Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > vBulletin 3 Articles
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Using the vBulletin Input Cleaner
Alan @ CIT
Join Date: Nov 2004
Posts: 625

 

South UK
Show Printable Version Email this Page Subscription
Alan @ CIT Alan @ CIT is offline 06-21-2006, 10:00 PM

Note: This article assumes that you are familier with PHP, and will introduce you to input filtering using vBulletin

Using the vBulletin Input Cleaner Class

Introduction

Most scripts will require data from a user at some point. When using this data, you should never assume that it is "clean" data. With XSS (Cross-Site Scripting) and SQL exploits being identified in scripts on a daily basis, you should do everything you can to ensure that all data coming from the user has been cleaned ("sanatized").

vBulletin provides us with the vB_Input_Cleaner class to do just this.
The vBulletin Input Cleaner class is setup when the page loads, and can be accessed as $vbulletin->input,

Data Types

When you accept data from the user, you should know what type of data you are expecting to receive. the vBulletin Input Cleaner allows the following types of data to be cleaned:
  • TYPE_NOCLEAN
    Will not be cleaned
  • TYPE_BOOL
    Will check it is either true or false
  • TYPE_INT
    Will check that it is an integer
  • TYPE_UINT
    Will check that it is an unsigned integer
  • TYPE_NUM
    Will check that it is a number
  • TYPE_UNUM
    Will check that it is an unsigned number
  • TYPE_UNIXTIME
    Will check that it is a unix-style timestamp (unsigned int)
  • TYPE_STR
    Will check that it is a string, and runs trim() on it
  • TYPE_NOTRIM
    Will check that it is a string and will not run trim() on it
  • TYPE_NOHTML
    WIll check that it is a string and run htmlspecialchars_uni() and trim() on it
  • TYPE_ARRAY
    WIll check that it is an array
  • TYPE_FILE
    Will check that it is a file (ie, uploaded by the user)
You can also clean arrays of these types by using TYPE_ARRAY_<type>. For example, if you had an array of numbers, you could use TYPE_ARRAY_INT, or TYPE_ARRAY_NUM.

Cleaning Functions

The input cleaner class provides a number of useful functions that we can use to clean our data, depending on what data you wish to clean.

Cleaning Superglobal Arrays

By Superglobal, I mean $_POST, $_GET, $_REQUEST and so on. These arrays are created automaticly by PHP and contain the user-sent input. They are referenced in the vBulletin Input Cleaner by nice short single letter names. These are:
  • p - $_POST
  • g - $_GET
  • r - $_REQUEST
  • s - $_SERVER
  • e - $_ENV
  • c - $_COOKIE
  • f - $_FILES
The vBulletin Input Cleaner class provides the clean_array_gpc() function which allows us to clean data in these Superglobal arrays in one hit, without having to clean every individual variable in them.

Example:
PHP Code:
$vbulletin->input->clean_array_gpc('p', array(
'name' => TYPE_NOHTML,
'age' => TYPE_UINT,
'usepm' => TYPE_BOOL
)); 
As you can see from this example, clean_array_gpc() takes 2 paramaters. The first paramater specifies which Superglobal array you wish to clean, and the second is an array of variables and their types.

So, in the example above, we are telling clean_array_gpc() that we wish to clean the $_POST array, and that $_POST contains 3 variables, 'name', 'age', and 'usepm', and that we wish to clean them as TYPE_NOHTML, TYPE_UINT and TYPE_BOOL respectivly.

Once cleaned, the new (clean) variables will be available in the $vbulletin->GPC array. So, to follow on from our previous example, we would use something like:

PHP Code:
echo 'Your name is ' $vbulletin->GPC['name'] . '<br />';
echo 
'Your age is ' $vbulletin->GPC['age'] . '<br />;
// etc... 
Cleaning a Single Superglobal Variable

If you have a single variable that you wish to clean, use the clean_gpc() function. This function allows you to specify a single variable in any of the Superglobal arrays, and it's type.

Example:
PHP Code:
$vbulletin->input->clean_gpc('g''age'TYPE_UINT);
echo 
'Your age is: ' $vbulletin->GPC['age']; 
In this example, the 'age' variable in the $_GET Superglobal array will be cleaned to make sure it is an unsigned integer.

Cleaning a Single Variable

If you wish to clean a single variable that is not in one of the Superglobal arrays, you should use the clean() function.

Example:
PHP Code:
$cleaned_var $vbulletin->input->clean($dirty_varTYPE_NOHTML); 
From this example you can see that clean() takes 2 paramaters. The first is the variable that you wish to clean and the second is its type. Unlike the last 2 functions, clean() returns the variable directly.

Cleaning an Array of Variables

For times when you wish to clean an array of variables of mixed types, vBulletin provides the clean_array() function. The clean_array() function takes 2 paramaters. The first is the array to be cleaned, and the second is an array of variable names, and their types.

This function works exactly the same as clean_array_gpc(), except instead of specifying which Superglobal array to clean, you specify your own array.

Conclusion

So, to sum up - always run all input from the user through the vBulletin Input Cleaner! As well as being a good coding practice, this will drasticly decrease the chances of someone exploiting your script using an XSS or SQL attack.

Good luck using your new found knowledge of the vBulletin Input Cleaner class, and remember: If you get stuck, just ask! Knowledge sharing is what vBulletin.org is all about!

(Note: If you want to reproduce this article anywhere, I have no objections, but I do request that you give me credit for writing it, and a PM letting me know would be appreciated )
Reply With Quote
  #12  
Old 01-22-2007, 03:44 AM
Billspaintball's Avatar
Billspaintball Billspaintball is offline
 
Join Date: Sep 2003
Location: Bathurst, Au
Posts: 649
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ohhh just what I was looking for.

