset.
     *
     * @param string $value Raw string
     * @return string Quoted string
     */
    protected function _quote($value)
    {
        if (is_int($value)) {
            return $value;
        } elseif (is_float($value)) {
            return sprintf('%F', $value);
        }
        return "'" . addcslashes($value, "\000\n\r\\'\"\032") . "'";
    }

    /**
     * Quotes a value for use in an SQL statement.
     *
     * Dispatch order (first match wins):
     *  - Zend_Db_Select -> assembled and wrapped in parentheses (sub-select);
     *  - Zend_Db_Expr   -> emitted verbatim via __toString(), i.e. NOT
     *                      escaped, so an Expr must only be built from
     *                      trusted input;
     *  - array          -> each element quoted with the same $type and
     *                      joined by ', ';
     *  - numeric $type  -> coerced to a bare numeric literal (never a quoted
     *                      string): INT via intval(), BIGINT via the regex
     *                      below (leading numeric literal only, '0' when
     *                      nothing matches), FLOAT via sprintf('%F');
     *  - otherwise      -> _quote().
     *
     * @param mixed $value The value to quote.
     * @param mixed $type  OPTIONAL SQL datatype name (case-insensitive) or null.
     * @return mixed A quoted value, or a string of ', '-separated quoted values
     *               for array input.
     */
    public function quote($value, $type = null)
    {
        $this->_connect();

        if ($value instanceof Zend_Db_Select) {
            return '(' . $value->assemble() . ')';
        }

        if ($value instanceof Zend_Db_Expr) {
            return $value->__toString();
        }

        if (is_array($value)) {
            // By-reference loop; $value is a local copy, so the reference
            // left on the last element is discarded at return.
            foreach ($value as &$val) {
                $val = $this->quote($val, $type);
            }
            return implode(', ', $value);
        }

        // $type is upper-cased in place inside the condition; _numericDataTypes
        // (declared outside this excerpt) maps type names to the Zend_Db::*_TYPE
        // constants compared in the switch below.
        if ($type !== null && array_key_exists($type = strtoupper($type), $this->_numericDataTypes)) {
            $quotedValue = '0';
            switch ($this->_numericDataTypes[$type]) {
                case Zend_Db::INT_TYPE: // 32-bit integer
                    $quotedValue = (string) intval($value);
                    break;
                case Zend_Db::BIGINT_TYPE: // 64-bit integer
                    // ANSI SQL-style hex literals (e.g. x'[\dA-F]+')
                    // are not supported here, because these are string
                    // literals, not numeric literals.
                    // Only the leading numeric literal is kept ($matches[1]);
                    // the pattern is anchored at the start but not the end,
                    // so any trailing text in $value is dropped.
                    if (preg_match('/^(
                          [+-]?                  # optional sign
                          (?:
                            0[Xx][\da-fA-F]+     # ODBC-style hexadecimal
                            |\d+                 # decimal or octal, or MySQL ZEROFILL decimal
                            (?:[eE][+-]?\d+)?    # optional exponent on decimals or octals
                          )
                        )/x', (string) $value, $matches)) {
                        $quotedValue = $matches[1];
                    }
                    break;
                case Zend_Db::FLOAT_TYPE: // float or decimal
                    $quotedValue = sprintf('%F', $value);
            }
            return $quotedValue;
        }

        return $this->_quote($value);
    }

Edited January 7, 2012 by Robert1995