<?php
/**
* $Id$
*
* This page is meant to provide functions to prevent XSS cracks.
*
* KnowledgeTree Community Edition
* Document Management Made Simple
* Copyright (C) 2008 KnowledgeTree Inc.
* Portions copyright The Jam Warehouse Software (Pty) Limited
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License version 3 as published by the
* Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* You can contact KnowledgeTree Inc., PO Box 7775 #87847, San Francisco,
* California 94120-7775, or email info@knowledgetree.com.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU General Public License version 3.
*
* In accordance with Section 7(b) of the GNU General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "Powered by
* KnowledgeTree" logo and retain the original copyright notice. If the display of the
* logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
* must display the words "Powered by KnowledgeTree" and retain the original
* copyright notice.
* Contributor( s): ______________________________________
*/
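/**
 * Accepts a web encoded string and outputs a "clean" string.
 *
 * Pipeline: trim -> urldecode -> strip_tags -> (addslashes unless magic quotes
 * already did it) -> drop every byte outside a small allow-set.
 *
 * Note that PHP has already URL-decoded GPC input once, so the urldecode()
 * here is a second decode: a literal '+' becomes a space and '%xx' sequences
 * in the data are expanded. Callers whose data legitimately contains those
 * characters cannot use this function.
 *
 * The old implementation relied on ereg_replace() (removed in PHP 7) and on
 * get_magic_quotes_gpc() (removed in PHP 8); both are replaced here so the
 * function no longer fatals on current PHP, with the same allow-set.
 *
 * @param string $string raw (web encoded) input
 * @return string the reduced string; alphanumerics, "|", "^", "_", "\", ".",
 *                space, ":" and "-" are the only characters kept
 */
function sanitize($string) {
    // This should be set if you've read the INSTALL instructions.
    // Better to be safe though. get_magic_quotes_gpc() is gone in PHP 8, so
    // only call it when it exists; on modern PHP this always takes the
    // addslashes() branch.
    $magicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    $string = strip_tags(urldecode(trim($string)));
    if (!$magicQuotes) {
        $string = addslashes($string);
    }
    // This might be a little too aggressive
    //$pattern = "([^[:alpha:]|^_\.\ \:-])";
    // Allow numeric characters. The allow-set mirrors the old ereg bracket
    // expression "[^[:alnum:]|^_\.\ \:-]", in which a backslash is a literal
    // member of the set (POSIX bracket rules), hence \x5c below. Because the
    // quote characters themselves are outside the set, the backslashes added
    // by addslashes() can survive on their own (e.g. "it's" -> "it\s").
    $pattern = '/[^[:alnum:]|^_\x5c. :-]/';
    // preg_replace() returns null on a PCRE error; never hand back null.
    return preg_replace($pattern, '', $string) ?? '';
}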
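/**
 * Trim, length-check and escape a string for direct interpolation into SQL.
 *
 * This is legacy escaping only: when the mysql extension is absent (PHP 7+)
 * the value is passed through addslashes(), which is not charset aware. New
 * code should bind the value as a prepared-statement parameter instead of
 * interpolating the result of this function.
 *
 * The old implementation called get_magic_quotes_gpc() unconditionally, which
 * is a fatal "undefined function" error on PHP 8; the call is now guarded.
 *
 * @param string $string raw input
 * @param int|string $min minimum byte length, '' for no lower bound
 * @param int|string $max maximum byte length, '' for no upper bound
 * @return string|false the escaped string, or false when the byte length is
 *                      outside [$min, $max]
 */
function sanitizeForSQL($string, $min='', $max='') {
    $string = trim($string);
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // Byte length, not character length (strlen, as before).
    $len = strlen($string);
    if ((($min != '') && ($len < $min)) || (($max != '') && ($len > $max))) {
        return false;
    }
    // mysql_real_escape_string() exists only on PHP 5 and needs an open
    // mysql link; without one it warns and returns false.
    if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($string);
    }
    return addslashes($string);
}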
/**
 * Remove carriage returns and line feeds from a string.
 *
 * Despite the name this performs no HTML escaping at all: "<", ">", "&" and
 * quotes pass through untouched, so the result is not safe to print into a
 * page. $min and $max exist only for signature parity with the sibling
 * sanitizers and are not enforced.
 *
 * @param string $string input
 * @param int|string $min unused
 * @param int|string $max unused
 * @return string the input with every "\r" and "\n" removed
 */
function sanitizeForSQLtoHTML($string, $min='', $max='')
{
    $lineBreaks = ["\r", "\n"];
    return str_replace($lineBreaks, '', $string);
}
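/**
 * Trim, length-check and HTML-escape a string for output in an HTML body or
 * quoted attribute.
 *
 * Changes from the previous version: single quotes are now escaped too
 * (ENT_QUOTES), so the result is safe inside single-quoted attributes, and
 * invalid UTF-8 is replaced with U+FFFD instead of making the whole result
 * an empty string (ENT_SUBSTITUTE). The former fallback branch that
 * re-implemented htmlspecialchars() with preg_replace() was unreachable
 * (htmlspecialchars() always exists) and has been dropped. The call to
 * get_magic_quotes_gpc(), removed in PHP 8, is now guarded.
 *
 * Escaping is HTML-context only: do not use the result inside a <script>
 * block, a URL or a CSS value.
 *
 * @param string $string raw input
 * @param int|string $min minimum byte length, '' for no lower bound
 * @param int|string $max maximum byte length, '' for no upper bound
 * @return string|false the escaped string, or false when the byte length is
 *                      outside [$min, $max]
 */
function sanitizeForHTML($string, $min='', $max='')
{
    $string = trim($string);
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // Byte length, not character length (strlen, as before).
    $len = strlen($string);
    if ((($min != '') && ($len < $min)) || (($max != '') && ($len > $max))) {
        return false;
    }
    return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}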
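/**
 * Trim, length-check and reduce a string to a double-quoted shell word.
 *
 * Shell metacharacters are deleted outright; the survivors are wrapped in
 * double quotes with "\" and "$" backslash-escaped. Two defects in the
 * previous pattern are fixed: "[" and "]" were never removed because the
 * "[|]" alternative was itself a character class, and "^" was an anchor
 * rather than a literal. Separately, a backslash was not escaped, so an
 * input ending in "\" produced "...\"" and cancelled the closing quote.
 * The call to get_magic_quotes_gpc(), removed in PHP 8, is now guarded.
 *
 * Prefer escapeshellarg() and array-form proc_open() in new code; this
 * function is kept for callers that expect the double-quoted format.
 *
 * @param string $string raw input
 * @param int|string $min minimum byte length, '' for no lower bound
 * @param int|string $max maximum byte length, '' for no upper bound
 * @return string|false the quoted word, or false when the byte length is
 *                      outside [$min, $max]
 */
function sanitizeForSYSTEM($string, $min='', $max='')
{
    $string = trim($string);
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // Byte length, not character length (strlen, as before).
    $len = strlen($string);
    if ((($min != '') && ($len < $min)) || (($max != '') && ($len > $max))) {
        return false;
    }
    // One character class so that "[", "]" and "^" are literal members.
    $pattern = '/[;|`<>&^"\r\n\'{}\[\]()]/';
    $string = preg_replace($pattern, '', $string) ?? '';
    // Inside double quotes the shell still interprets "\" and "$"; escape both
    // so a trailing backslash cannot swallow the closing quote.
    return '"' . addcslashes($string, '\\$') . '"';
}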
?>