Thanks Alan, its all clear now
Reply With Quote
  #13  
Old 02-14-2007, 02:33 PM
ccasselman ccasselman is offline
 
Join Date: Sep 2006
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Is there anyway I can use this class for an external script?

How would I approach that?

chad
Reply With Quote
  #14  
Old 02-24-2007, 02:53 PM
Adrian.'s Avatar
Adrian. Adrian. is offline
 
Join Date: Oct 2005
Location: South Yorkshire
Posts: 128
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Does this work on vB 3.0.x?

I can't seem to get it working.
Reply With Quote
  #15  
Old 04-07-2007, 06:54 AM
adhari_com's Avatar
adhari_com adhari_com is offline
 
Join Date: May 2004
Location: Bahrain
Posts: 74
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thank you so much for the great useful info, but I need to ask the TYPE_NOHTML does get rid of the <script> entry?
Reply With Quote
  #16  
Old 04-23-2007, 08:45 PM
cashpath cashpath is offline
 
Join Date: Jul 2003
Posts: 216
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Does this still work?

I put this..

Code:
	 $vbulletin->input->clean_array_gpc
	 ('g', array(
	  'year' => TYPE_UINT,
	  'week' => TYPE_UINT,
	  'teamid' => TYPE_UNIT,
      'team_ident' => TYPE_UNIT,
	  'pid' => TYPE_UINT,
	  'page' => TYPE_NOHTML));
$team_ident=$vbulletin->GPC['team_ident'];
And when I pass
Code:
{url}?team_ident=thisisatest
I get a mysql error
Code:
Invalid SQL:
SELECT * FROM table_teams WHERE id=thisisatest
Reply With Quote
  #17  
Old 10-01-2007, 09:55 AM
foxfirediego foxfirediego is offline
 
Join Date: Aug 2005
Location: Brazil
Posts: 63
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by cashpath View Post
Does this still work?

I put this..

Code:
	 $vbulletin->input->clean_array_gpc
	 ('g', array(
	  'year' => TYPE_UINT,
	  'week' => TYPE_UINT,
	  'teamid' => TYPE_UNIT,
      'team_ident' => TYPE_UNIT,
	  'pid' => TYPE_UINT,
	  'page' => TYPE_NOHTML));
$team_ident=$vbulletin->GPC['team_ident'];
And when I pass
Code:
{url}?team_ident=thisisatest
I get a mysql error
Code:
Invalid SQL:
SELECT * FROM table_teams WHERE id=thisisatest
a lil too late
yes, works!
try this out:
PHP Code:
$vbulletin->input->clean_array_gpc('g', array(
      
'year' => TYPE_INT,
      
'week' => TYPE_INT,
      
'teamid' => TYPE_INT,
      
'team_ident' => TYPE_INT,
      
'pid' => TYPE_INT,
      
'page' => TYPE_NOHTML));

$team_ident $vbulletin->GPC['team_ident']; 
HTML Code:
{url}?team_ident=$team_ident
OR
HTML Code:
{url}?team_ident=$vbulletin->GPC['team_ident']
also, escape ur mysql statement:
Code:
SELECT * FROM table_teams WHERE id = " . $db->escape_string($vbulletin->GPC['team_ident']) . "
Reply With Quote
  #18  
Old 11-30-2007, 09:10 PM
Blaine0002's Avatar
Blaine0002 Blaine0002 is offline
 
Join Date: Jul 2003
Location: Wisconsin.
Posts: 1,350
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Can you define the maxes for both int and num?

Im using num for a post
When i enter 9999999999999 it passes -15304950.76
When i enter 999999999999 it passes 2764471.32
When i enter 99999999999 it passes 13161348.12
When i enter 9999999999 it passes -7273800.68
When i enter 999999999 it passes 12157520.92
When i enter 99999999 it passes 14100653.08
When i enter 9999999 it finally passes 9999999

Whats going on here??

NOTE: before it is displayed it is passed thru this. (truncates the number to 2 decimals without rounding.
Quote:
function truncate($number, $places){
return intval($mynumber * pow(10,$places))/pow(10,$places);
}
$vbulletin->GPC['num'] = truncate($vbulletin->GPC['num'], 2);
--------------- Added [DATE]1196465816[/DATE] at [TIME]1196465816[/TIME] ---------------

Seems my Truncate function was causing it, But now it passes numbers like
1.0E+17

How do i restrict it from doing this and just passing the number?
Reply With Quote
  #19  
Old 11-19-2008, 09:38 PM
ForgotenDynasty ForgotenDynasty is offline
 
Join Date: Jul 2008
Posts: 98
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

How can I use a cleaned variable in a template
Reply With Quote
  #20  
Old 12-10-2008, 06:36 PM
Jafo232 Jafo232 is offline
 
Join Date: May 2004
Posts: 1,122
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Does TYPE_NOHTML really clean HTML? I mean, take out script tags, etc?
Reply With Quote
  #21  
Old 03-08-2009, 01:39 AM
Adem GEN?'s Avatar
Adem GEN? Adem GEN? is offline
 
Join Date: Apr 2005
Location: İstanbul / T?rkiye
Posts: 377
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hello,
I could not understand the full

Options delete:
checkbox = submit OR Delete text link

Code safe deleted for?

PHP Code:
("DELETE FROM " TABLE_PREFIX "table_name
            WHERE xxx_id = '"
.$_GET['id_delete']."'"); 
Thanks
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:04 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04774 seconds
  • Memory Usage 2,339KB
  • Queries Executed 25 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (7)bbcode_code
  • (2)bbcode_html
  • (6)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (11)post_thanks_box
  • (7)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete