• Sanitizing variables to avoid xss cross site scripting using php

    Once of the biggest considerations when hosting a website is security, this applies to both hosting your own website and also hosting your web site with a hosting company.

    One of the biggest headaches for companies is XSS (or Cross Site Scripting) which involves hackers injecting malicious code into form inputs and file uploads.

    One of the ways of doing this is encode and escape all your variables before they are sent to your database layer.

    Recently I have written a function that streamlines and handles all this processing for the developer.

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    179
    180
    181
    182
    183
    184
    185
    186
    187
    188
    189
    190
    191
    192
    193
    194
    195
    196
    197
    198
    199
    200
    201
    202
    203
    204
    205
    206
    207
    208
    209
    210
    211
    212
    213
    214
    215
    216
    217
    218
    219
    220
    221
    222
    223
    224
    225
    226
    227
    228
    229
    230
    231
    232
    233
    234
    235
    236
    237
    238
    239
    240
    241
    242
    243
    244
    245
    246
    247
    248
    249
    250
    251
    252
    253
    254
    255
    256
    257
    258
    259
    260
    261
    262
    263
    264
    265
    266
    267
    268
    269
    270
    271
    272
    273
    274
    275
    276
    277
    278
    279
    280
    281
    282
    283
    284
    285
    286
    287
    288
    289
    290
    291
    292
    293
    294
    295
    296
    297
    298
    299
    300
    301
    302
    303
    304
    305
    306
    
    /**
     * ValidateVariable()
     *
     * method retrieve and sanatize variable requests
     *
     * @author                    Neil Young neil.young@neilyoungcv.com
     *
     * EXAMPLE USAGE:
     *
     * $customerId = ValidateVariable('my_variable', 'int', 'request');
     *
     * @param string                $index
     * @param int                    $type
     * @param string                $gpcs
     */
     
    function ValidateVariable($index, $type = 'int' , $gpcs = 'request')
    {
        //convert the type identifier to uppercase
        $type = strtoupper($type);
        //get the default value
        $value = ($type === 'INT' || $type === 'BOOLEAN') ? 0 : '';    //    default if nothing set
        //GPCS - (Get, Post, Cookie, Server)
        //check if we are looking for a files object otherwise uppercase gpcs
        $gpcs = ($type == 'FILES') ? "FILES" : strtoupper($gpcs);
        //determine which gpcs we are running
        switch($gpcs)
        {
            //GET
            case 'GET':
                //determine if the GCPS is set with the appropriate index
                if(isset($_GET[$index]))
                {
                    //determine the value type
                    switch($type)
                    {
                        //integer
                        case 'INT':
                            //get the value of the integer, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (int) htmlentities($_GET[$index], ENT_QUOTES);
                            break;
                        case 'BOOLEAN':
                            //get the value of the boolean, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (htmlentities($_GET[$index], ENT_QUOTES)) ? 1 : 0;
                            break;
                        case 'STRING':
                            //get the value of the string, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (string) htmlentities($_GET[$index], ENT_QUOTES);
                            //trim the string
                            $value = trim($value);
                            break;
                    }
     
                }
     
                break;
            //POST
            case 'POST':
                //determine if the GCPS is set with the appropriate index
                if(isset($_POST[$index]))
                {
                    //determine the value type
                    switch($type)
                    {
                        //integer
                        case 'INT':
                            //get the value of the integer, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (int) htmlentities($_POST[$index], ENT_QUOTES);
                            break;
                        case 'BOOLEAN':
                            //get the value of the boolean, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (htmlentities($_POST[$index], ENT_QUOTES)) ? 1 : 0;
                            break;
                        case 'STRING':
                            //get the value of the string, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (string) htmlentities($_POST[$index], ENT_QUOTES);
                            //trim the string
                            $value = trim($value);
                            break;
                    }
     
                }
                break;
            //REQUEST
            case 'REQUEST':
                //determine if the GCPS is set with the appropriate index
                if(isset($_REQUEST[$index]))
                {
                    //determine the value type
                    switch($type)
                    {
                        //integer
                        case 'INT':
                            //get the value of the integer, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (int) htmlentities($_REQUEST[$index], ENT_QUOTES);
                            break;
                        case 'BOOLEAN':
                            //get the value of the boolean, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (htmlentities($_REQUEST[$index], ENT_QUOTES)) ? 1 : 0;
                            break;
                        case 'STRING':
                            //get the value of the string, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (string) htmlentities($_REQUEST[$index], ENT_QUOTES);
                            //trim the string
                            $value = trim($value);
                            break;
                    }
     
                }
                break;
            //COOKIE
            case 'COOKIE':
                //determine if the GCPS is set with the appropriate index
                if(isset($_COOKIE[$index]))
                {
                    //determine the value type
                    switch($type)
                    {
                        //integer
                        case 'INT':
                            //get the value of the integer, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (int) htmlentities($_COOKIE[$index], ENT_QUOTES);
                            break;
                        case 'BOOLEAN':
                            //get the value of the boolean, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (htmlentities($_COOKIE[$index], ENT_QUOTES)) ? 1 : 0;
                            break;
                        case 'STRING':
                            //get the value of the string, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (string) htmlentities($_COOKIE[$index], ENT_QUOTES);
                            //trim the string
                            $value = trim($value);
                            break;
                    }
     
