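<?php
/*******************************************************************
 ********** Pinion Media :: Sanitizer Class               **********
 ********** Updated 080301 | Version 1.1                  **********
 *******************************************************************/

include_once("constants.php"); // needed to get the value of PHONE_FORMAT and CLEANPHONE

/**
 * Form-input sanitizer: XSS defanging, tag stripping, spam and bad-word
 * filtering, and normalisation of the price / total / card-number / phone
 * fields of a submitted form.
 *
 * The public method names and signatures are kept exactly as the legacy
 * callers use them. Internally the class no longer relies on the removed
 * ereg_* functions (gone since PHP 7), so it runs on current PHP.
 */
class sanitizer
{
    /**
     * Clean a form-data array (or a single string) and return the result.
     *
     * Recognised keys, all optional:
     *   country                - phone numbers are only formatted for US / CA
     *   username, emailaddress - exempt from the "@ and ." spam check
     *   phone, phone2, fax     - normalised through clean_phone()
     *   price                  - reduced to digits; adds 'price_strg' (e.g. "4,500")
     *   grand_total            - adds 'strg_total' ("1,234.50") and 'stripped_total'
     *                            (the cent amount without separators, "123450")
     *   cc                     - reduced to digits; adds 'cut_cc' (last four digits)
     *
     * Only scalar values are cleaned; nested arrays are left untouched because
     * the string functions used here would warn or throw on them.
     *
     * @param array|string $process_info    form values keyed by field name, or one string
     * @param int|bool     $hacker_xss      run remove_xss() on every value
     * @param int|bool     $hacker_all_tags strip_tags() every value
     * @param int|bool     $spamer          blank any non-address field holding both '@' and '.'
     * @param int|bool     $badword         run the bad-word filter
     * @param int|bool     $phone           format phone/phone2/fax (also needs CLEANPHONE)
     * @param int|bool     $slashes         stripslashes() every value (not recommended when
     *                                      the data is headed for a database)
     * @return array|string the cleaned data
     */
    public function cleandata($process_info, $hacker_xss = 1, $hacker_all_tags = 1, $spamer = 1, $badword = 1, $phone = 1, $slashes = 0)
    {
        if (is_array($process_info)) {
            foreach ($process_info as $id => $value) {
                if (!is_scalar($value)) {
                    continue;
                }
                $value = (string) $value;
                if ($hacker_xss) {
                    $value = $this->remove_xss($value);
                }
                if ($hacker_all_tags) {
                    $value = strip_tags($value);
                }
                if ($slashes) {
                    $value = stripslashes($value);
                }
                // Spam heuristic: an address-like value in a field that is not
                // meant to hold one is discarded outright.
                if ($spamer && $id !== 'emailaddress' && $id !== 'username'
                    && strpos($value, '@') !== false && strpos($value, '.') !== false) {
                    $value = '';
                }
                $process_info[$id] = $value;
            }
        }

        if ($badword) {
            $process_info = $this->clean_badwords($process_info);
        }

        // The field-specific steps below only make sense for a keyed array.
        if (!is_array($process_info)) {
            return $process_info;
        }

        // price: digits only, plus a display copy with thousands separators.
        if (isset($process_info['price'])) {
            $digits = preg_replace('/\D/', '', (string) $process_info['price']);
            $process_info['price'] = $digits;
            $process_info['price_strg'] = number_format((float) $digits);
        }

        // grand_total: 'strg_total' is for display; 'stripped_total' is the cent
        // amount the payment gateway expects. The latter is built without a
        // thousands separator - deriving it from 'strg_total' left the comma in
        // for amounts of 1,000 or more.
        if (isset($process_info['grand_total'])) {
            $total = (float) $process_info['grand_total'];
            $process_info['strg_total'] = number_format($total, 2);
            $process_info['stripped_total'] = str_replace('.', '', number_format($total, 2, '.', ''));
        }

        // cc: digits only, plus the last four for display. The full card number
        // remains in the array afterwards; callers must not log or persist it.
        if (isset($process_info['cc'])) {
            $cc = preg_replace('/\D/', '', (string) $process_info['cc']);
            $process_info['cc'] = $cc;
            $process_info['cut_cc'] = substr($cc, -4);
        }

        // Phone formatting is limited to US / CA numbers: international numbers
        // have no single layout the mask could express, so they pass through.
        if ($phone && defined('CLEANPHONE') && CLEANPHONE) {
            $domestic = !isset($process_info['country'])
                || in_array($process_info['country'], ['United States', 'US', 'Canada', 'CA'], true);
            if ($domestic) {
                foreach (['phone', 'phone2', 'fax'] as $key) {
                    if (isset($process_info[$key])) {
                        $process_info[$key] = $this->clean_phone($process_info[$key]);
                    }
                }
            }
        }

        return $process_info;
    }

    // ---------------------------------------------------------------------------------------------
    // -- PHONE CLEANING AND FORMATTING ------------------------------------------------------------

    /**
     * Reduce a North-American phone number to its digits and lay them out on
     * the PHONE_FORMAT mask: each digit in the mask is a slot, every other
     * character is copied literally. With mask "(000) 000-0000",
     * "1-555-123-4567" becomes "(555) 123-4567".
     *
     * A leading country code "1" is dropped only when removing it leaves
     * exactly the number of digits the mask has slots for (the old code dropped
     * any leading "1", which mangled numbers such as 123-4567). Digits beyond
     * the mask are ignored; missing digits leave their slot empty.
     *
     * @param mixed $phone raw number as typed by the user
     * @return mixed the formatted number, or the input unchanged when
     *               PHONE_FORMAT is undefined/empty or the input is empty
     */
    public function clean_phone($phone)
    {
        $mask = defined('PHONE_FORMAT') ? (string) PHONE_FORMAT : '';
        if ($mask === '' || $phone === '' || $phone === null) {
            return $phone;
        }

        $digits = preg_replace('/\D/', '', (string) $phone);

        $maskLen = strlen($mask);
        $slots = 0;
        for ($i = 0; $i < $maskLen; $i++) {
            if (is_numeric($mask[$i])) {
                $slots++;
            }
        }
        if (strlen($digits) === $slots + 1 && $digits[0] === '1') {
            $digits = substr($digits, 1);
        }

        $result = '';
        $pos = 0;
        for ($i = 0; $i < $maskLen; $i++) {
            $maskChar = $mask[$i];
            if (is_numeric($maskChar)) {
                $result .= substr($digits, $pos, 1);
                $pos++;
            } else {
                $result .= $maskChar;
            }
        }
        return $result;
    }

    // ---------------------------------------------------------------------------------------------
    // -- BAD WORD CLEANING ------------------------------------------------------------------------

    /**
     * Replace every listed word (case-insensitive, matched up to a word
     * boundary, so "bullshit" is hit but "shipshape" is not) with a run of
     * three to six characters picked at random from $wordreplace.
     *
     * @param string $content text to filter
     * @return string the filtered text
     */
    public function word_filter($content)
    {
        $badwords = [
            'asshole', 'bitch', 'clit',
            'fuck', 'fucker', 'fuckers', 'fuckin', 'fucking', 'fucken',
            'nigger', 'jism', 'jizm', 'pussy',
            'shit', 'shitting', 'slut', 'twat', 'vagina',
        ];
        $wordreplace = ['#'];
        // Highest valid index; the old code used count() and so could pick a
        // non-existent element, producing an empty replacement.
        $lastIndex = count($wordreplace) - 1;

        foreach ($badwords as $word) {
            $length = rand(4, 7) - 1; // 3..6 characters, as before
            $filter = '';
            for ($k = 0; $k < $length; $k++) {
                $filter .= $wordreplace[rand(0, $lastIndex)];
            }
            $content = preg_replace('/' . preg_quote($word, '/') . '\b/i', $filter, $content);
        }
        return $content;
    }

    /**
     * Apply word_filter() to a string, or to every scalar value of an array
     * (recursing into nested arrays).
     *
     * @param array|string $process_info
     * @return array|string
     */
    public function clean_badwords($process_info)
    {
        if (!is_array($process_info)) {
            return $this->word_filter($process_info);
        }
        foreach ($process_info as $id => $value) {
            if (is_array($value)) {
                $process_info[$id] = $this->clean_badwords($value);
            } elseif (is_scalar($value)) {
                $process_info[$id] = $this->word_filter((string) $value);
            }
        }
        return $process_info;
    }

    // ---------------------------------------------------------------------------------------------
    // -- CROSS SITE SCRIPTING CLEANER -------------------------------------------------------------

    /**
     * Defang common XSS vectors in one value (derived from the widely
     * circulated RemoveXSS routine): strip control characters, decode numeric
     * HTML entities for printable ASCII so encoded payloads cannot hide,
     * break known dangerous tag and event-handler names with "<x>", then drop
     * the characters the surrounding application refuses in form data.
     *
     * This is a blacklist. It lowers exposure but is no substitute for
     * parameterised SQL on the database side or context-aware escaping
     * (htmlspecialchars) when the value is rendered.
     *
     * @param mixed $val raw value
     * @return string the cleaned value
     */
    public function remove_xss($val)
    {
        $val = (string) $val;

        // Remove non-printable control characters, keeping TAB (0x09), LF (0x0a)
        // and CR (0x0d); this defeats re-spacing such as <java\0script>. The
        // previous pattern was three adjacent character classes, so it only
        // matched three consecutive control characters and also removed spaces.
        $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

        // Decode numeric entities (&#x41; / &#65;, optional ';', up to eight
        // leading zeros) for every printable ASCII character. A missing ';' is
        // accepted only when no further digit follows, so "&#x41B" is not cut
        // down to "A" + "B".
        $search = 'abcdefghijklmnopqrstuvwxyz';
        $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $search .= '1234567890!@#$%^&*()';
        $search .= '~`";:?+/={}[]-_|\'\\';
        $searchLen = strlen($search);
        for ($i = 0; $i < $searchLen; $i++) {
            $ch = $search[$i];
            $replacement = addcslashes($ch, '\\$'); // '$' and '\' are special in a replacement
            $val = preg_replace('/&#[xX]0{0,8}' . dechex(ord($ch)) . '(?:;|(?![0-9a-f]))/i', $replacement, $val);
            $val = preg_replace('/&#0{0,8}' . ord($ch) . '(?:;|(?!\d))/', $replacement, $val);
        }

        // Tag names and event handlers that must not survive intact.
        $ra1 = ['javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink',
            'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer',
            'bgsound', 'title', 'base'];
        $ra2 = ['onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
            'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste',
            'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange',
            'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut',
            'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate',
            'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop',
            'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin',
            'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload',
            'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove',
            'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend',
            'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize',
            'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted',
            'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop',
            'onsubmit', 'onunload'];
        $ra = array_merge($ra1, $ra2);

        // Between any two letters of a keyword an encoded TAB/LF/CR entity may
        // appear (hex 9, a, d; decimal 9, 10, 13), so "java&#10;script" is still
        // recognised.
        $gap = '((&#[xX]0{0,8}[9ad];?)|(&#0{0,8}(9|10|13);?))?';

        // Scan Alert only looks for '<' and '>', and the "<x>" inserted here is
        // itself removed further down, so this neither helps nor hurts that check.
        // Keep scanning while a pass changed something; the old code tested this
        // inside the inner loop and therefore never re-scanned.
        do {
            $before = $val;
            foreach ($ra as $word) {
                $pattern = '/' . implode($gap, str_split($word)) . '/i';
                // Insert "<x>" after the second letter so the name no longer
                // parses as a tag or attribute (e.g. "sc<x>ript").
                $replacement = substr($word, 0, 2) . '<x>' . substr($word, 2);
                $val = preg_replace($pattern, $replacement, $val);
            }
        } while ($before !== $val);

        // Characters the surrounding application does not accept in form data.
        // Crude and kept for compatibility; it does not make string-built SQL
        // safe - use prepared statements for that.
        return str_replace([';', '%', '>', '<', "'", '"', '|'], '', $val);
    }
    // ---------------------------------------------------------------------------------------------
} // End sanitizer Class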