Login   Register  
PHP Classes
elePHPant
Icontem

File: README.txt

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us
  Classes of Nilesh Dosooye  >  requestUtils  >  README.txt  >  Download  
File: README.txt
Role: Documentation
Content type: text/plain
Description: Documentation and Class Usage
Class: requestUtils
Retrieve and sanitize user submitted request data
Author: By
Last change:
Date: 10 years ago
Size: 3,231 bytes
 

Contents

Class file image Download
This class is used througout the PCG Framework to get all data from Form. 

Code Generated from phpCodeGenie (PCG) automatically uses the RequestUtils
to get all user Data from form.

For more information, check the phpCodeGenie webpage on Sourceforge 

http://phpcodegenie.sourceforge.net/

Extract taken from the PCG Framework OverView Manual about Request Utils

Dealing with User Input using requestUtils

User input in a web application is done via HTML forms. 

PHP provides the $_POST, $_GET and $_REQUEST global variables to retrieve data from html forms 
directly.

Retrieving the data directly from these global variables could cause a security threat in your 
application though.

One can never trust user input. There can be malicious users trying to do Cross Site Scripting (XSS) 
or SQL injections hack by messing with the data. Therefore, one need to be parse the data and make
sure it is safe before passing it to your application. An example of an XSS attack would be :

e.g Let say you have a text field element, which you allow user to input data and then your display
the input data, the user could put something like

  <script> (for ;;) { alert(‘hacked’); </script> 
  
in the input text and on displaying the input data, your page would go in a infinite loop asking
the user to press on a javascript alert box forever.


Another common problem with user input is magic_quotes is turned on or off. 
When magic_quotes is turned on in your php, some characters are automatically escaped. 
While you might have it enabled on your server, you are not sure that all servers you 
are going to deploy your application to, will have the same settings. So you need to 
make sure that, you check for whether its enabled or not on the server that your application
runs on and escape your user data accordingly. It would be a big hassle to check for 
whether magic quotes is on or off each time you get a a user input. 

PCG solves these two above problems by using the requestUtils class to get form elements. 
By using a separate class to do the form retrieval, it puts that action in one central place
and easy to change. So in that class, you can add whatever sanity check you need to make. 
Currently, the requestUtils::getRequestObject($elementName) method ltrim and rtrim your input 
data, strip the html tags (this setting is configurable in applicationConstants.inc.php, 
by setting the ALLOW_HTML_TAGS_IN_POST_GET_REQUESTS constant to true or false) and if 
magic_quotes is not enabled, addslashes to the data before returning to the client.
 
 
Usage example

Let’s say you have a form

HTML FORM
<FORM NAME=”nileshForm” METHOD=”POST” ACTION=”test.php”>
UserInput : <input type=”text” name=”userInput” value=””>
</FORM>

Instead of using <? $thisUserInput = $_POST[‘userInput’]; ?> to get that form element, we will use the code below. It will perform the same action as using the $_POST, but it will also do sanity check on the data input by user. You can add your own additional sanity checks to the getRequestObject method if you need to in one central place.

PHP SCRIPT
<?
	$thisUserInput = requestUtils::getRequestObject('userInput');
?>