PHP Classes

File: README.txt

Recommend this page to a friend!
  Classes of Nilesh Dosooye   requestUtils   README.txt   Download  
File: README.txt
Role: Documentation
Content type: text/plain
Description: Documentation and Class Usage
Class: requestUtils
Retrieve and sanitize user submitted request data
Author: By
Last change:
Date: 19 years ago
Size: 3,231 bytes


Class file image Download
This class is used througout the PCG Framework to get all data from Form. Code Generated from phpCodeGenie (PCG) automatically uses the RequestUtils to get all user Data from form. For more information, check the phpCodeGenie webpage on Sourceforge Extract taken from the PCG Framework OverView Manual about Request Utils Dealing with User Input using requestUtils User input in a web application is done via HTML forms. PHP provides the $_POST, $_GET and $_REQUEST global variables to retrieve data from html forms directly. Retrieving the data directly from these global variables could cause a security threat in your application though. One can never trust user input. There can be malicious users trying to do Cross Site Scripting (XSS) or SQL injections hack by messing with the data. Therefore, one need to be parse the data and make sure it is safe before passing it to your application. An example of an XSS attack would be : e.g Let say you have a text field element, which you allow user to input data and then your display the input data, the user could put something like <script> (for ;;) { alert(‘hacked’); </script> in the input text and on displaying the input data, your page would go in a infinite loop asking the user to press on a javascript alert box forever. Another common problem with user input is magic_quotes is turned on or off. When magic_quotes is turned on in your php, some characters are automatically escaped. While you might have it enabled on your server, you are not sure that all servers you are going to deploy your application to, will have the same settings. So you need to make sure that, you check for whether its enabled or not on the server that your application runs on and escape your user data accordingly. It would be a big hassle to check for whether magic quotes is on or off each time you get a a user input. PCG solves these two above problems by using the requestUtils class to get form elements. By using a separate class to do the form retrieval, it puts that action in one central place and easy to change. So in that class, you can add whatever sanity check you need to make. Currently, the requestUtils::getRequestObject($elementName) method ltrim and rtrim your input data, strip the html tags (this setting is configurable in, by setting the ALLOW_HTML_TAGS_IN_POST_GET_REQUESTS constant to true or false) and if magic_quotes is not enabled, addslashes to the data before returning to the client. Usage example Let’s say you have a form HTML FORM <FORM NAME=”nileshForm” METHOD=”POST” ACTION=”test.php”> UserInput : <input type=”text” name=”userInput” value=””> </FORM> Instead of using <? $thisUserInput = $_POST[‘userInput’]; ?> to get that form element, we will use the code below. It will perform the same action as using the $_POST, but it will also do sanity check on the data input by user. You can add your own additional sanity checks to the getRequestObject method if you need to in one central place. PHP SCRIPT <? $thisUserInput = requestUtils::getRequestObject('userInput'); ?>