Are These OK For Cleaning/Checking Forms UK?

Postby WOWDesigns » Mon Jun 23, 2014 4:58 am

Hi

I want to ask the general community if the functions below are good for preventing MySQL injections and for checking and cleaning posted form data. I'm creating them to verify contact details, titles and numbers in the UK.

Code:

// SECURE FORM FUNCTIONS (PHP 5+) ///////////////////////////////////////////////////////////////////////////////////////////////////////////

// CHARACTER SET  +++++++++++++++++++++++
mysql_set_charset('utf8', $dbc);

// TEXTAREA string cleaning function (using TinyMCE or CKEditor) +++++++++++++++++++++++
function textarea_var($textarea_variable) {
   $textarea_variable = mysql_real_escape_string(trim($textarea_variable));
   return stripslashes($textarea_variable);
}

// GENERIC string cleaning function +++++++++++++++++++++++
function generic_var($generic_variable) {
   $generic_variable = mysql_real_escape_string(trim(htmlspecialchars($generic_variable, ENT_QUOTES)));
   return stripslashes($generic_variable);
}

// TITLE string cleaning function +++++++++++++++++++++++
function title_var($title_variable) {
   $title_variable = mysql_real_escape_string(ucwords(strtolower(trim(htmlspecialchars($title_variable, ENT_QUOTES)))));
   return stripslashes($title_variable);
}

// BUSINESS string cleaning function +++++++++++++++++++++++
function bus_var($bus_variable) {
   $bus_clean = mysql_real_escape_string(ucwords(strtolower(trim(htmlspecialchars($bus_variable, ENT_QUOTES)))));
   // Normalise "Ltd", "Ltd." or "Limited" to "Ltd." as a whole word only, so an
   // existing "Ltd." does not become "Ltd.." and a name like "Ltdco" is left alone
   $bus_variable = preg_replace('/\b(?:Limited|Ltd)\b\.?/', 'Ltd.', $bus_clean);
   return stripslashes($bus_variable);
}

// City string cleaning function +++++++++++++++++++++++
function city_var($city_variable) {
   $city_variable = mysql_real_escape_string(ucwords(strtolower(trim(htmlspecialchars($city_variable, ENT_QUOTES)))));
   $city_variable = implode('-', array_map('ucfirst', explode('-', $city_variable)));
   // Joining words are lower-cased only when they follow a space or a hyphen, and only
   // as whole words, so "Stockport", "Byfleet" and "Andover" are left alone
   $words_array    = array("Upon", "Next", "Super", "Over", "By", "The", "With", "Of", "On", "In", "De", "La", "Le", "And");
   $accepted_array = array("upon", "next", "super", "over", "by", "the", "with", "of", "on", "in", "de", "la", "le", "&");
   $patterns = array();
   foreach ($words_array as $word) {
      $patterns[] = '/(?<=[ -])' . $word . '\b/';
   }
   $city_variable = preg_replace($patterns, $accepted_array, $city_variable);
   // "St", "St." and "Saint" become "St." wherever they appear as a whole word
   $city_variable = preg_replace('/\b(?:Saint|St)\b\.?/', 'St.', $city_variable);
   return stripslashes($city_variable);
}

// URL string cleaning function, http version +++++++++++++++++++++++
function url_var_http($http_variable) {
   $lc_link = mysql_real_escape_string(strtolower(trim(filter_var($http_variable, FILTER_SANITIZE_URL))));
   // parse_url() only fills in 'host' when a scheme is present, so add one first
   if (!preg_match("~^(?:f|ht)tps?://~i", $lc_link)) {
      $lc_link = "http://" . $lc_link;
   }
   $ps_link = parse_url($lc_link);
   if ($ps_link === false || empty($ps_link['host'])) {
      return ''; // not a usable URL
   }
   // add www. to the host when it is missing (strpos() returns 0 or false, never true)
   $host = $ps_link['host'];
   if (strpos($host, 'www.') !== 0) {
      $host = 'www.' . $host;
   }
   $path  = isset($ps_link['path'])  ? $ps_link['path'] : '';
   $query = isset($ps_link['query']) ? '?' . $ps_link['query'] : '';
   $http_variable = $ps_link['scheme'] . '://' . $host . $path . $query;
   return stripslashes($http_variable);
}

// URL string cleaning function, www version +++++++++++++++++++++++
function url_var_www($www_variable) {
   $lc_link = mysql_real_escape_string(strtolower(trim(filter_var($www_variable, FILTER_SANITIZE_URL))));
   $http_array = array("https://", "http://", "https:/", "http:/", "https:", "http:", "https", "http");
   // strip a leading scheme only (str_replace() would also remove "http" from inside the URL)
   foreach ($http_array as $d) {
      if (strpos($lc_link, $d) === 0) {
         $lc_link = substr($lc_link, strlen($d));
         break;
      }
   }
   // make sure the result starts with www. (previously a URL with no scheme returned nothing)
   if (strpos($lc_link, 'www.') !== 0) {
      $lc_link = "www." . $lc_link;
   }
   return stripslashes($lc_link);
}

// EMAIL string cleaning function +++++++++++++++++++++++
// RUN this and then pass the result through the check function
function email_var($cl_email) {
   $san_email = mysql_real_escape_string(strtolower(trim(filter_var($cl_email, FILTER_SANITIZE_EMAIL))));
   $cl_email = preg_replace('/\s+/', '', $san_email);
   return stripslashes($cl_email);
}

// EMAIL check function +++++++++++++++++++++++
// Based on Chris Baker's answer on Stack Overflow:
// http://stackoverflow.com/questions/6232846/best-email-validation-function-in-general-and-specific-college-domain
function email_check($email) {
   
   // first, we use the php filter validation
   if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
      return false;
   }
   // next, we check that there's one @ symbol, and that the lengths are right
   if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $email)) {
      // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
      return false;
   }
   // Split it into sections to make life easier
   $email_array = explode("@", $email);
   $local_array = explode(".", $email_array[0]);
   for ($i = 0; $i < sizeof($local_array); $i++) {
      if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/", $local_array[$i])) {
         return false;
      }
   }
   if (!preg_match("/^\[?[0-9\.]+\]?$/", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
      $domain_array = explode(".", $email_array[1]);
      if (sizeof($domain_array) < 2) {
         return false; // Not enough parts to domain
      }
      for ($i = 0; $i < sizeof($domain_array); $i++) {
         if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/", $domain_array[$i])) {
            return false;
         }
      }
   }
   return true;
}

// TELEPHONE string cleaning function and format +44 +++++++++++++++++++++++
// UK version ONLY (based on this guide http://www.area-codes.org.uk/formatting.php)
function tel_var ($number) {
   // first remove all white space and escape the string
   $number = stripslashes(mysql_real_escape_string(trim($number)));
    // http://james.cridland.net/code/format_uk_phonenumbers.html
    // v2: worked on by Olly Benson to make it look better and work faster!
    // v2.1: removal of a bugette
    // v2.2: fix Cumbria numbers: thank you Roger Miller
    // Change the international number format and remove any non-number character
    // (the pattern needs its / delimiters; without them PCRE treats the [ ] as the delimiters)
    $number = preg_replace('/[^0-9]/', '', str_replace("+", "00", $number));
    // Replace a leading 0044 or 44, plus an optional "(0)" after it, with the trunk 0.
    // Anchoring to the start avoids removing a 44 from inside the number (e.g. 01444)
    $number = preg_replace('/^(?:0044|44)0?/', '0', $number);
    // Turn number into array based on Telephone Format
    $numberArray = splitNumber($number, explode(",", getTelephoneFormat($number)));
    // Convert array back into string, split by spaces
    $formattedNumber = implode(" ", $numberArray);
    return $formattedNumber;
}

function getTelephoneFormat($number) {
    // This uses full codes from http://www.area-codes.org.uk/formatting.shtml
    $telephoneFormat = array (
        '02' => "3,4,4",
        '03' => "4,3,4",
        '05' => "3,4,4",
        '0500' => "4,6",
        '07' => "5,6",
        '070' => "3,4,4",
        '076' => "3,4,4",
        '07624' => "5,6",
        '08' => "4,3,4", // some 0800 numbers are 4,6
        '09' => "4,3,4",
        '01' => "5,6", // some 01 numbers are 5,5
        '011' => "4,3,4",
        '0121' => "4,3,4",
        '0131' => "4,3,4",
        '0141' => "4,3,4",
        '0151' => "4,3,4",
        '0161' => "4,3,4",
        '0191' => "4,3,4",
        '013873' => "6,5",
        '015242' => "6,5",
        '015394' => "6,5",
        '015395' => "6,5",
        '015396' => "6,5",
        '016973' => "6,5",
        '016974' => "6,5",
        '016977' => "6,5",
        '0169772' => "6,4",
        '0169773' => "6,4",
        '017683' => "6,5",
        '017684' => "6,5",
        '017687' => "6,5",
        '019467' => "6,5");
   // Sorts into longest key first
   uksort($telephoneFormat, "sortStrLen");
   // If no prefix matches, return the number as one unsplit block instead of
   // whatever $value the loop happened to finish on
   $format = (string) strlen($number);
   foreach ($telephoneFormat AS $key => $value) {
      if (substr($number, 0, strlen($key)) == $key) {
         $format = $value;
         break;
      }
   }
   return $format;
}

function splitNumber($number,$split) {
   $start=0;
   $array = array();
   foreach($split AS $value) {
      $array[] = substr($number,$start,$value);
      $start = $start+$value;
   }
   return $array;
}

function sortStrLen($a, $b) {
   return strlen($b)-strlen($a);
}


I'm still on MySQL 5 and I know some of it will need to be converted to MySQLi at some point. So any help with doing that too?

It will be useful to add these functions to all my clients' config files, ready to run anywhere in the website.

What do you think? Are they over complicated? Can they be simplified? Will they do the job of securing the posted form data?

Cheers
G
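One way to get the injection protection the post is after when moving to MySQLi, as an added example that is not the poster's code: validate each field in PHP and leave the escaping to a prepared statement, so mysql_real_escape_string() and stripslashes() (which undoes the escaping) drop out of the cleaning functions. The $dbc connection, the contacts table and its columns are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes a mysqli connection in $dbc
// (with $dbc->set_charset('utf8') called once after connecting) and a table
// `contacts` with the columns title, email and tel.

// Validate (do not escape) each field; return null when it is unacceptable.
function clean_title($v) {
    $v = ucwords(strtolower(trim($v)));
    return preg_match('/^[A-Za-z .\'-]{1,60}$/', $v) ? $v : null;
}

function clean_email($v) {
    $v = strtolower(trim($v));
    return filter_var($v, FILTER_VALIDATE_EMAIL) ? $v : null;
}

function clean_uk_tel($v) {
    $digits = preg_replace('/\D/', '', str_replace('+', '00', $v));
    $digits = preg_replace('/^(?:0044|44)0?/', '0', $digits);   // +44 (0)20 ... -> 020 ...
    // UK numbers are 10 or 11 digits including the trunk 0
    return preg_match('/^0[1-9][0-9]{8,9}$/', $digits) ? $digits : null;
}

function save_contact(mysqli $dbc, array $post) {
    $title = clean_title($post['title']);
    $email = clean_email($post['email']);
    $tel   = clean_uk_tel($post['tel']);
    if ($title === null || $email === null || $tel === null) {
        return false;                       // reject bad input rather than "fixing" it
    }
    // The placeholders carry the values separately from the SQL text, so a quote
    // or comment sequence in $post cannot change the statement.
    $stmt = $dbc->prepare('INSERT INTO contacts (title, email, tel) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $title, $email, $tel);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// HTML-escape at output time only, not before storing, so the database keeps the real value.
function show($v) {
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}
```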
