PHP: Cleaning input from multiple parameter sources

In PHP, parameters can arrive at a page from multiple sources: GET, POST, SESSION variables, cookies, etc. There are often situations where an expected parameter can arrive from more than one of these variable scopes. Rather than write conditional code to check each possible scope for the incoming variable, I wrote a piggy-back method called captureArg() on top of an open-source input filter class (called “$clean” in the examples below) I found on the Net (there are numerous excellent examples; pick one).

Let’s say I have a form action script that processes a user’s form submission, grabs values from a database based on criteria found in the incoming fields, and returns the result set. The script is expecting a field called ‘sk’ (for search keyword), and it may arrive from either the GET or POST scope, but may also have a favorite value stored as a cookie or even a session variable. Rather than check all four, I call captureArg() like this:

require_once 'class.input_filter.php';
$clean = new input_filter();
$tSelectionKeyword = $clean->captureArg('sk', 'VAR');

In this example, I call the captureArg() method of the input_filter class and pass it the name of the parameter and its expected type. The method treats ‘VAR’, ‘TEXT’, ‘TXT’, and ‘CHAR’ as aliases for the same text type. I can also pass an optional default value as the third method parameter in case the variable ‘sk’ doesn’t exist in any of the known scopes. In this example, I’m leaving it up to the method to set a default value.

At this point, I can use captureArg() to collect just about any incoming parameter using a single line of code, without having to guess what variable scope it exists within. Here are some examples:

$tUserID = $clean->captureArg('user_id');   // Integer type with a default value of zero

$tPostDate = $clean->captureArg('post_date', 'DATE', '1980-01-01', 'Y-m-d');
// Date type, default value, and format

$tOrderTotal = $clean->captureArg('order_total', 'FLOAT', '0.0');

Here is how the method works. The scopes are checked in a fixed order, so a value already held in the session wins over anything the client sends in the POST body or the query string, and the default is used only when no scope holds the parameter. The code can be expanded to cover more variable types, and even additional variable scopes, fairly easily.

function captureArg($pInval = '', $pType = 'INT', $pDefaultValue = '0', $pDateFormat = 'Y-m-d') {
    // Scopes are checked in order of trust: the server-side session first,
    // then the POST body, then the query string. The first scope that holds
    // the parameter wins; otherwise the caller's default is used.
    // ($_SESSION is the superglobal; the old $HTTP_SESSION_VARS is not
    // visible inside a method without a global declaration.)
    if (isset($_SESSION[$pInval])) {
        $tRetVal = $this->process($_SESSION[$pInval]);
    } else if (isset($_POST[$pInval])) {
        $tRetVal = $this->process($_POST[$pInval]);
    } else if (isset($_GET[$pInval])) {
        $tRetVal = $this->process($_GET[$pInval]);
    } else {
        $tRetVal = $pDefaultValue;
    }
    $tType = strtoupper($pType);

    switch ($tType) {
        case 'INT':
            $tRetVal = intval($tRetVal);
            break;
        case 'FLOAT':
            $tRetVal = floatval($tRetVal);
            break;
        case 'VAR':   // the four text aliases share one case
        case 'TEXT':
        case 'TXT':
        case 'CHAR':
            $tRetVal = trim($tRetVal);
            break;
        case 'DATE':
            // strtotime() returns false for unparseable input; fall back to
            // the default instead of formatting the epoch as 1970-01-01
            $tTime = strtotime(trim($tRetVal));
            if ($tTime === false) {
                $tTime = strtotime($pDefaultValue);
            }
            $tRetVal = date($pDateFormat, $tTime);
            break;
        default:
            $tRetVal = trim($tRetVal);
    }

    return $tRetVal;
}

You may notice a call to a local method called $this->process(). The process() method is part of the input filter class I obtained and applies several input-filtering steps, such as stripping HTML tags.
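The same idea, written as an added stand-alone example rather than the post's input_filter class: the scope order is an explicit list, non-scalar values (a client sending sk[]=x) are discarded, and dates must round-trip through the expected format. The function, parameter and variable names are hypothetical, and strip_tags() stands in for the class's process() method.

```php
<?php
// Added example, not the post's input_filter class: a stand-alone capture_arg()
// with an explicit scope order, non-scalar rejection and strict date validation.
function capture_arg(string $name, string $type = 'INT', $default = '0',
                     string $dateFormat = 'Y-m-d', ?array $scopes = null)
{
    // Server-held state first, client-controlled scopes last: a client cannot
    // override a value the session already holds, and cookies rank below the
    // POST body and the query string because the client sets them trivially.
    $scopes = $scopes ?? ['SESSION' => $_SESSION ?? [], 'POST' => $_POST,
                          'GET' => $_GET, 'COOKIE' => $_COOKIE];
    $raw = null;
    foreach ($scopes as $source) {
        if (isset($source[$name])) {
            $raw = $source[$name];
            break;
        }
    }
    // "sk[]=x" in a query string makes $_GET['sk'] an array: trim() on it throws
    // a TypeError on PHP 8 and intval() returns 1. Treat non-scalars as absent.
    if ($raw === null || !is_scalar($raw)) {
        $raw = $default;
    }
    $raw = strip_tags((string) $raw);   // stand-in for the post's $this->process()

    switch (strtoupper($type)) {
        case 'INT':
            // FILTER_VALIDATE_INT rejects "12abc" instead of truncating it to 12
            $v = filter_var($raw, FILTER_VALIDATE_INT);
            return $v === false ? (int) $default : $v;
        case 'FLOAT':
            $v = filter_var($raw, FILTER_VALIDATE_FLOAT);
            return $v === false ? (float) $default : $v;
        case 'DATE':
            // Require a round-trip through the format: strtotime() would accept
            // "2024-02-30" by rolling it over to March, and unparseable text
            // would come back from date() as the epoch.
            $d = DateTime::createFromFormat('!' . $dateFormat, trim($raw));
            $ok = $d !== false && $d->format($dateFormat) === trim($raw);
            return $ok ? $d->format($dateFormat) : (string) $default;
        default:   // VAR, TEXT, TXT, CHAR and anything unknown
            return trim($raw);
    }
}

// Constructed request data standing in for what PHP would populate:
$_SESSION = []; $_COOKIE = ['sk' => 'sandals'];
$_POST    = ['sk' => 'boots'];
$_GET     = ['sk' => 'shoes<script>', 'user_id' => ['1'], 'post_date' => '2024-02-30'];
var_dump(capture_arg('sk', 'VAR'), capture_arg('user_id'),
         capture_arg('post_date', 'DATE', '1980-01-01'));
```

With the constructed data the first call yields 'boots' because POST outranks both GET and the cookie, the array sent for user_id is discarded in favour of the default 0, and the impossible date falls back to 1980-01-01.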