                }
                break;
            //SERVER
            case 'SERVER':
                //determine if the GCPS is set with the appropriate index
                if(isset($_SERVER[$index]))
                {
                    //get the value of the server index
                    $value = $_SERVER[$index];
                }
                break;
            //SESSION
            case 'SESSION':
                //determine if the GCPS is set with the appropriate index
                if(isset($_SESSION[$index]))
                {
                    //determine the value type
                    switch($type)
                    {
                        //integer
                        case 'INT':
                            //get the value of the integer, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (int) htmlentities($_SESSION[$index], ENT_QUOTES);
                            break;
                        case 'BOOLEAN':
                            //get the value of the boolean, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (htmlentities($_SESSION[$index], ENT_QUOTES)) ? 1 : 0;
                            break;
                        case 'STRING':
                            //get the value of the string, making sure we escape to avoid
                            //any XSS (Cross Site Scripting) attacks
                            $value = (string) htmlentities($_SESSION[$index], ENT_QUOTES);
                            //trim the string
                            $value = trim($value);
                            break;
                    }
     
                }
                break;
            //FILES
            case 'FILES':
                //check to see if the $_FILES array is set.
                if(isset($_FILES[$index]))
                {
                    //check that the user has provided a maximum file size
                    if (!isset($_REQUEST['MAX_FILE_SIZE']))
                    {
                        //return false as we cannot check the size of the file
                        throw new Exception("Please specify a MAX_FILE_SIZE for your upload form");   
     
                    }
                    //check that the user has provided a maximum file size
                    if (!isset($_REQUEST['ALLOWED_FILE_TYPES']))
                    {
                        //return false as we cannot check the size of the file
                        throw new Exception("Please specify an ALLOWED_FILE_TYPES for your upload form");       
     
                    }
                    //get the maximum file size but sanitise the value
                    $maxFileSize = htmlentities($_REQUEST['MAX_FILE_SIZE'], ENT_QUOTES);
                    $allowedFileTypes = htmlentities($_REQUEST['ALLOWED_FILE_TYPES'], ENT_QUOTES);
                    //get the allowed file types
                    $validFileTypes = explode(',', $allowedFileTypes);
                    //we count how many files have been uploaded
                    $fileCount = count($_FILES[$index]['tmp_name']);
                    //if we only have one file
                    if ($fileCount == 1)
                    {
                        //first we determine if the file has been uploaded via http post
                        if (!is_uploaded_file($_FILES[$index]['tmp_name']))
                        {
                            //return false as file was not posted
                            throw new Exception("A valid file upload was not found");   
     
                        }
                        //next we check that the size is what we are expecting
                        else if ($_FILES[$index]['size'] >= $maxFileSize)
                        {
                            //return false as there is a file that is greater than the maximum size
                            throw new Exception("The size of your file exceeds the maximum file size of " . round($_FILES[$index]['size'] / $maxFileSize, 2) . " MB");
     
                        }
                        //file does not exist
                        else if (!file_exists($_FILES[$index]['tmp_name']))
                        {
                            //the file does not exist so cannot be referenced
                            throw new Exception("A file was not found on upload");
     
                        }
                        else if (!in_array($_FILES[$index]['type'], $validFileTypes))
                        {
                            //the file does not exist so cannot be referenced
                            throw new Exception("An invalid file type was found, valid file types are " . implode(", ", $validFileTypes));
     
                        }
                        else if($_FILES[$index]['error'] != UPLOAD_ERR_OK)
                        {
                            //there was a problem uploading the image
                            throw new Exception("There was an error whilst uploading your file");   
     
                        }
     
                    }
                    else
                    {
                        //initialise counter
                        //loop through each file
                        for($i = 0; $i <= ($fileCount-1); $i++)
                        {
     
                            //first we determine if the file has been uploaded via http post
                            if (!is_uploaded_file($_FILES[$index]['tmp_name'][$i]))
                            {
                                //return false as file was not posted
                                throw new Exception("A valid file upload was not found");   
     
                            }
     
                            //next we check that the size is what we are expecting
                            if ((int)$_FILES[$index]['size'][$i] > (int)$maxFileSize)
                            {
                                //return false as there is a file that is greater than the maximum size
                                throw new Exception("The size of your file exceeds the maximum file size of " . round($_FILES[$index]['size'] / $maxFileSize, 2) . " MB");
     
                            }
                            else if (!file_exists($_FILES[$index]['tmp_name'][$i]))
                            {
                                //the file does not exist so cannot be referenced
                                throw new Exception("A file was not found on upload");
     
                            }
                            else if (!in_array($_FILES[$index]['type'][$i], $validFileTypes))
                            {
                                //the file does not exist so cannot be referenced
                                throw new Exception("An invalid file type was found, valid file types are " . implode(", ", $validFileTypes));
     
                            }
                            else if($_FILES[$index]['error'][$i] != UPLOAD_ERR_OK)
                            {
                                //there was a problem uploading the image
                                throw new Exception("There was an error whilst uploading your file");   
     
                            }
     
                        }
     
                    }
     
                    //files have been posted and are not larger than the maximum file size
                    return $_FILES;   
     
                }
                break;
            }
            //return the sanitized value
            return $value;
    }

Comments on this post

Leave a Reply

  • Security Code :


    five + = 13