0
\$\begingroup\$

I created a function that filters data and I want to know if it's fully secure to filter user input data.

function user_input_data($data,$options) {
 $output = null;
 $error_msg = "";
 $check_length = false;
 $options_fetch = array(
 @$length_max = $options["length_max"],
 @$length_min = $options["length_min"],
 $data_type = $options["data_type"],
 );
 if($length_min && $length_max) {
 $check_length = true;
 }
 if($data_type == "only_letters") {
 if (preg_match('/^[\p{Arabic}a-zA-Z]+\h?[\p{Arabic}a-zA-Z]*$/u', $data)) {
 $output = $data;
 }else{
 $output = false;
 }
 }
 if($data_type == "only_letters_numbers") {
 if (preg_match('/^[\p{Arabic}a-zA-Z0-9]+\h?[\p{Arabic}a-zA-Z0-9]*$/u', $data)) { 
 $output = $data; 
 }else{
 $output = false;
 }
 } 
 if($data_type == "string") {
 $output = htmlspecialchars($data,ENT_QUOTES,"UTF-8",true);
 }
 if($data_type == "text") {
 $output = strip_tags($data);
 }
 if($data_type == "integer") {
 if(filter_var($data,FILTER_VALIDATE_INT)) {
 $output = $data;
 }
 }
 if($data_type == "float") {
 if(filter_var($data,FILTER_VALIDATE_FLOAT)) {
 $output = $data;
 }
 }
 if($data_type == "boolean") {
 if(filter_var($data,FILTER_VALIDATE_BOOLEAN)) {
 $output = $data;
 }
 }
 if($data_type == "email") {
 if(filter_var($data,FILTER_VALIDATE_EMAIL)) {
 $output = $data;
 }
 }
 if($data_type == "url") {
 if(filter_var($data,FILTER_VALIDATE_URL)) {
 $output = $data;
 }
 }
 if($data_type == "ip") {
 if(filter_var($data,FILTER_VALIDATE_IP)) {
 $output = $data;
 }
 }
 if($data_type == "array") {
 if(is_array($data)) {
 $data = array_map("htmlspecialchars",$data);
 $output = $data;
 }
 }
 if($data_type == "file_directory") {
 if(file_exists($data)) {
 $output = basename($data);
 }
 }
 if($output) {
 if($check_length) {
 if( ( ( mb_strlen($output) >= $length_min ) && ( mb_strlen($output) <= $length_max ) ) === false) {
 $output = false;
 }
 }
 return $output;
 }
}
// call function 
$password = user_input_data(
 $_POST["password"],
 array(
 "length_min" => 8, "length_max" => 24 ,"data_type" => "string"
 )
);
Jamal
35.2k13 gold badges134 silver badges238 bronze badges
asked Feb 15, 2018 at 19:28
\$\endgroup\$
4
  • \$\begingroup\$ Frankly, this function has very little to do with security and by no means should be relied upon. \$\endgroup\$ Commented Feb 16, 2018 at 7:48
  • \$\begingroup\$ @YourCommonSense I created this function for filter user input data only. In my question I ask if it is completely safe in filtering user input data just no less and no more. \$\endgroup\$ Commented Feb 16, 2018 at 14:09
  • \$\begingroup\$ Nope, it is not safe \$\endgroup\$ Commented Feb 16, 2018 at 14:49
  • \$\begingroup\$ @YourCommonSense thank you. but really I don't way if I want to know if user input just contain letters I call function like this $var = user_input_data($POST['var'],array("data_type" => "only_letters")) so if user input data contain numbers or characters it return false \$\endgroup\$ Commented Feb 16, 2018 at 14:54

1 Answer 1

1
\$\begingroup\$

I suggest you should use a configuration array like this:

 $config = [
 ip => FILTER_VALIDATE_IP,
 email=> FILTER_VALIDATE_EMAIL
 ]

and simplify the code like this:

if(in_array($config, $data_type)) {
 if($filter_VAR($data, $config[$data_type]) {
 $output = $data;
 }
}

  1. In your code, length is checked only if both min and max are set. Is it the expected behavior? In some cases, only min or max checks are required.

  2. Generally, you should avoid repeating code, in favor of calling functions. This makes it more readable. Plus, you can create test cases for small functions with predictable results, rather that a big complicated thing.

  3. With security I have no idea what this function is designed to protect against.

answered Feb 16, 2018 at 12:49
\$\endgroup\$
4
  • \$\begingroup\$ thank you so much for your answer. I think all of you understood me wrong. I designed this function for only filter user input data to avoid repeating. and I ask if it's good and I think they need some Improvements \$\endgroup\$ Commented Feb 16, 2018 at 14:16
  • \$\begingroup\$ @MouradKaroudi there you are. I suggested 3 areas where you can improve your code. Still, it is unclear what did you want to achieve in security area. \$\endgroup\$ Commented Feb 16, 2018 at 17:32
  • \$\begingroup\$ thank you so much for your reply and your time. I use this function in my website to filter form inputs data like a Register form had input called full_name so I want this input accept only letters english and arabic so I use this function to do that for me. what I want is to know if this function good to filter user input and secure my forms data \$\endgroup\$ Commented Feb 16, 2018 at 19:12
  • \$\begingroup\$ and look to my question I wrote ** it's fully secure to filter user input ** \$\endgroup\$ Commented Feb 16, 2018 at 19:14

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.