[geeklog-devel] New Data Filtering Class
Blaine Lang
devel at portalparts.com
Wed Nov 12 16:42:02 EST 2008
A couple of years ago, I added the sanatize.class.php as a first attempt
for an OO interface and improvements to our COM_applyFilter. I never
really used it nor did anyone else. Over the past months, I have taken
up the cause again and have submitted my latest approach into CVS as
its replacement.
The filter is a class and allows you to submit an array of variables to
be filtered, optionally set the filtering method per variable and return
the filtered data in a single associative array. The COM_applyFilter
works well for INT and CHAR type filtering but would not handle text
that would be expected to include quotes. This new class has support for
INT, CHAR and TEXT filtering modes and can easily be extended. It would be
easy now to add an HTML filter that used the new HTML_purifier pear project.
The class has several methods or ways to use it so that you can either
load up a lot of data to be filtered or just call it in one line like
COM_applyFilter works today.
While working on AJAX based projects, you need to filter the data first
for SQL use and then run stripslashes on the data if you're returning the
data to your AJAX handler code to update the webpage. To better handle
this, I have added methods to return data filtered and prep'ed for DB or
Web.
The following are my comments from the class file.
/* This class can be used to filter a single variable or an array of data
 * Three filtering modes are currently supported but the class can easily be extended
 * Mode int:  will return integer value or 0 if NULL or non-integer
 * Mode char: strong character filter that will remove any HTML or quotes
 * Mode text: use for text fields; will use the site HTML filtering functions and
 *            return user-allowable HTML as well as quotes
 *
 * Data can be returned filtered or optionally prep'ed for DB or Web use
 * Usage Examples:
 * $filter = new sanitizer();
 *
 * Example 1: Load up data to be filtered and then call a method to return data
 * prep'ed for DB, Web or default format
 * Better if you have a lot of data to filter and if you want to return it in both
 * DB and Web presentation format
 *
 * $charvars = array(
 *     'id'   => $_REQUEST['id'],
 *     'mode' => $_REQUEST['mode']
 * );
 * $textvars = array(
 *     'title'    => $_REQUEST['movietitle'], // Able to change the key that will be used in the filtered return array
 *     'desc'     => $_REQUEST['moviedesc'],
 *     'keywords' => $_REQUEST['keywords'],
 * );
 * // Initialize the filter and load the data and types to be filtered
 * $filter = new sanitizer();
 * $filter->cleanData('char', $charvars);
 * $filter->cleanData('text', $textvars);
 * $dbData  = $filter->getDbData();  // Filtered data is prep'ed for SQL use - addslashes added
 * $webData = $filter->getWebData(); // Filtered data (e.g. text mode) with stripslashes already applied
 * $title = $dbData['title'];
 * DB_query("UPDATE {$_TABLES['media']} SET title='{$dbData['title']}' WHERE id='{$dbData['id']}'");
 *
 * Example 2: Define the variables to be filtered and their mode; returns sanitized data
 * Not able to specify which SUPER GLOBAL to filter data from unless you call multiple methods,
 * but you can specify multiple filtering modes. Methods exist for GET, POST, REQUEST and COOKIE
 * $filter = new sanitizer();
 * $clean = $filter->cleanPostData(array('movietitle' => 'text', 'id' => 'int'));
 * DB_query("UPDATE {$_TABLES['media']} SET title='{$clean['movietitle']}' WHERE id='{$clean['id']}'");
 *
 * Example 3: Pass in multiple variables but a single filtering mode
 * $clean = $filter->getCleanData('text', array('title' => $_POST['movietitle'], 'desc' => $_POST['moviedesc']));
 *
 * Example 4: Pass in a single variable to sanitize
 * $id = $filter->getCleanData('int', $_GET['id']);
 *
 * How to extend allowable types - add a new function
 * Example Type: Int -- function _cleanInt(), so a function called _cleanDate could be added for a date filter
 */
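As an added illustration of the interface described in those comments (this is not Geeklog's sanitizer class nor the code committed to CVS), a minimal PHP class with cleanData()/getCleanData(), separate getDbData()/getWebData() copies, and mode dispatch to a _clean<Mode>() method so that a new type is one new method. Assumptions: strip_tags() with a short allow-list stands in for the site HTML filter, and a single unescaped copy is kept so the Web copy needs no stripslashes pass.

```php
<?php
// Added illustration of the interface above; not Geeklog's sanitizer class.
// Assumption: strip_tags() with a short allow-list stands in for the site HTML filter.
class sanitizer
{
    private $clean = array();   // filtered values, keyed by the caller's chosen names

    // Filter a scalar (returned directly) or an array (stored for getDbData()/getWebData())
    public function cleanData($mode, $data)
    {
        if (!is_array($data)) {
            return $this->applyMode($mode, $data);
        }
        foreach ($data as $key => $value) {
            $this->clean[$key] = $this->applyMode($mode, $value);
        }
        return $this->clean;
    }
    // Examples 3 and 4: same filtering, nothing retained in this object
    public function getCleanData($mode, $data)
    {
        $scratch = new sanitizer();
        return $scratch->cleanData($mode, $data);
    }

    // DB copy: addslashes for quoted SQL literals, as the original design describes;
    // prepared statements remain the stronger fix, this only mirrors the 2008 API.
    public function getDbData()  { return array_map('addslashes', $this->clean); }
    // Web copy: the unescaped values, so the caller needs no stripslashes pass
    public function getWebData() { return $this->clean; }

    // Mode dispatch: adding a _cleanDate() method makes mode 'date' available
    private function applyMode($mode, $value)
    {
        $method = '_clean' . ucfirst(strtolower($mode));
        if (!method_exists($this, $method)) {
            throw new InvalidArgumentException("Unknown filter mode: $mode");
        }
        return $this->$method($value);
    }
    private function _cleanInt($v)  { return filter_var($v, FILTER_VALIDATE_INT) === false ? 0 : (int) $v; }
    private function _cleanChar($v) { return strip_tags(str_replace(array('"', "'", '\\'), '', (string) $v)); }
    // Allow-list stand-in; tag attributes are NOT filtered here, the site filter must do that
    private function _cleanText($v) { return strip_tags((string) $v, '<b><i><p>'); }
}

$filter = new sanitizer();                                   // constructed sample input below
$filter->cleanData('char', array('id' => '42"', 'mode' => 'edit<script>'));
$filter->cleanData('text', array('title' => "Bob's <b>Movie</b>"));
$dbData = $filter->getDbData(); $webData = $filter->getWebData();
```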