How to Prevent Attacks With Proper Input Handling (Part 2)

Part 2 of this article is aimed at demonstrating how to code a accept-list validation class in PHP. We will start with a classic example of request routing where a HTTP GET request will include a “page=” parameter which will instruct the server which page the user is requesting and an empty “?action” parameter which will instruct the sever-side application which HTTP POST data to expect in the request. However, this model of input validation can be modified to handle other forms of HTTP GET and POST attribution to specify the data request.

Let’s start with the basics of compiling the accept-lists for GET and POST. This is specified as a config file as shown below. The configuration is setup as constants that hold arrays. This does a couple things. Firstly, it makes the values global and they can be access from anywhere in the application code. Secondly, it prevents them from being altered which adds some limited security to the application.

This method also allows the values to be looped through when inspecting the GET and POST arrays. Each expected value is contained in a sub-array. The sub array’s first value is the string that must match the attribute or key of the GET or POST item. The second value is a string that specifies a data-type so that the sanitizer class will know how to evaluate the item. The third value in the array includes additional information on how to handle each specific type of data.

Each array held in the “ALLOWED_POST_PAIRS” constant array first specifies a matching GET flag (parameter with no value) that corresponds with the expected fields in the POST data. This flag would be set in the “action” parameter in a HTML form tag, or specified directly in the GET line data if you are passing POST form data by API.

<?php 
/*
sanitizer_config.php
*/

// This file contains two sections, ALLOWED_GET_PAIRS and ALLOWED_POST_PAIRS.
// Each section defines allowed values for the data which may be passed through those 
// data request methods.

define("ALLOWED_GET_PAIRS", array(
  array("page", "string_list", array("login", "register")),
  array("register", "none"),
  array("login", "none")
));

// All $_POST line key/value pairs allowed in the app are validated using following
// definitions.  First the required match to a $_GET value is defined.
// Then all $_POST pair values that are allowed are defined with a type flag
// and specifications to define how to validate each $_POST item.
// Format array("key_name", "type", array(value1, value2, etc;))
// Types can be same as ALLOWED_GET_PAIRS
define("ALLOWED_POST_PAIRS", array(

  // Login Form get flag
  // TODO: make modular depending on login credential systems allowed in config.
  // For example username may or may not be configured into.
  // Facebook login buttons may or may not be allowed in as well.
  // This may require building an array before defining the constant
  array("login", array(
      // key, type, array of requirements (eg. max/min length) if required
      array("user_email", "email", false),
      array("user_password", "password"),
      array("submit", "string_length", array(1,15)),
    ))

  // Registration Form GET flag
  array("register", array(
      // key, type, array of requirements (eg. max/min length) if required
      array("user_name", "string_length", array(5,25)),
      array("user_password", "password"),
      array("user_password_repeat", "password"),
      array("user_email", "email", false),
      array("submit", "string_list", array("Register")),
    )),

));

?>

Here is a comment section that can be included in the file that specifies all the parameters for configuring the setup for your sites specific request method fields.

// All GET line key/value pairs allowed in the app are validated using following
// data-types. Each sub-array in the ALLOWED_GET_PAIRS and ALLOWED_POST_PAIRS arrays
// stores entries in the following format:
// array("key_name", "type", additional parameters).
// "type" can be one of the following:
// string_list : the parameter value is an array of allowed strings. eg. array('allowed_value1', 'allowed_value2').
// string_length : the parameter value is an array of min/max length that the string can be eg. array(6, 100).
// string_length_wysiwyg : converts linebreaks into <br> tags, and escapes all tags.
// string_special_chars_length : the parameter value is an array of min/max length and special characters that may be included in the string
// string_tags : tags are not stripped from input but escaped
// string_alphanumeric_length: the parameter value is an array of min/max length that the string can be eg. array(6, 100).
// int_length : the parameter value is an array of min/max length that the int can be eg. array(1,4).
// int_range : the parameter value is an array of min/max integer range that the int can be eg. array(1,4).
// array_string_list : the parameter value specifies to allow an array as the value for which each item must be an allowed strings. eg. array('allowed_value1', 'allowed_value2').
// none : the parameter value of GET/POST must be NULL to pass validation. Value is not required
// url : the parameter value is boolean whether to allow empty. not required. default is false
// youtube_url : returns only the watch code of the url. The value is boolean whether to allow empty. not required. default is false
// email: the parameter value is boolean whether to allow empty. not required. Default is false
// bool: the parameter value is not required.
// username: the parameter value is not required. Validated to be alphanumeric.
// password: the parameter value is not required. Validated to be alphanumeric with a special character list.
// date: the parameter parameter value is boolean whether to allow empty. Not required. Default is false
// datetime: the parameter value is boolean whether to allow empty. Not required. Default is false

