I just wanted a more elegant automated solution to my form validation. On PHP.net I found a cool class
script from the SQL injection page. Here is the code (modified). It's supposed to go through my $_POST
array and apply the validation function.
class secure
{
function secureSuperGlobalPOST($v)
{
$_POST[$v] = htmlspecialchars(stripslashes($_POST[$v]));
$_POST[$v] = str_ireplace("script", "blocked", $_POST[$v]);
$_POST[$v] = mysql_escape_string($_POST[$v]);
return $_POST[$v];
}
function secureGlobals()
{
// This was originally array_walk; I'm just trying to figure out what's up...
array_map('secureSuperGlobalPOST', $_POST);
}
}
// This last line is an attempt at using it. This was not provided with the code.
secure::secureGlobals();
So then I get this error:
_"Warning: array_map() expects parameter 1 to be a valid callback, function 'secureSuperGlobalPOST' not found or invalid function name in C:\wamp\www\mysite\register.php on line 19"_
I have been looking forever, but I cannot figure out why it wouldn't be valid, not found (it's in the same class), or why it would be invalid name (it's the same exact name!).
Declare secureSuperGlobalPOST as static and use:
return array_map('self::secureSuperGlobalPOST', $_POST);
or:
return array_map(array('self','secureSuperGlobalPOST'), $_POST);
If you don't want secureSuperGlobalPOST to be a static method:
return array_map(array('secure','secureSuperGlobalPOST'), $_POST);
But you must still catch the return value in your last statement.
$result=secure::secureGlobals();
That's because secureSuperGlobalPOST is not a global function.
You have to either take it out of the class, or make it a static method and use:
array_map('secure::secureSuperGlobalPOST', $_POST);
By the way you are not using callbacks the right way. A better way would be:
// Static so it can be referenced as 'secure::secureVar'; the parameter is taken
// by reference because array_walk() ignores the callback's return value and
// only changes the array through a by-reference argument.
public static function secureVar(&$v)
{
    $v = mysql_escape_string(htmlspecialchars(
        str_ireplace("script", "blocked", $v)));
}
Then call
array_walk($_POST, 'secure::secureVar');
array_walk($_GET, 'secure::secureVar');
So you get to re-use code.
Another thing I want to point out is that this is not the proper way to avoid XSS. This is the lazy way. You shouldn't do that. What if your users entered a text that said: "I read your script"? As it is, it would get converted into "I read your blocked".
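As an added illustration (not code from the question or either answer), the snippet below shows the callback mechanics discussed in the thread and puts the "script"-to-"blocked" filter beside context-aware HTML encoding at output time and a bound SQL parameter. The class and method names are invented for the demo, the $post array is a constructed stand-in for $_POST, and the storage part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example for this thread; SafeOutput and its methods are hypothetical
// names, and the sample inputs below are constructed.

final class SafeOutput
{
    // The thread's approach: blacklist a substring, then escape at input time.
    public static function blacklistFilter(string $v): string
    {
        return htmlspecialchars(str_ireplace('script', 'blocked', $v), ENT_QUOTES, 'UTF-8');
    }

    // Preferred: keep input as-is and encode for the HTML context when rendering.
    public static function encodeForHtml(string $v): string
    {
        return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // array_walk() only changes the array when the callback takes its value by
    // reference; a static method is addressable as 'Class::method'.
    public static function encodeInPlace(string &$v): void
    {
        $v = self::encodeForHtml($v);
    }

    // Persist raw input with a bound parameter instead of mysql_escape_string().
    public static function store(PDO $pdo, string $body): void
    {
        $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
        $stmt->execute([':body' => $body]);
    }
}

// Constructed sample inputs standing in for $_POST.
$post = ['bio' => 'I read your script', 'sig' => '<script>alert(1)</script>'];

echo SafeOutput::blacklistFilter($post['bio']), "\n";   // legitimate text is mangled
echo SafeOutput::encodeForHtml($post['sig']), "\n";     // markup is rendered inert

$view = $post;
array_walk($view, 'SafeOutput::encodeInPlace');          // static callable by name
echo $view['sig'], "\n";

// In-memory SQLite keeps the example self-contained; raw text round-trips unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE comments (body TEXT)');
SafeOutput::store($pdo, $post['sig']);
var_dump($pdo->query('SELECT body FROM comments')->fetchColumn() === $post['sig']);
```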