 |
|
|
Article Options |
|
Using the vBulletin Input Cleaner
by
22 Jun 2006
Rating:
 (27 votes
- 4.81 average) Note: This article assumes that you are familier with PHP, and will introduce you to input filtering using vBulletin Using the vBulletin Input Cleaner Class Introduction Most scripts will require data from a user at some point. When using this data, you should never assume that it is "clean" data. With XSS (Cross-Site Scripting) and SQL exploits being identified in scripts on a daily basis, you should do everything you can to ensure that all data coming from the user has been cleaned ("sanatized"). vBulletin provides us with the vB_Input_Cleaner class to do just this. The vBulletin Input Cleaner class is setup when the page loads, and can be accessed as $vbulletin->input, Data Types When you accept data from the user, you should know what type of data you are expecting to receive. the vBulletin Input Cleaner allows the following types of data to be cleaned:
Cleaning Functions The input cleaner class provides a number of useful functions that we can use to clean our data, depending on what data you wish to clean. Cleaning Superglobal Arrays By Superglobal, I mean $_POST, $_GET, $_REQUEST and so on. These arrays are created automaticly by PHP and contain the user-sent input. They are referenced in the vBulletin Input Cleaner by nice short single letter names. These are:
Example:
As you can see from this example, clean_array_gpc() takes 2 paramaters. The first paramater specifies which Superglobal array you wish to clean, and the second is an array of variables and their types. So, in the example above, we are telling clean_array_gpc() that we wish to clean the $_POST array, and that $_POST contains 3 variables, 'name', 'age', and 'usepm', and that we wish to clean them as TYPE_NOHTML, TYPE_UINT and TYPE_BOOL respectivly. Once cleaned, the new (clean) variables will be available in the $vbulletin->GPC array. So, to follow on from our previous example, we would use something like:
Cleaning a Single Superglobal Variable If you have a single variable that you wish to clean, use the clean_gpc() function. This function allows you to specify a single variable in any of the Superglobal arrays, and it's type. Example:
In this example, the 'age' variable in the $_GET Superglobal array will be cleaned to make sure it is an unsigned integer. Cleaning a Single Variable If you wish to clean a single variable that is not in one of the Superglobal arrays, you should use the clean() function. Example:
From this example you can see that clean() takes 2 paramaters. The first is the variable that you wish to clean and the second is its type. Unlike the last 2 functions, clean() returns the variable directly. Cleaning an Array of Variables For times when you wish to clean an array of variables of mixed types, vBulletin provides the clean_array() function. The clean_array() function takes 2 paramaters. The first is the array to be cleaned, and the second is an array of variable names, and their types. This function works exactly the same as clean_array_gpc(), except instead of specifying which Superglobal array to clean, you specify your own array. Conclusion So, to sum up - always run all input from the user through the vBulletin Input Cleaner! As well as being a good coding practice, this will drasticly decrease the chances of someone exploiting your script using an XSS or SQL attack. Good luck using your new found knowledge of the vBulletin Input Cleaner class, and remember: If you get stuck, just ask! Knowledge sharing is what vBulletin.org is all about! (Note: If you want to reproduce this article anywhere, I have no objections, but I do request that you give me credit for writing it, and a PM letting me know would be appreciated  )
|
||||||||||||||||
|
Views: 15657
|
||||||||||||||||
| Comments |
|
#2
22 Jun 2006, 19:40
|
|||
|
|||
|
Another fine article. Good work.
__________________
Add a photo gallery to your forum and get noticed by your members. Find out how at the vBulletin Computer Help Forum. An informed rider makes their first destination the motorcycle forum at rider info. No members have liked this post.
|
|
#3
22 Jun 2006, 19:56
|
||||
|
||||
|
very nice. thanks dude
No members have liked this post.
|
|
#4
28 Jun 2006, 21:49
|
||||
|
||||
|
Thanks Alan, i have been trying to use the cleaners as opposed to $_GET, $_POST, etc... this should help me well.
__________________
Please feel free to PM me about custom work, installations, and upgrades! Eclipse Records - Streetcult Street Team No members have liked this post.
Last edited by Antivirus : 17 Jul 2006 at 03:26.
|
|
#5
17 Jul 2006, 04:10
|
|||
|
|||
|
Error in variable
This is great. One question for a novice hack. How do we know there as something wrong? If I wanted a number and the user input a letter how would I know there was an error?
Do I need to further determine the cleaned variable is a number? Mark No members have liked this post.
|
|
#6
17 Jul 2006, 16:53
|
|||
|
|||
|
You'd use
if(!is_numeric($vbulletin->GPC['age'])) No members have liked this post.
|
|
#7
17 Jul 2006, 17:11
|
||||
|
||||
|
For reference, when checking numbers, if vBulletin doesn't find a number, it will return 0 instead. (when using TYPE_INT or TYPE_UINT)
The types and what it will return if it can't find what you are asking for is below:
Thanks, Alan.
__________________
IMPORTANT: I'm afraid that I no longer develop software / modifications for vBulletin. However, thank you to everyone who installed / supported my modifications! No members have liked this post.
|
||||
|
#8
18 Jul 2006, 03:13
|
|||
|
|||
|
Thanks for the information. So I'm thinking I need to check the variables even before it posts with javascript or with php.
No members have liked this post.
|
|
#9
19 Jul 2006, 08:19
|
||||
|
||||
|
You can always do:
If the value of 0 isn't a possibility. No members have liked this post.
|
||||
|
#10
08 Nov 2006, 14:57
|
||||
|
||||
|
how would you go about cleaning $_SESSION arrays? I have been cleaning the vars before placing them into $_SESSION but I wonder if there's some way to clean the $_SESSION afterwards.?
__________________
Please feel free to PM me about custom work, installations, and upgrades! Eclipse Records - Streetcult Street Team No members have liked this post.
Last edited by Antivirus : 15 Nov 2006 at 21:39.
|
|
#11
22 Jan 2007, 04:44
|
||||
|
||||
|
Ohhh just what I was looking for.
Thanks Alan, its all clear now  No members have liked this post.
|
|
#12
14 Feb 2007, 15:33
|
|||
|
|||
|
Is there anyway I can use this class for an external script?
How would I approach that? chad No members have liked this post.
|
|
#13
24 Feb 2007, 15:53
|
||||
|
||||
|
Does this work on vB 3.0.x?
I can't seem to get it working. 
__________________
No members have liked this post.
|
|
#14
07 Apr 2007, 07:54
|
||||
|
||||
|
Thank you so much for the great useful info, but I need to ask the TYPE_NOHTML does get rid of the <script> entry?
No members have liked this post.
|
|
#15
23 Apr 2007, 21:45
|
||||||||||||
|
||||||||||||
|
Does this still work?
I put this..
And when I pass
I get a mysql error
__________________
HizzleBall No members have liked this post.
|
||||||||||||
|
«
Previous Article
|
Next Article
»
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) |
| Article Options | |
|
|
| New To Site? | Need Help? |
All times are GMT. The time now is 02:16.