Tema: es correcto hacer este tipo de limpieza??
Ver Mensaje Individual
  #6 (permalink)  
Antiguo 21/10/2011, 08:58
Avatar de timoteo666
timoteo666
 
Fecha de Ingreso: agosto-2011
Ubicación: /home/Gdl
Mensajes: 242
Antigüedad: 13 años, 5 meses
Puntos: 11
Respuesta: es correcto hacer este tipo de limpieza??
Excelente recurso muchas gracias

Cita:
Iniciado por marcofbb Ver Mensaje
Yo lo que hago es automaticamente sacarle a todos los $_POST y demas variables. Como lo hace smf.

Te dejo el codigo:
Código PHP: 
Ver original
  1. <?php
  2. /**********************************************************************************
  3. * QueryString.php                                                                 *
  4. ***********************************************************************************/
  5.  
  6. // Clean the request variables - add html entities to GET and slashes if magic_quotes_gpc is Off.
  7. function cleanRequest()
  8. {
  9.     //global $board, $topic, $boardurl, $scripturl, $modSettings, $smcFunc;
  10.     global $msCore;
  11.  
  12.     // Makes it easier to refer to things this way.
  13.     $scripturl = $msCore->settings['w_url'] . '/index.php';
  14.  
  15.     // What function to use to reverse magic quotes - if sybase is on we assume that the database sensibly has the right unescape function!
  16.     $removeMagicQuoteFunction = @ini_get('magic_quotes_sybase') || strtolower(@ini_get('magic_quotes_sybase')) == 'on' ? 'unescapestring__recursive' : 'stripslashes__recursive';
  17.  
  18.     // Save some memory.. (since we don't use these anyway.)
  19.     unset($GLOBALS['HTTP_POST_VARS'], $GLOBALS['HTTP_POST_VARS']);
  20.     unset($GLOBALS['HTTP_POST_FILES'], $GLOBALS['HTTP_POST_FILES']);
  21.  
  22.     // These keys shouldn't be set...ever.
  23.     if (isset($_REQUEST['GLOBALS']) || isset($_COOKIE['GLOBALS']))
  24.         die('Invalid request variable.');
  25.  
  26.     // Same goes for numeric keys.
  27.     foreach (array_merge(array_keys($_POST), array_keys($_GET), array_keys($_FILES)) as $key)
  28.         if (is_numeric($key))
  29.             die('Numeric request keys are invalid.');
  30.  
  31.     // Numeric keys in cookies are less of a problem. Just unset those.
  32.     foreach ($_COOKIE as $key => $value)
  33.         if (is_numeric($key))
  34.             unset($_COOKIE[$key]);
  35.  
  36.     // Get the correct query string.  It may be in an environment variable...
  37.     if (!isset($_SERVER['QUERY_STRING']))
  38.         $_SERVER['QUERY_STRING'] = getenv('QUERY_STRING');
  39.  
  40.     // It seems that sticking a URL after the query string is mighty common, well, it's evil - don't.
  41.     if (strpos($_SERVER['QUERY_STRING'], 'http') === 0)
  42.     {
  43.         header('HTTP/1.1 400 Bad Request');
  44.         die;
  45.     }
  46.  
  47.     // If magic quotes is on we have some work...
  48.     if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc() != 0)
  49.     {
  50.         $_ENV = $removeMagicQuoteFunction($_ENV);
  51.         $_POST = $removeMagicQuoteFunction($_POST);
  52.         $_COOKIE = $removeMagicQuoteFunction($_COOKIE);
  53.         foreach ($_FILES as $k => $dummy)
  54.             if (isset($_FILES[$k]['name']))
  55.                 $_FILES[$k]['name'] = $removeMagicQuoteFunction($_FILES[$k]['name']);
  56.     }
  57.  
  58.     // Add entities to GET.  This is kinda like the slashes on everything else.
  59.     $_GET = htmlspecialchars__recursive($_GET);
  60.     $_POST = htmlspecialchars__recursive($_POST);
  61.     $_COOKIE = htmlspecialchars__recursive($_COOKIE);
  62.  
  63.     // Let's not depend on the ini settings... why even have COOKIE in there, anyway?
  64.     $_REQUEST = $_POST + $_GET;
  65.  
  66. }
  67.  
  68. // Adds slashes to the array/variable.  Uses two underscores to guard against overloading.
  69. function escapestring__recursive($var)
  70. {
  71.     global $smcFunc;
  72.  
  73.     if (!is_array($var))
  74.         return addslashes($var);
  75.  
  76.     // Reindex the array with slashes.
  77.     $new_var = array();
  78.  
  79.     // Add slashes to every element, even the indexes!
  80.     foreach ($var as $k => $v)
  81.         $new_var[addslashes($k)] = escapestring__recursive($v);
  82.  
  83.     return $new_var;
  84. }
  85.  
  86. // Adds html entities to the array/variable.  Uses two underscores to guard against overloading.
  87. function htmlspecialchars__recursive($var, $level = 0)
  88. {
  89.  
  90.     if (!is_array($var))
  91.         return htmlspecialchars($var, ENT_QUOTES);
  92.  
  93.     // Add the htmlspecialchars to every element.
  94.     foreach ($var as $k => $v)
  95.         $var[$k] = $level > 25 ? null : htmlspecialchars__recursive($v, $level + 1);
  96.  
  97.     return $var;
  98. }
  99.  
  100. // Unescapes any array or variable.  Two underscores for the normal reason.
  101. function unescapestring__recursive($var)
  102. {
  103.  
  104.     if (!is_array($var))
  105.         return stripslashes($var);
  106.  
  107.     // Reindex the array without slashes, this time.
  108.     $new_var = array();
  109.  
  110.     // Strip the slashes from every element.
  111.     foreach ($var as $k => $v)
  112.         $new_var[stripslashes($k)] = unescapestring__recursive($v);
  113.  
  114.     return $new_var;
  115. }
  116.  
  117. // Remove slashes recursively...
  118. function stripslashes__recursive($var, $level = 0)
  119. {
  120.     if (!is_array($var))
  121.         return stripslashes($var);
  122.  
  123.     // Reindex the array without slashes, this time.
  124.     $new_var = array();
  125.  
  126.     // Strip the slashes from every element.
  127.     foreach ($var as $k => $v)
  128.         $new_var[stripslashes($k)] = $level > 25 ? null : stripslashes__recursive($v, $level + 1);
  129.  
  130.     return $new_var;
  131. }
  132.  
  133. ?>

Y para pasarlo a la base de datos le agrego mysql_escape_string


Saludos
__________________
( + ) lineas de código ( - ) televisión