The controller code below can be included early in your process flow. It includes the configuration files, including a login configuration file for this simple example, instantiates the sanitizer class object, and then validates or sanitizes the $_GET and $_POST arrays, returning scoped variables. The validateGetInput() function will return False if the data does not strictly validate to the expected values. However, the santizePostInput() function will clean the data and return the array with an additional “errors” parameter attached with details on the errors found as an array of error messages. This allows you to handle the errors individually by severity. The $_GET and $_POST arrays are also global by nature and therefore accessible everywhere in the subsequent code of the application. So, to mitigate this security vulnerability, the $_GET and $_POST globals are returned as scoped PHP variables. They must then be passed explicitly to each function in the application. For applications that will not allow the $_GET and $_POST to operate as scoped variables, you can simply return to the $_GET and $_POST variables respectively.

<?php

/**
* Sanitizer Initialization Controller
*
***/

// Validate and / or Sanitize incoming GET and POST data.
try{

  // Load the config file for sanitizer
  require_once "sanitizer_config.php";
  // Load the config file for login config
  require_once "sanitizer_config.php";

  // Require and instantiate sanitizer
  require_once "Sanitizer.class";
  $sanitizer = new Sanitizer();

  // Pass $_GET into function to verify get line input
  $get_data = $sanitizer->validateGetInput();
  // Pass $_POST into a function to verify and virus scan
  $post_data = $sanitizer->sanitizePostInput();

  // If $_POST data fails to validate
  if(gettype($get_data) != "array" || isset($post_data['errors'])){

    // You can raise errors or exceptions here
    // Or alternatively call a function to record
    // the malformed content, etc.
    print_r($get_data);
    print_r($post_data);
    die("Sanitization failed...");

  }else{

    // Continue with application flow
    print("Input data validation successfull!");

  }

?>

Finally, the Sanitizer class is included below, which contains the functions required to validate and sanitize the input.

<?php

/**
 * Sanitizer Class
 * Vanilla Pancakes Web-App Framework
 *
 ***/

// This class validates $_GET and $_POST data for attribute/value integrity.
// bytes from all input.  Also, email addresses, passwords, url, and usernames
// are evaluated and validated.  All functions are public.  Anamolies and errors
// are logged using the recordDirtyStrings()function, and virusScan is used to
// scan file uploads and change permissions / delete files accordingly.

class Sanitizer
{

    /**
     * This is a function which validates an `input` string according to `type` and `limits`.
     * A boolean is returned if the input passes the validation.
     */
    public function validateInput($input, $type, $limit)
    {

        // Debugging options to print the input variables
        //print "<br>".$type." ".$input."<br>";
        //var_dump($limit);
        //print "<br>";

        // $input string must first pass FILTER_FLAG_STRIP_LOW & FILTER_FLAG_STRIP_HIGH,
        // and backticks and strip_tags.  If this limit is not passed, then `false` is returned immediately.
        $input_filtered = filter_var($input, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
        $input_filtered = filter_var($input_filtered, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
        $input_filtered = filter_var($input_filtered, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_BACKTICK);
        $input_filtered = strip_tags($input_filtered);
        if($input != $input_filtered) return false;

        // `string_list` expects $limit as an array of string values.
        // if $input is in the list of values, `true` is returned, else `false`.
        if($type == "string_list"){
          if(in_array($input, $limit)) return true;
          else return false;

        // `string_length` expects $limit as an array of int.  These int are used
        // to validate $input is within the expected legnth range.
        }elseif($type == "string_length"){
          //print "<br>".strlen($input)."<br>";
          // validate the string is only alpha characters and returns false if it fails.
          if(!ctype_alpha($input)) return false;
          //validate $input as being within $limit values
          if(strlen($input) >= $limit[0] && strlen($input) <=$limit[1]) return true;
          else return false;

