The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
Using the vBulletin Input Cleaner
Alan @ CIT
Join Date: Nov 2004
Posts: 625
South UK
06-21-2006, 10:00 PM
Note: This article assumes that you are familier with PHP, and will introduce you to input filtering using vBulletin Using the vBulletin Input Cleaner Class Introduction Most scripts will require data from a user at some point. When using this data, you should never assume that it is "clean" data. With XSS (Cross-Site Scripting) and SQL exploits being identified in scripts on a daily basis, you should do everything you can to ensure that all data coming from the user has been cleaned ("sanatized"). vBulletin provides us with the vB_Input_Cleaner class to do just this. The vBulletin Input Cleaner class is setup when the page loads, and can be accessed as $vbulletin->input, Data Types When you accept data from the user, you should know what type of data you are expecting to receive. the vBulletin Input Cleaner allows the following types of data to be cleaned:
Cleaning Functions The input cleaner class provides a number of useful functions that we can use to clean our data, depending on what data you wish to clean. Cleaning Superglobal Arrays By Superglobal, I mean $_POST, $_GET, $_REQUEST and so on. These arrays are created automaticly by PHP and contain the user-sent input. They are referenced in the vBulletin Input Cleaner by nice short single letter names. These are:
Example: PHP Code:
So, in the example above, we are telling clean_array_gpc() that we wish to clean the $_POST array, and that $_POST contains 3 variables, 'name', 'age', and 'usepm', and that we wish to clean them as TYPE_NOHTML, TYPE_UINT and TYPE_BOOL respectivly. Once cleaned, the new (clean) variables will be available in the $vbulletin->GPC array. So, to follow on from our previous example, we would use something like: PHP Code:
If you have a single variable that you wish to clean, use the clean_gpc() function. This function allows you to specify a single variable in any of the Superglobal arrays, and it's type. Example: PHP Code:
Cleaning a Single Variable If you wish to clean a single variable that is not in one of the Superglobal arrays, you should use the clean() function. Example: PHP Code:
Cleaning an Array of Variables For times when you wish to clean an array of variables of mixed types, vBulletin provides the clean_array() function. The clean_array() function takes 2 paramaters. The first is the array to be cleaned, and the second is an array of variable names, and their types. This function works exactly the same as clean_array_gpc(), except instead of specifying which Superglobal array to clean, you specify your own array. Conclusion So, to sum up - always run all input from the user through the vBulletin Input Cleaner! As well as being a good coding practice, this will drasticly decrease the chances of someone exploiting your script using an XSS or SQL attack. Good luck using your new found knowledge of the vBulletin Input Cleaner class, and remember: If you get stuck, just ask! Knowledge sharing is what vBulletin.org is all about! (Note: If you want to reproduce this article anywhere, I have no objections, but I do request that you give me credit for writing it, and a PM letting me know would be appreciated  )
|
|
#12
01-22-2007, 03:44 AM
|
||||
|
||||
Ohhh just what I was looking for.
Thanks Alan, its all clear now 
|
|
#13
02-14-2007, 02:33 PM
|
|||
|
|||
|
Is there anyway I can use this class for an external script?
How would I approach that? chad
|
|
#15
04-07-2007, 06:54 AM
|
||||
|
||||
|
Thank you so much for the great useful info, but I need to ask the TYPE_NOHTML does get rid of the <script> entry?
|
|
#16
04-23-2007, 08:45 PM
|
|||
|
|||
|
Does this still work?
I put this.. Code:
$vbulletin->input->clean_array_gpc
('g', array(
'year' => TYPE_UINT,
'week' => TYPE_UINT,
'teamid' => TYPE_UNIT,
'team_ident' => TYPE_UNIT,
'pid' => TYPE_UINT,
'page' => TYPE_NOHTML));
$team_ident=$vbulletin->GPC['team_ident'];
Code:
{url}?team_ident=thisisatest
Code:
Invalid SQL: SELECT * FROM table_teams WHERE id=thisisatest
|
|
#17
10-01-2007, 09:55 AM
|
|||
|
|||
|
Quote:
 yes, works! try this out: PHP Code:
HTML Code:
{url}?team_ident=$team_ident
HTML Code:
{url}?team_ident=$vbulletin->GPC['team_ident']
Code:
SELECT * FROM table_teams WHERE id = " . $db->escape_string($vbulletin->GPC['team_ident']) . "
|
|
#18
11-30-2007, 09:10 PM
|
||||
|
||||
|
Can you define the maxes for both int and num?
Im using num for a post When i enter 9999999999999 it passes -15304950.76 When i enter 999999999999 it passes 2764471.32 When i enter 99999999999 it passes 13161348.12 When i enter 9999999999 it passes -7273800.68 When i enter 999999999 it passes 12157520.92 When i enter 99999999 it passes 14100653.08 When i enter 9999999 it finally passes 9999999 Whats going on here?? NOTE: before it is displayed it is passed thru this. (truncates the number to 2 decimals without rounding. Quote:
Seems my Truncate function was causing it, But now it passes numbers like 1.0E+17 How do i restrict it from doing this and just passing the number?
|
|
#19
11-19-2008, 09:38 PM
|
|||
|
|||
|
How can I use a cleaned variable in a template
|
|
#21
03-08-2009, 01:39 AM
|
||||
|
||||
|
Hello,
I could not understand the full Code safe deleted for?Options delete: checkbox = submit OR Delete text link PHP Code:
|
 |
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
|
|
All times are GMT. The time now is 08:46 AM.