Cleaning up Your Inputs in PHP

    July 10, 2006

Cleaning up your inputs from $_POST, $GET and $_REQUEST is an important task if you’re looking at security of your PHP applications.

You can prevent most kinds on Cross Site Scripting (XSS) attacks if you know how to clean up the user inputs. Here’s how to do it using an Input filtering class from PHP Classes. To get started, head over to the PHP Classes page for the Input Filter Class by Daniel Morris and download the class file. (

Once you get the class file, here’s how you can go about cleaning up your input variables.

<?php $before = $_REQUEST['before']; $myFilter = new InputFilter(); $after = $myFilter->process($before); echo $after; ?>

So if you pass the string “<script>alert(‘xss’);</script> to the code above, the input filter changes this to alert(‘xss’); after removing the script tags. All you have to do is to instantiate the InputFilter class with the following line: $myFilter = new InputFilter();

and run your string to be processed using the process class:

$after = $myFilter->process($before);

You can also send entire arrays to be processed by the InputFilter class:

$_POST = $myFilter->process($_POST);

This class can also be used to remove specific HTML tags from your input string. Let’s say for example, you want to remove all the bold tags < b> and < strong> from your HTML string, all you need to do is :

<?php include 'class.inputfilter.php'; $before = $_REQUEST['before']; $tags = array("b","strong"); $myFilter = new InputFilter($tags, array(),1, 1); $after = $myFilter->process($before); echo $after; ?>

If we pass the string “<strong> test</strong> <em>hello world</em>” the output of the script will be “test < em>hello world < /em>”

If you’d like to retain only the < b> and <strong> tags in the above example, change line 4 to read

$myFilter = new InputFilter($tags, array(),0, 1);

This will change the output to < strong>test < /strong> hello world Let’s break up the constructor for the InputFilter class :

InputFilter($tagsArray, $attrArray, $tagsMethod , $attrMethod);

$tagsArray is an array of user defined tags $arrtArray is an array of user defined attributes $tagsMethod = 0 or 1 where 0 is used when only user defined tags should be allowed. 1 is used to strip the user defined tags. Similarly $attrMethod is used to retain user defined attributes is it’s set as 0 and to strip user defined attributes if set to 1.

Let’s see the attribute filtering provided by this class in action. Let’s take the following HTML string as an example:

<img src="test.jpg" target="_blank" onclick="dosomething();" onmouseover="dosomethingelse();">

Let’s make an filter to just retain the src and target attributes in the HTML above

$tags = array("img","b"); $attr = array("src","target"); $myFilter = new InputFilter($tags, $attr,0, 0); $after = $myFilter->process($before);

The output should show

<img src="test.jpg" target="_blank>

It’s as simple as that.

Add to | DiggThis | Yahoo! My Web | Furl

Vinu Thomas is a consultant on Webdesign and Internet Technologies. His website is You can discuss about this article or any PHP/MYSQL related issues in our Discussion Forums: