Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 
  • Sanitization in Cakephp 2

    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 646
    Comment on it

    Sanitization in Cakephp 2

    Sanitize in Cakephp is used to rid user submitted data and any other unwanted information.  Sanitize can be used anywhere in controllers or models. Before using Sanitization, you need to import its library by calling it before the core controller class

     

    App::import('Sanitize');
    
    class MyController extends AppController {
        ...
        ...
    }

     

    Now you can use Sanitize methods in MyController. There are many methods provided for data sanitization in Cakephp 2. These are:

     

    paranoid

     

    Syntax: paranoid(string $string, array $allowedChars);

    This function will strip out plain-jane alphanumeric character of the target $string. This will return string (sanitized string).

     

    Write the following code in the controller to get rid of the bad string.

     

    $string = ";^;:@@ <script><html><   // >@@#";
    echo Sanitize::paranoid($string);
    // output: scripthtml
    echo Sanitize::paranoid($string, array(' ', '@'));
    // output: @@ scripthtml    @@

     

    html

    Syntax: html(string $string, boolean $remove = false)

    • remove (boolean): If it is set to true then it will strip all HTML tags before encoding
    • string:  the charset used to encode the string

    It will return string (sanitized string).

    This method is used to strip the HTML completely if $remove is set to true. If you don't want to break your images or layouts or scripts inside your HTML pages then this method is very useful. It will detect HTML content and will be removed rather than rendering as HTML entities.

    Sanitize::html(): will call htmlentities()

     

    Write the code below to get rid of bad string.

     

    $string = '<font size="99" color="#FF0000">hello world</font><script>....</script>';
    echo Sanitize::html($string);
    // output: &lt;font size=&quot;99&quot; color=&quot;#FF0000&quot;&gt;hello world&lt;/font&gt;&lt;script&gt;....&lt;/script&gt;
    echo Sanitize::html($string, true);
    // output: hello world....
    

     

    escape

    Syntax: escape(string $string, string $connection)

    • string: String to sanitize
    • connection: optional is default. It is name of the database connection, as named in your app/config/database.php file

    It will return string (sql safe string).

    This method is used to escape SQL statements by adding slashes depending on current magic_quotes_gpc setting of the system. This method is alternative of mysql_real_escape_string in php.

     

    clean

     

    Syntax:  Sanitize::clean(mixed $data, mixed $options)

    • $options: This argument can either be a string or an array. It is a database connection name when a string is provided. It will be merged with the following options if an array is provided:  encode, backslash, escape, connection, dollar, odd_spaces, carriage and unicode.

    This function is multi-purpose cleaner, that can be used on entire arrays (For example  $this->data). This will return the clean version. This function takes an array or string.  This is how Sanitize::clean method can be used.

    $this->data = Sanitize::clean($this->data, array('encode' => false));

     

    stripWhitespace

    Syntax: Sanitize::stripWhitespace($string)

    • $string: String to sanitize

    This will return string whitespace sanitized string.  This is the function for stripWhitespace

    public static function stripWhitespace($str) {
          return preg_replace('/\s{2,}/u', ' ', preg_replace('/[\n\r\t]+/', '', $str));
    }

     

    This method is used to remove this characters: \r, \n and \t, and replace 2 or more spaces with just one.

     

    stripAll

    Syntax: stripAll( string $str )

    • $string: String to sanitize

    This will return sanitized string.

    This method will strip extra whitespace, images, scripts and stylesheets from output.

     

    public static function stripAll($str) {
           return Sanitize::stripScripts(
               Sanitize::stripImages(
                   Sanitize::stripWhitespace($str)
               )
           );
    }

     

     

    stripImages

     

    Syntax: stripImages( string $str )

    • $string: String to sanitize

    This method will return string with images stripped.

     

    public static function stripImages($str) {
             $preg = array(
                 '/(<a[^>]*>)(<img[^>]+alt=")([^"]*)("[^>]*>)(<\/a>)/i' => '$1$3$5<br />',
                 '/(<img[^>]+alt=")([^"]*)("[^>]*>)/i' => '$2<br />',
                 '/<img[^>]*>/i' => ''
             );
     
             return preg_replace(array_keys($preg), array_values($preg), $str);
    }

     

    stripScripts

    Syntax: stripScripts( string $string )

    • $string: String to sanitize

    This will return string with ..

    This method will Strip scripts and stylesheets from output

     

    public static function stripScripts($str) {
             $regex =
                 '/(<link[^>]+rel="[^"]*stylesheet"[^>]*>|' .
                 '<img[^>]*>|style="[^"]*")|' .
                 '<script[^>]*>.*?<\/script>|' .
                 '<style[^>]*>.*?<\/style>|' .
                 '<!--.*?-->/is';
             return preg_replace($regex, '', $str);
    }

     

     

    Thanks for reading

     

 0 Comment(s)

Sign In
                           OR                           
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: