PHP: how to massively replace $_POST[...] with strip_tags($_POST[...])

I am currently recovering from an unpleasant XSS attack and understand that I have never processed multiple forms on my site. I used the Notepad++ Find In Files function to search for $_POST in all my PHP files and got almost 5,000 results. Now I really don't want to go and manually add strip_tags to each of these results, but replacing everything will not do the trick ... and I'm a complete noob when it comes to things like regular expressions.

Is there a way to make this a little less tiring?

+5
5 answers

array_map().

$Clean = array_map('strip_tags', $_POST);

$_POST:

$_POST = array_map('strip_tags', $_POST);

, $_POST $Clean .

+18

, , array_walk_recursive :

function custom_strip(&$val, $index) {
   $val = strip_tags($val);
}
array_walk_recursive($_POST, 'custom_strip');

+7

(, safe.php)

foreach ($_POST as $key => $value) {
  // Check the value, not the key: nested arrays are left as-is, strings get strip_tags()
  $_POST[$key] = is_array($value) ? $value : strip_tags($value);
}

require_once("safe.php"); php ( , php )
.. .

+2

. , :

function mystriptag(&$item)
{
    $item = strip_tags($item);
}

// The callback must be passed as a string (or closure), not a bare constant
array_walk($_POST, 'mystriptag');

0

array_map strip_tags $_POST, :

function post_data($name) {
    global $post_cache;
    if (!is_array($post_cache)) {
        $post_cache = array();
    }
    // Look the name up as a key, not as a value (in_array() would search the cached values)
    if (array_key_exists($name, $post_cache)) {
        return $post_cache[$name];
    }
    // Missing fields yield null instead of an undefined-index notice
    $val = isset($_POST[$name]) ? $_POST[$name] : null;
    if (is_string($val)) {
        $val = strip_tags($val);
    } else if (is_array($val)) {
        $val = array_map('strip_tags', $val);
    }
    $post_cache[$name] = $val;
    return $val;
}

(, , , $_POST['foo'] - foo, , ), $_POST , $_POST (unescape, ) , POST, , , POST, HTML-. , , .

In addition, it is better to sanitize the output, rather than the input. For different purposes, different methods will be required, for example, if you use

<div class="user_photo">
   <img src="<?php echo photo_path($user_id) ?>" alt="<?php echo $user_name ?>" />
</div>

then $user_name is an XSS attack vector, but strip_tags does not help at all; you will need htmlspecialchars. If user data is used as a URL, you need another way to protect against javascript: URLs, etc.

0
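An added example (not from any of the answers above) that puts the two ideas together: a recursive strip_tags pass over nested input, which the single-level foreach answer cannot handle, next to the output-side htmlspecialchars escaping that the last answer recommends. The $sample array is a constructed stand-in for $_POST, and strip_tags_recursive() and e() are helper names assumed for this illustration.

```php
<?php
// Constructed sample input standing in for $_POST (not real form data)
$sample = [
    'name'    => 'Alice <b>Smith</b>',
    'profile' => [
        'bio'  => '<script>alert(1)</script>hello',
        'tags' => ['<i>a</i>', 'b'],
    ],
    // Contains no tags at all, so strip_tags() leaves it completely unchanged
    'alt'     => '" onerror="alert(1)',
];

/**
 * Apply strip_tags() to every string inside a nested array.
 * Non-string leaves (ints, nulls) are left alone; array structure is preserved.
 */
function strip_tags_recursive(array $data): array
{
    array_walk_recursive($data, function (&$val) {
        if (is_string($val)) {
            $val = strip_tags($val);
        }
    });
    return $data;
}

/**
 * Escape a value for an HTML text node or a double-quoted attribute.
 * ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE keeps invalid UTF-8 from
 * producing an empty string.
 */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$clean = strip_tags_recursive($sample);

// Tags are removed, but the text between them survives, so the payload text stays
var_dump($clean['profile']['bio']);

// No tags here: input filtering alone does nothing for this attribute context
var_dump($clean['alt']);

// Output escaping is what stops the value from closing the attribute
echo '<img src="photo.jpg" alt="' . e($sample['alt']) . '">', "\n";
```

Run it with `php example.php`; compare the raw var_dump of 'alt' with the escaped attribute in the final line to see which step actually neutralises the quote.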