* Function to secure input strings
*
* @param $str The unsecured string
+ * @param $strip Strip tags
* @return $str A (hopefully) secured string against XSS and other bad things
*/
-function secureString ($str) {
- $str = trim(strip_tags($str));
+function secureString ($str, $strip=true) {
+ // Shall we strip HTML code?
+ if ($strip) $str = strip_tags($str);
+
+ // Trim string
+ $str = trim($str);
+
+ // Encode in entities
$str = htmlentities($str, ENT_QUOTES);
return $str;
}
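Review bot: The `htmlentities($str, ENT_QUOTES)` call that follows the new `$strip` branch still passes no charset, so its behaviour depends on the interpreter's default (ISO-8859-1 before PHP 5.4, UTF-8 since), and an input containing an invalid byte sequence for that charset makes `htmlentities` return an empty string, silently discarding the whole value rather than "securing" it. Name the charset explicitly and substitute invalid sequences where the runtime supports it, e.g. `$flags = ENT_QUOTES | (defined('ENT_SUBSTITUTE') ? ENT_SUBSTITUTE : 0);` then `$str = htmlentities($str, $flags, 'UTF-8');` (use whatever charset the rest of the application emits, since the file's `set_magic_quotes_runtime` call suggests an older PHP target). The docblock should also say what the new flag means and that it does not change the output contract, e.g. `@param bool $strip Strip HTML tags before entity-encoding (default true); with false, tags survive only as encoded text`, and it is worth a caveat that entity encoding covers HTML body/attribute output only, not JS, SQL or URL contexts. The docblock's opening `/**` line lies outside the hunk.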
// Run only once this security check/exchange
if (defined('__SECURITY')) return;
-// Fatal messages goes here
-global $FATAL;
-$FATAL = array();
-
// Runtime/GPC quoting is off now...
@set_magic_quotes_runtime(false);
@ini_set('magic_quotes_gpc', false); // This may not work on some systems
$_POST = $GLOBALS['_POST'];
}
-if (!isset($_COOKIE)) {
- global $_COOKIE;
- $_COOKIE = $GLOBALS['_COOKIE'];
-}
-
// Include IP-Filter here
//require("/usr/share/php/ipfilter.php");
$_POST[$seckey] = strip_tags($_POST[$seckey]);
}
}
-
- // ... and finally cookies
- foreach ($_COOKIE as $seckey => $secvalue) {
- if (is_array($secvalue)) {
- // Throw arrays away...
- unset($_COOKIE[$seckey]);
- } else {
- // Only variables are allowed (non-array) but we secure them all!
- foreach ($SEC_CHARS['from'] as $key => $char) {
- // Pass all through
- $_COOKIE[$seckey] = str_replace($char , $SEC_CHARS['to'][$key], $_COOKIE[$seckey]);
- }
-
- // Strip all other out
- $_COOKIE[$seckey] = strip_tags($_COOKIE[$seckey]);
- }
- }
}
// Activate caching or transparent compressing when it is not already done