        // TODO: fix this to check for regex special characters
        // `string_special_chars_length` expects $limit as an array of two int and one of special characters to allow.
        // These int are used to validate $input is within the expected legnth range.
        }elseif($type == "string_special_chars_length"){
          //var_dump($limit);
          //print "<br>".$input."<br>";
          // Build a regex string
          $pattern_base = "a-Z0-9";
          foreach($limit[2] as $character){
            $pattern_base = $pattern_base.$character;
          }
          // validate the string is only alpha numeric characters
          // and special characters in $limit[2] returns false if it fails.
          if(true){
            //validate $input as being within $limit values
            if(strlen($input) >= $limit[0] && strlen($input) <= $limit[1]) return true;
            else return false;
          }else return false;

        // `int_length` expects $limit as an array of int.  These int are used to
        // validate $input is an int and is within the expected length range.
        }elseif($type == "int_length"){
            //print "<br>".strlen($input)."<br>";
            // validate $input as only integer characters
            if(!ctype_digit($input)) return false;
            // validate $input as being within $limit values
            if(strlen($input) >= $limit[0] && strlen($input) <= $limit[1]) return true;
            else return false;

        // `int_range` expects $limit to be an array of int.  These int are used to
        // validate the $input is an int between the specific values of $limit
        }elseif($type == "int_range"){
            //print "<br>".$input."<br>";
            // validate $input as only integer characters
            if(!ctype_digit($input)) return false;
            // validate that $input is between the min and max values sent in $limit array.
            if(!filter_var($input, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$limit[0], "max_range"=>$limit[1])))) return false;
            else return true;

        // `none` are only valied when the $value is empty string.
        }elseif($type == "none"){
            if(strlen($input) === 0) return true;
            else return false;

        // If filter type is string_alphanumeric_length filter $input and return only string.
        // $limit is specified and string must be alphanumeric
        }elseif($type == "string_alphanumeric_length"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // validate the string is only alpha characters and returns false if it fails.
            if($input != preg_replace("#[^A-Za-z0-9]#", '', $input)) return false;
            //validate $input as being within $limit values
            if(strlen($input) >= $limit[0] && strlen($input) <= $limit[1]) return true;
            else return false;
          }else return false;
        }

    }

    /**
     * This is a function which sanitizes an `input` according to `type` and `limits`.
     * The `input` is returned back sanitized meaning stripped of low unicode bytes or
     * other violations, unless certain failures occur, then `false` is returned.
     * Certain types of violation are logged for security purposes.
     *
     */
    public function sanitizeInput($type, $input, $limit, $system_db_connection)
    {
        // $input string must first pass FILTER_FLAG_STRIP_LOW & if the type
        // does not allows tags, then strip_tags.  If these two filters are
        // not passed, then `false` is returned immediately.
        // TODO: and the violation is logged.
        // FILTER_FLAG_STRIP_HIGH is not applied since some user data (comments, etc.)
        // may contain other languages.  Finally, some types of filter will return
        // an array with the sanitized falue and an error code/message.

        // If the $type is `string_length_wysiwyg` the process first to avoid backticks being filtered
        if($type == "string_length_wysiwyg"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // Check the length of the string
            if(strlen($input) >= $limit[0] && strlen($input) <= $limit[1]){
              $input = filter_var($input, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_LOW);
              return $input;
            }else return array("error", "invalid_length", $input);

          }else return array(NULL, "type_error");
        }

        // First filter the low byte values and report on each step to the recordDataViolation() function.
        $input_filtered = filter_var($input, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
        if($input !== $input_filtered){
          //print strlen($input)." - ".strlen($input_filtered);
          //$input = str_split($input);
          //foreach($input as $char){
            //print $char;
          //}
          //print "<br>";
          //$input_filtered = str_split($input_filtered);
          //foreach($input_filtered as $char){
            //print $char;
          //}
          //unset($input);
          $input = $input_filtered;
          $this->recordDataViolation("LOW_BYTE_VIOLATION", $system_db_connection);
          //return array(NULL, "malicious");
        }

        $input_filtered = filter_var($input, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_BACKTICK);
        if($input !== $input_filtered){
           //unset($input);
           $input = $input_filtered;
           $this->recordDataViolation("BACKTICKS_STRIPPED", $system_db_connection);
           //return array(NULL, "malicious");
         }
        // If type not allow tags, then strip tags as well.
        if($type != "string_tags") $input_filtered = strip_tags($input);
        // If there is a violation, then record the violation and return NULL
        if($input !== $input_filtered){ unset($input); $this->recordDataViolation("TAGS_VIOLATION", $system_db_connection); return array(NULL, "malicious"); }

        // If filter type is int $input must be string. Check that it is only digits
        // filter and return the string. No $limit is specified.
        if($type == "int"){
          // First type-check the variable type passed in
          if(gettype($input) == "integer" || gettype($input) == "string"){
            // Use the filter out "+" and "-"
            // then filter FILTER_SANITIZE_NUMBER_INT
            $input_filtered = str_replace(array("+", "-"), "", $input);
            $input_filtered = filter_var($input_filtered, FILTER_SANITIZE_NUMBER_INT);
            if($input_filtered == $input) return $input;
            else return array(NULL, "non_int");
          }else return array(NULL, "type_error");

        // If filter type is string_alphanumeric_length filter $input and return only string.
        // $limit is specified and string must be alphanumeric
        }elseif($type == "bool"){
          if(gettype($input) == "string"){
            if($input == "1" || $input == "0") return $input;
            else return array(NULL, "non_bool");
          }elseif(gettype($input) == "integer"){
            if($input == 1 || $input == 0) return $input;
            else return array(NULL, "non_bool");
          }else return array(NULL, "type_error");

        // If filter type is string_alphanumeric_length filter $input and return only string.
        // $limit is specified and string must be alphanumeric
        }elseif($type == "string_alphanumeric_length"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // validate the string is only alpha characters and returns false if it fails.
            if($input != preg_replace("#[^A-Za-z0-9 ]#", '', $input)) return array($input, "non_alphanumeric");
            // validate $input as being within $limit values
            if(strlen($input) >= $limit[0] && strlen($input) <= $limit[1]) return $input;
            else return array("error", "invalid_length", $input);
          }else return array(NULL, "type_error");

        // `int_length` expects $limit as an array of int.  These int are used to
        // validate $input is an int and is within the expected length range.
        }elseif($type == "string_alphanumeric"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // Only alphanumeric values allowed. return the preg_replace value
            $input_filtered = preg_replace("#[^A-Za-z0-9 ]#", '', $input);
            // If the values match perfectly, then return, else return array with
            // error message
            if($input_filtered == $input) return $input;
            else return array(NULL, "non_alphanumeric");
          }else return array(NULL, "type_error");

        // Sanitize url using FILTER_SANITIZE_URL
        }elseif($type == "url"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            if($input == "" && $limit) return $input;
            else{
              // Filter the url and check if still same.  If not, then return NULL
              $input_filtered = filter_var($input, FILTER_SANITIZE_URL);
              if(!$input_filtered == $input) return array("error", "invalid_url_char", $input);
              elseif(!preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i",$input))
                return array(NULL, "invalid_url_syntax");
              else return $input;
            }
          }else return array(NULL, "type_error");

        // Checks if valid youtube url, then returns only the watch code
        }elseif($type == "youtube_url"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // If the input is empty
            if($input == "") return $input;
            // If a url has been submitted
            else{
              // Filter the url and check if still same.  If not, then return NULL
              $input_filtered = filter_var($input, FILTER_SANITIZE_URL);
              if(!$input_filtered == $input) return array("error", "invalid_url_char", $input);
              elseif(!preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i",$input)) return array(NULL, "invalid_url_syntax");
              // URL is valid return only watch code.
              else{
                $temp_array = [];
                parse_str(parse_url($input, PHP_URL_QUERY), $temp_array);
                $input = $temp_array['v'];
                // Check if the url is youtube.com or youtu.be and remove
                //if(strpos($input, ".com") !== false) $input = explode(".com",$input)[1];
                //elseif(strpos($input, ".be") !== false) $input = explode(".be",$input)[1];
                // If `/watch` and/or `?` is in the url then remove it
                //if(strpos($input, "/watch") !== false) $input = str_replace("/watch", "", $input);
                //if(strpos($input, "?") !== false) $input = str_replace("?", "", $input);
                // Convert the remaining part of the string into array of Variables
                //$temp_array = [];
                //print "First: ".$input;
                //parse_str($input, $temp_array);
                // Extract the `v` value from the array
                //$input = $temp_array['v'];
                //var_dump($temp_array);
                //print "Final: ".$input;
                // Return the video ID
                return $input;
              }
            }
          }else return array(NULL, "type_error");

        // Check username is only characters and numbers within size requirements
        }elseif($type == "username"){

          // Require the login_config.php file to validate accoring to config
          require_once "recipe_book/pancake_recipes/login_config.php";

          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // TODO: Check if non-english letters should be allowed for username
            // and how to change filter.
            // If non-accepted chars have been filtered, then return with
            if($input != preg_replace("#[^A-Za-z0-9_@.]#", '', $input)) return array("error", "username_invalid_characters", $input);
            // If all chars ok, then check length
            elseif(strlen($input) > MAX_USER_NAME_LENGTH) return array("error", "username_length_too_long", $input);
            elseif(strlen($input) < MIN_USER_NAME_LENGTH) return array("error", "username_length_too_short", $input);
            // If no problems return $input
            else return $input;
          }else return array(NULL, "type_error");

        // check for valid email address using known length limits and FILTER_SANITIZE_EMAIL
        }elseif($type == "email"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            if($input == "" && $limit) return $input;
            else{
              // First check the length of the email address
              if(strlen($input) > 254) return array("error", "invalid_email_length");
              // Finally check $input against valid email syntax
              if(filter_var($input, FILTER_VALIDATE_EMAIL)) return $input;
              else return array("error", "invalid_email_syntax", $input);
            }
          }else return array(NULL, "type_error");

        // check for valid password.  Specifications for passwords are included in
        // the recipe_book/login_config.php file and specify length limits
        // as well as password characters required.
        // types are:
        // "none" : no special requirements but special character list is accepted
        // "alphanumeric" : must have only numbers and letters
        // "special_chars" : must include at least one allowed special character
        }elseif($type == "password"){

          // Require the login_config.php file to validate accoring to config
          require_once "recipe_book/pancake_recipes/login_config.php";

          // First type-check the variable type passed in
          if(gettype($input) == "string"){

            // Filter passwor for length limits in login_cofig.php
            if(strlen($input) > MAX_PASSWORD_LENGTH) return array("error", "password_length_too_long", $input);
            elseif(strlen($input) < MIN_PASSWORD_LENGTH) return array("error", "password_length_too_short", $input);

            // Filter password for having invalid characters in it.
            // TODO: REGEX needs to be checked.
            if(REQUIRE_PASSWORD_TYPE == "none"){
              return $input;
            }elseif(REQUIRE_PASSWORD_TYPE == "alphanumeric"){
              if($input != preg_replace("#[^A-Za-z0-9 ]#", '', $input)) return array("error", "password_not_alphanumeric", $input);
              else return $input;
            }elseif(REQUIRE_PASSWORD_TYPE == "special_chars"){
              // Build string for regex with spcial chars from ALLOWED_PASSWORD_SPECIAL_CHARACTERS
              $regex_char_string = "#[^A-Za-z0-9";
              foreach(ALLOWED_PASSWORD_SPECIAL_CHARACTERS as $char) $regex_char_string .= "\\".$char;
              $regex_char_string .= ']#';
              //print "Regex char_string: ".$regex_char_string;
              // Put password into container to check if filter changes anything
              // If non-accepted chars have been filtered, then return with error message
              if($input != preg_replace($regex_char_string, '', $input)) return array("error", "password_invalid_characters", $input);
              // TODO: check to make sure that ther is at least one special character in the password
              // elseif();
              // If no problems return $input
              else return $input;
            }
          }else return array(NULL, "type_error");

        // `none` are only valied when the $value is empty string.
        // if not empty string, assume user has maliciously enjected data
        }elseif($type == "none"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            if(strlen($input) == 0) return $input;
            else return NULL;
          }

        // `string_list` expects $limit as an array of string values.
        // if $input is in the list of values, `true` is returned, else `false`.
        // failure assumes user has maliciously injected data.
        }elseif($type == "string_list"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            if(!in_array($input, $limit)){
              return NULL;
            }else return $input;
          }else return array(NULL, "type_error");

