php - Function to check GET parameter


I have a function that does a security check on parameters (I'm not the author):

```php
function get($name = null, $value = false) {
    // Take the GET parameter if present, otherwise fall back to $value (never an array).
    $content = (!empty($_GET[$name]) ? trim($_GET[$name]) : (!empty($value) && !is_array($value) ? trim($value) : false));
    if (is_numeric($content))
        return preg_replace("@([^0-9])@ui", "", $content);
    else if (is_bool($content))
        return ($content ? true : false);
    else if (is_float($content))
        return preg_replace('@([^0-9\,\.\+\-])@ui', "", $content);
    else if (is_string($content)) {
        if (filter_var($content, FILTER_VALIDATE_URL))
            return $content;
        else if (filter_var($content, FILTER_VALIDATE_EMAIL))
            return $content;
        else if (filter_var($content, FILTER_VALIDATE_IP))
            return $content;
        else if (filter_var($content, FILTER_VALIDATE_FLOAT))
            return $content;
        else
            // Whitelist: everything not in this ASCII set is stripped.
            return preg_replace('@([^a-zA-Z0-9\+\-\_\*\@\$\!\;\.\?\#\:\=\%\/\ ]+)@ui', "", $content);
    } else
        return false;
}
```

So whenever I'm fetching parameter values I call this function. However, if the parameter string contains special characters like åäö, they are replaced. For example, the string "detta är en annons" gives the following output: "detta r en annons".

Since I'm sure it's a string variable, it's the filter_var function that strips the special chars. How should I rewrite the above script to keep special characters in the string?

Edit

Okay, the above script is trash. I've been looking at alternatives. If the purpose is to insert the parameter value into a database, is filter_input(INPUT_GET, "link", FILTER_SANITIZE_STRING); sufficient to clean the variable from malicious code?

Strictly answering the question, the problem lies in preg_replace. In the original version, all characters other than the ones explicitly listed are replaced with "", removing them from the input. For example, "2^8" becomes "28", because ^ is not allowed.

To accept any character other than "invisible control characters and unused code points", replace the preg_replace in your function with this:

```php
// \p{C} matches Unicode "Other" characters (controls, format characters,
// surrogates, private-use and unassigned code points); the u modifier makes
// the pattern operate on UTF-8 code points instead of bytes.
return preg_replace('@(\p{C})@ui', "", $content);
```

working implementation.

Edit

Responding to the OP's edit, filter_input is a great way to remove potentially dangerous input and may be what you want in your specific use case. However, please understand that there isn't a magic bullet solution. Have a look at this related Q&A.

At any rate, you typically want to check that user input conforms to your storage requirements (type, length, etc.), use prepared statements to insert into the database, and use output escaping to prevent XSS attacks. The pseudo-code goes like this:

```php
// Read the parameter, defaulting to false when it is absent.
$foo = $_GET['foo'] ?? false;
if (is_string($foo) && 0 < strlen($foo) && strlen($foo) < 255) {
    // Prepared statement: the value is bound as data, not spliced into the SQL.
    $sth = $dbh->prepare('INSERT INTO `table` VALUES (?)');
    $sth->execute(array($foo));
    // Escape at output time to prevent XSS.
    echo htmlentities($foo);
} else {
    echo 'Error: foo is not valid';
}
```
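The following is an added example, not code from the question or the answer, that puts the two points of the answer together: it keeps non-ASCII letters such as åäö by stripping only `\p{C}` characters, then applies the validate / prepared-statement / escape-on-output pipeline the answer describes. The function name `get_param`, the `$fakeGet` input and the in-memory SQLite database are assumptions made for this example; it needs the mbstring and pdo_sqlite extensions.

```php
<?php
// Added example: a replacement for the question's get() that preserves
// Unicode letters, validates length, stores via a prepared statement and
// escapes on output. Not from the original question or answer.
declare(strict_types=1);

/**
 * Fetch a string parameter from $source (normally $_GET), trim it and remove
 * control characters and unassigned code points (\p{C}). Returns false when
 * the parameter is missing, not a string, not valid UTF-8, or outside the
 * allowed length. Hypothetical helper written for this example.
 */
function get_param(array $source, string $name, int $minLen = 1, int $maxLen = 254)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return false;
    }
    // Reject malformed UTF-8 up front; with the /u modifier preg_replace
    // would return null on such input anyway.
    if (!mb_check_encoding($source[$name], 'UTF-8')) {
        return false;
    }
    // \p{C} covers controls, format characters, surrogates, private-use and
    // unassigned code points. Letters like "å", "ä", "ö" and symbols like "^"
    // are not in that class and survive. /u makes the pattern UTF-8 aware.
    $content = preg_replace('/\p{C}+/u', '', trim($source[$name]));
    if ($content === null) {
        return false;
    }
    $len = mb_strlen($content, 'UTF-8');
    if ($len < $minLen || $len > $maxLen) {
        return false;
    }
    return $content;
}

// Constructed sample input standing in for $_GET (assumption for this example).
$fakeGet = [
    'title'   => "detta är en annons",
    'expr'    => "2^8",
    'ctrl'    => "abc\x00\x1Bdef",      // NUL and ESC control bytes
    'toolong' => str_repeat('x', 300),
];

// Storage: an in-memory SQLite database stands in for the real one; the
// prepared statement binds the value as data, never as SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ads (title TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO ads (title) VALUES (?)');

foreach (['title', 'expr', 'ctrl', 'toolong', 'missing'] as $name) {
    $value = get_param($fakeGet, $name);
    if ($value === false) {
        echo "$name: rejected\n";
        continue;
    }
    $insert->execute([$value]);
    // Escaping belongs at the point of output (HTML here), not at input time,
    // so the stored value stays intact for other consumers.
    echo "$name: stored, rendered as " . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\n";
}
```

With this input, "detta är en annons" and "2^8" pass through unchanged, the embedded NUL and ESC bytes in `ctrl` are removed, and the over-long and missing parameters are rejected before any database call. The length check uses `mb_strlen` rather than `strlen` so that a multibyte string is measured in characters, matching how a `VARCHAR(255)` column counts it.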
