Well, it's been a busy year for ImpressCMS, with lots of new changes in the core since 1.3. In this post I'm going to discuss one new function that has been created for use in filtering and sanitizing user content.
The function I am going to explain is part of the new DataFilter class.
Firstly, to use the new class you simply call it statically; that is, there is no need to create an instance of it in order to use it.
Now to the function checkVar(). There are many parameters that can be used with this function, and although it may seem complicated at first viewing, it really isn't complicated to use.
To use the function in your code you simply do the following:
$var = icms_core_DataFilter::checkVar($var, $type, $option1, $option2);
$var is the variable you want to check or sanitize.
$type is the type of filter you want to check $var with.
$option1 and $option2 are options specific to the chosen filter.
Currently there are 7 different types of filter you can use for $type:
url, email, ip, str, int, html & text
Each of these has its own options available.
I will start with the 'url' type.
$type = 'url'
options available for $option1
'scheme' = URL must be an RFC compliant URL (like http://example)
'host' = URL must include host name (like http://www.example.com)
'path' = URL must have a path after the domain name (like www.example.com/example1/)
'query' = URL must have a query string (like "example.php?name=Vaughan&age=34")
options available for $option2
'true' = URLEncode the URL (ie. http://www.example > http%3A%2F%2Fwww.example)
'false' = Do Not URLEncode the URL
At this point I will point out that the return value is mixed; that is, it could return TRUE or FALSE or even a $value depending on your use case.
To validate and sanitize a typical URL (http://www.impresscms.org):
$url = 'http://www.impresscms.org';
$url = icms_core_DataFilter::checkVar($url, 'url');
if (!$url) { echo 'Invalid URL'; }
echo $url; // should display 'http://www.impresscms.org' if the value was valid
To check the same URL but return the value URL encoded:
$url = 'http://www.impresscms.org';
$url = icms_core_DataFilter::checkVar($url, 'url', 0, 1);
if (!$url) { echo 'Invalid URL'; }
echo $url; // should return 'http%3A%2F%2Fwww.impresscms.org' if the value was valid
To check the same URL but using the 'query' parameter set in $option1:
$url = 'http://www.impresscms.org';
$url = icms_core_DataFilter::checkVar($url, 'url', 'query');
if (!$url) { echo 'Invalid URL'; }
The above should display 'Invalid URL' because $url did not contain a query string such as ( http://www.impresscms.org/example.p ... amp;age=34 )
$type = 'email'
options available for $option1
'0' or 'false' = Return the email address as-is, NOT protected from spammers.
'1' or 'true' = Return the email address in a form that is protected from spammers.
options available for $option2
'0' or 'false' = Do not check the banned email list.
'1' or 'true' = Reject the email if it is listed in the banned email address list.
To use:
$email = 'vaughan@impresscms.org';
$email = icms_core_DataFilter::checkVar($email, 'email');
if (!$email) { echo 'Invalid Email'; }
echo $email; // should display 'vaughan@impresscms.org' if the value was valid
$email = 'vaughan@impresscms.org';
$email = icms_core_DataFilter::checkVar($email, 'email', 1);
if (!$email) { echo 'Invalid Email'; }
echo $email; // should display 'vaughan at impresscms dot org' if the value was valid
$email = 'vaughan@impresscms.org';
$email = icms_core_DataFilter::checkVar($email, 'email', 0, 1);
if (!$email) { echo 'Invalid Email'; }
echo $email; // should display 'vaughan@impresscms.org' if the value was valid & not in the bad_emails or spamlist.
$type = 'ip'
options available for $option1
'ipv4' = Requires the value to be a valid IPv4 IP (like 255.255.255.255)
'ipv6' = Requires the value to be a valid IPv6 IP (like 2001:0db8:85a3:08d3:1319:8a2e:0370:7334)
options available for $option2
Not used/required.
To use:
$ip = '127.0.0.1';
$ip = icms_core_DataFilter::checkVar($ip, 'ip', 'ipv4');
if (!$ip) { echo 'Invalid IP'; }
echo $ip; // should display '127.0.0.1' if the value was a valid IPv4 address
$ip = '2001:0db8:85a3:08d3:1319:8a2e:0370:7334';
$ip = icms_core_DataFilter::checkVar($ip, 'ip', 'ipv6');
if (!$ip) { echo 'Invalid IP'; }
echo $ip; // should display '2001:0db8:85a3:08d3:1319:8a2e:0370:7334' if the value was valid Ipv6
$type = 'str'
options available for $option1
'noencode' = Do NOT encode quotes
'strlow' = Strip characters with ASCII value below 32
'strhigh' = Strip characters with ASCII value above 127
'encodelow' = Encode characters with ASCII value below 32
'encodehigh' = Encode characters with ASCII value above 127
'encodeamp' = Encode the & character to &amp;
options available for $option2
Not used/required.
To use:
$str = 'testing string';
$str = icms_core_DataFilter::checkVar($str, 'str');
echo $str; // should return 'testing string'; unsafe characters are removed
$str = 'testing & testing';
$str = icms_core_DataFilter::checkVar($str, 'str', 'encodeamp');
echo $str; // should return 'testing &amp; testing'; unsafe characters are removed and & is encoded.
$type = 'int'
Validates whether the value is an integer or not. If $option1 and $option2 are also set, it will validate that the value lies within that range.
options available for $option1
'any integer value' = the minimum value of the integer range
options available for $option2
'any integer value' = the maximum value of the integer range
To use:
$int = '2500';
$int = icms_core_DataFilter::checkVar($int, 'int');
if (!$int) { echo 'Value not an integer'; }
echo $int; // should return '2500'
$int = '2500';
$int = icms_core_DataFilter::checkVar($int, 'int', 1000, 3000);
if (!$int) { echo 'Value is not between $option1 & $option2'; }
echo $int; // should return '2500'
$int = '2500';
$int = icms_core_DataFilter::checkVar($int, 'int', 1000, 2000);
if (!$int) { echo 'Value is not between $option1 & $option2'; }
// should be rejected because the value is not within the range set in $option1 & $option2
$type = 'html'
This type should always be used when dealing with HTML.
options available for $option1
'input' = Filters HTML for input to the DB (we should always use this to sanitize HTML BEFORE input to the DB!!)
'output' = Filters HTML for rendering output to screen. Very light filtering, if any (you must make sure that HTML is filtered before inputting to the DB, no exceptions!)
'print' = Filters HTML for output to a printer (not used yet)
options available for $option2
Not used/required for the HTML type.
To use:
$html = '<div id="test">TESTING HTML INPUT TO DB</div>';
$html = icms_core_DataFilter::checkVar($html, 'html', 'input');
echo $html; // will return valid W3C XHTML compliant, sanitized HTML that is safe to store in the DB. Always use this when dealing with HTML input.
$html = '<div id="test">TESTING HTML INPUT TO DB</div>';
$html = icms_core_DataFilter::checkVar($html, 'html', 'output');
echo $html; // will display HTML for page output. WARNING! Only light filtering (if any) is done on output; it is mandatory to use the 'input' method before storing any HTML in the DB.
$type = 'text'
This type should always be used when dealing with plaintext areas only!
options available for $option1
'input' = Filters plaintext for input to the DB (we should always use this BEFORE input to the DB!!). Will preserve [BBCODE].
'output' = Filters plaintext for rendering output to screen. Will convert [BBCODE] (if any) to HTML for rendering text for output to screen.
'print' = Filters plaintext for output to a printer (not used yet)
options available for $option2
Not used/required for the text type.
To use:
$text = 'this is a test [b]bold test[/b]'; // BBCode tags kept as typed by the user
$text = icms_core_DataFilter::checkVar($text, 'text', 'input');
echo $text; // will return 'this is a test [b]bold test[/b]'; text is filtered and treated with htmlspecialchars(), BBCode is preserved for storage
$text = 'this is a test [b]bold test[/b]';
$text = icms_core_DataFilter::checkVar($text, 'text', 'output');
echo $text; // will display 'this is a test <strong>bold test</strong>'. Note! Use this for output purposes only; we want to preserve BBCode when storing to the DB, so use 'input' for UPDATE/SET queries (user input).
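As an added example (not code from the original post or from ImpressCMS itself), here is how the filters above combine in a single form handler that keeps every value off the database until checkVar() has accepted it. The form field names, the constructed $post array and the age range 13..120 are assumptions.

```php
<?php
// Added example: filtering a hypothetical "profile update" form with
// icms_core_DataFilter::checkVar before the values reach the database.
// Field names and the sample $post array are assumed, not from ImpressCMS.

function filterProfileSubmission(array $post)
{
    $errors = array();
    $clean  = array();

    // email: $option1 = 0 (plain address), $option2 = 1 (reject banned addresses)
    $email = icms_core_DataFilter::checkVar($post['email'], 'email', 0, 1);
    if (!$email) { $errors[] = 'Invalid or banned email address'; }
    else { $clean['email'] = $email; }

    // homepage: must carry a host name, stored unencoded ($option2 = 0)
    $url = icms_core_DataFilter::checkVar($post['homepage'], 'url', 'host', 0);
    if (!$url) { $errors[] = 'Homepage must be a full URL including a host name'; }
    else { $clean['homepage'] = $url; }

    // age: integer within the assumed range 13..120 (0 cannot pass, so !$age is safe)
    $age = icms_core_DataFilter::checkVar($post['age'], 'int', 13, 120);
    if (!$age) { $errors[] = 'Age must be a whole number between 13 and 120'; }
    else { $clean['age'] = $age; }

    // signature: plaintext with BBCode; 'input' keeps the BBCode for storage
    $clean['signature'] = icms_core_DataFilter::checkVar($post['signature'], 'text', 'input');

    // bio: HTML, always passed through 'input' before the DB, no exceptions
    $clean['bio'] = icms_core_DataFilter::checkVar($post['bio'], 'html', 'input');

    return array('errors' => $errors, 'clean' => $clean);
}

// Constructed sample submission (what a browser POST might look like)
$post = array(
    'email'     => 'vaughan@impresscms.org',
    'homepage'  => 'http://www.impresscms.org',
    'age'       => '34',
    'signature' => 'Regards, [b]Vaughan[/b]',
    'bio'       => '<div id="bio">Hello <b>world</b></div>',
);

$result = filterProfileSubmission($post);
if ($result['errors']) {
    foreach ($result['errors'] as $e) { echo $e, "\n"; } // refuse the whole update
} else {
    // $result['clean'] is what goes into the UPDATE/SET query
}

// When rendering later, run the stored values through the 'output' filters:
// echo icms_core_DataFilter::checkVar($row['signature'], 'text', 'output');
```

Because checkVar() returns false on failure, every field is checked before any of them is written, so a single bad value rejects the whole submission rather than half of it being stored.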