        // `string_length` expects $limit as an array of ints.  These int are used
        // to validate $input is within the expected legnth range.  Since maxlength
        // is used on the HTML page, failure assumes user has maliciously injected data.
        }elseif($type == "string_length"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // Next check that min and max value are valid in $input
            if(strlen($input) >= $limit[0] && strlen($input) <= $limit[1]) return $input;
            else return substr($input,0,$limit[1]);
          }else return array(NULL, "type_error");

        // `int_length` expects $limit as an array of int.  These int are used to
        // validate $input is an int and is within the expected length range.
        }elseif($type == "int_length"){
          // First type-check the variable type passed in
          if(gettype($input) == "integer" || gettype($input) == "string"){
            // Use the filter out "+" and "-"
            // then filter FILTER_SANITIZE_NUMBER_INT
            $input_filtered = str_replace(array("+", "-"), "", $input);
            $input_filtered = filter_var($input_filtered, FILTER_SANITIZE_NUMBER_INT);
            // If it was not only numbers then return with message
            if(!$input_filtered == $input) return array(NULL, "non_int");
            // Check int for beign too long or to short by number of digits
            elseif(mb_strlen($input) >= $limit[0] && mb_strlen($input) <= $limit[1]) return $input;
            else return array("error", "invalid_length", $input);
          }else return array(NULL, "type_error");

        // `int_range` expects $limit to be an array of int.  These int are used to
        // validate the $input is an int between the specific values of $limit
        }elseif($type == "int_range"){
          // First type-check the variable type passed in
          if(gettype($input) == "integer" || gettype($input) == "string"){
            if(!ctype_digit($input)) return array(NULL, "type_error");
            // validate that $input is between the min and max values sent in $limit array.
            elseif(!filter_var($input, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$limit[0], "max_range"=>$limit[1])))) return array(NULL, "range_error");
            else return $input;
          }else return array(NULL, "type_error");

        // `string_comment` expects $limit to be an array of int.  These int are used to
        // validate the $input's length is within range.  `string_comment` also requires
        // having html entitiles escapted for the database.
        }elseif($type == "string_html"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // Escape the html entities that are int string

            // Check int for beign too long or to short by number of characters
            if(strlen($input) > $input[1]) return array("error", "invalid_length", $input);
            elseif(strlen($input) < $input[0]) return array("error", "invalid_length", $input);
          }else return array(NULL, "type_error");

        // `string_tags` expects $limit to be an array of int.  These int are used to
        // validate the $input's length is within range.  `string_tags` also requires
        // having html entitiles escapted for the database and code tags may be present.
        // the use of htmlpurifier for tag whitelist and sanitization filter.
        // TODO:
        }elseif($type == "string_tags"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // Escape the html entities that are int string

            // Check int for beign too long or to short by number of characters
            if(strlen($input) > $input[1]) return array("error", "invalid_length", $input);
            elseif(strlen($input) < $input[0]) return array("error", "invalid_length", $input);
          }else return array(NULL, "type_error");

      // validate the input of a date string.  The value must be YYYY-MM-DD.
      // $limit is boolean to allow empty string or not.
      }elseif($type == "date"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // Regex the check for proper date format
            if($input == "" && $limit == false) return array("error", "empty_not_allowed", "");
            elseif($input == "" && $limit == false) return $input;
            else{
              $regex_char_string = "#[0-9]{4}-[0-9]{2}-[0-9]{2}#";
              if(preg_match($regex_char_string, $input)) return $input;
              else return array("error", "invalid_date_format", $input);
            }
          }else return array(NULL, "type_error");

      // validate the input of a datetime string.  The value must be 'YYYY-MM-DD h:m:s'
      }elseif($type == "datetime"){
          // First type-check the variable type passed in
          if(gettype($input) == "string"){
            // Regex the check for proper date format
            if($input == "" && $limit == false) return array("error", "empty_not_allowed", "");
            else{
              $regex_char_string = "#[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{1,2}:[0-9]{2}:[0-9]{2}#";
              if(preg_match($regex_char_string, $input)) return $input;
              else return array("error", "invalid_datetime_format", $input);
            }
          }else return array(NULL, "type_error");

      }
    }

    /**
     * checks get line input validation and modifies the $_GET array
     */
    public function sanitizeGetInput()
    {
        //print "<br>GET Data: ";
        //var_dump($_GET);
        //print "<br><br>";

        //loop through each get and validate or reject the get key/value pair
        foreach($_GET as $key => $value){
            // set a flag to determine if the $_GET key was found or not
            $get_key_found = false;
            // NOTE: This is set to allow $GET values for foriegn keys
            $get_value_valid = true;
            // find the validation requirements from the constant ALLOWED_GET_PAIRS
            // this file is found in recipe_book/pancake_recipes/anitizer_allowed_values.php
            foreach(ALLOWED_GET_PAIRS as $get_pair){
              // if the $key is found then it has been validated
              // $get_pair[0] = expected key, $get_pair[1] = type of validation, $get_pair[2] = limits
              if($get_pair[0] === $key){
                // set the found flag to `true`
                $get_key_found = true;
                // sets the limit to be passed to the function as NULL if none exists.
                // `none` is the only type of validation that does not require a value
                if($get_pair[1] == 'none') $get_pair[2] = NULL;
                // pass `value`, `type`, and 'limit` into into validateInput function for validation
                // returns `true` if valid and `false` if rejected
                $get_value_valid = $this->validateInput($value, $get_pair[1], $get_pair[2]);
                // Break the foreach since get value was found
                break;
              }
            }
            // Check that the value passed validation
            // NOTE: This is allowing foreign $GET keys.
            if(!$get_value_valid){
                // Raise Pancakes exception and log invalid $_GET data found.
                trigger_error("Pancake Sanitizer Notice: Malformed _GET input was found: ".$key."=".$value.". Request Routed to Error 500." , E_USER_ERROR);
                // Unset $_GET value
                unset($_GET);
                // Log the violation in system database
                // Include the class to log the error
                require_once "utensils/pancake_utensils/classes/AccessSecurity.php";
                // Call the function to
                AccessSecurity::logPageLoadViolation($system_db_connection, $server_data_array, "GET_INJECTION");
                // return get data array
                return false;

            }else{
                // Append the item onto the get_data_array
                $_GET += [$key => $value];
            }
        }
        // Unset the $_GET data
        unset($_GET);
        // Return the sanitized $_GET array to store in new array
        return $_GET;

    }

    /**
     * Checks post data for sanity and modifies the $_POST array
     */
    public function sanitizePostInput()
    {
        // Define an array to store all validated $_POST key/values
        $post_data = array();
        // Loop through each $_GET parameters (keys).
        // Upon finding a match look for matching ALLOWED_POST_PAIRS
        // item to validate all submitted $_POST
        // parameters.
        foreach($_GET as $key => $value){
          // Check each ALLOWED_POST_PAIRS to find matching key
          foreach(ALLOWED_POST_PAIRS as $post_pair){
            // If the $_GET parameter matches an ALLOWED_POST_PAIRS item
            if($post_pair[0] === $key){
              // Extract the array of allowed post values
              // from the item
              $allowed_post_pairs = $post_pair[1];
              // Since the pair has been found, break loop
              break;
            }
          }
        }

        // Loop through each $_POST and validate/sanitize.
        // Add errors to array if malformed data is found
        // eg. password that is too short/long.
        foreach($_POST as $key => $value){
          // Set a flag to determine if the $_POST parameter was found or not
          $post_key_found = false;
          // Find the validation requirements from the constant ALLOWED_POST_PAIRS
          foreach($allowed_post_pairs as $post_pair){
            // If the $key is found then it has been validated
            if($post_pair[0] == $key){
              // Set the found flag to `true`
              // to note the $_POST parameter is allowed
              $post_key_found = true;
              // Sets the limit to be passed to the function as NULL if none exists.
              // This especially for parameters that are not allowed to have a value.
              if(!isset($post_pair[2])) $post_pair[2] = NULL;
              // Check if the type allows arrays to be passed
              // This allows $_POST values that are arrays if
              // specified by the `array_string_list` type which
              if(substr($post_pair[1],0,6) == "array_"){
                // Check if value is actually an array as expected
                if(is_array($value)){
                  // Remove the substring of array off the front of type
                  // The type will then be evaluated by the remaining string
                  // as a type indicator for the sanization process
                  $post_pair[1] = substr($post_pair[1], 6);
                  // Create a temporary array to hold the
                  // parameter array items
                  $temp_post_array = [];
                  // Create variable to check if any single item fail
                  $item_failed = False;
                  // Loop through each value in the array
                  foreach($value as $item){
                    // Check if the item is valid
                    $post_item_valid = $this->sanitizeInput($post_pair[1], $item, $post_pair[2], $system_db_connection);
                    // If the $post_item is valid then append to the temp array
                    if(!is_array($post_item_valid) && !is_null($post_item_valid[0])){
                      // Push the value onto the temp array
                      array_push($temp_post_array, $post_item_valid);
                    // If one of the values failed then break
                    }else{
                      $item_failed = True;
                      break;
                    }
                  }
                  // Finally check that all passed and append
                  // temp array to the $post_item_valid
                  if($item_failed == True) break;
                  else{
                    $post_item_valid = $temp_post_array;
                  }

                // If expecting array and not then failed
                }else $post_item_valid = array(NULL, "type_error");
                // Break the foreach since key was found
                break;
              }else{
                // Sanitize $_POST value according to $post_pair match.
                // Rewrite $_POST array with changes to the data and set flags.
                // If returned value is false, then data violated rules
                $post_item_valid = $this->sanitizeInput($post_pair[1], $value, $post_pair[2], $system_db_connection);
                // Break the foreach since key was found
                break;
              }

            // Else if the $post_pair[0] is a wildcard type
            // This type accepts integers as parameter
            // and evaluates values as the specified type
            }elseif($post_pair[0] == "#" && is_numeric($key)){
              // Set the found flag to `true`
              $post_key_found = true;
              // Sets the limit to be passed to the function as NULL if none exists.
              // This especially for parameters that are not allowed to have a value.
              if(!isset($post_pair[2])) $post_pair[2] = NULL;
              // If returned value is false, then data violated rules
              $post_item_valid = $this->sanitizeInput($post_pair[1], $value, $post_pair[2], $system_db_connection);
              // Break the foreach since key was found
              break;

            // Else if the $post_pair[0] is a wildcard
            // this type accepts integers separated by dash as parameter
            // and evaluates values as the specified type
            }elseif($post_pair[0] == "#-#"){
              // Split $key into an array by "-" character
              $key_array = explode("-", $key);
              // Need to check the $key is valid
              if(is_numeric($key_array[0]) && is_numeric($key_array[1])){
                // Set the found flag to `true`
                $post_key_found = true;
                // Sets the limit to be passed to the function as NULL if none exists.
                if(!isset($post_pair[2])) $post_pair[2] = NULL;
                // If returned value is false, then data violated rules
                $post_item_valid = $this->sanitizeInput($post_pair[1], $value, $post_pair[2], $system_db_connection);
                // Break the foreach since key was found
                break;
              }
            }
          }

          // ALL VALUES HAVE BEEN SANITIZED
          // Check that the parameter and value both passed validation
          // If the data failed sanitization to the degreen that the request
          // should be dropped
          if(!$post_key_found || (gettype($post_item_valid) == "array" && is_null($post_item_valid[0]))){
              // Unset the $_POST variable
              unset($_POST);
              return false;
          // If the $_POST['key'] is returned as "error"
          // The sanitization was returned with errors
          }elseif(gettype($post_item_valid) == "array" && $post_item_valid[0] == "error"){
            // Create "error" in $_POST if not exist already and append the error.
            if(!isset($_POST['errors'])) $_POST['errors'] = array($post_item_valid[1]);
            // Append another error onto $_POST
            else array_push($_POST['errors'], $post_item_valid[1]);
            // If the value was passed back, then append
            if(isset($post_item_valid[2])) $_POST += [$key => $post_item_valid[2]];

          // If the data passed sanitization
          }else{
              // Append the item onto the post_data_array
              $post_data += [$key => $post_item_valid];
          }
        }
        // Unset $_POST global array
        unset($_POST);
        // Return the santized data
        return $post_data;
    }

}

?>

A very minimal index.php file here is included that requires the controller file. All the files specified can be put into the same directory and access the index.php file.

<?php

// Init sanitizer controller
require_once "sanitizer_controller.php";

?>

If you want to run some test data through this sanitizer, you can do that by modifying the sanitizer_controller.php as below, and download the sample test data.

Leave a comment Cancel reply