
My question is more about design practice, but where should I start the filtering? I figured the class would be the best place for it, but wouldn't that put the instantiated object ($objReg) at risk for code injection using unfiltered POST variables like that?

How do I get around this problem? Is there a better design for this?

Index.php is the handler for all calls. So for example it will call register.php's function register2() (i.e. index.php?action=register2), and the function in turn instantiates the object as seen below.

Is this safe, do you think? I'm trying to follow DRY and OOD principles in order to avoid confusion.

main code @ register.php (includes omitted):

function register2(){
    $objReg = new registration($_POST['username'],$_POST['password'],$_POST['email']);
    $objReg->register();
    unset($objReg);
}

clean class @ security.php:

class clean
{
    public function process($data)
    {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }
}

registration class @ register.class (register method omitted):

class registration
{
    // Registration stuffs
    private $regUser = NULL;
    private $regPass = NULL;
    private $regEmail = NULL;

    public function __construct($regName, $regPass, $regEmail)
    {
        //Set the class properties if they aren't NULL.
        if (!empty($regName) AND !empty($regPass) AND !empty($regEmail)){
            $objClean = new clean;
            $this->regUser  = $objClean->process($regName);
            $this->regPass  = $objClean->process($regPass);
            $this->regEmail = $objClean->process($regEmail);
            unset($objClean);
        }
    }
}
Kevin

1 Answer


I think this design is not bad, but usually the sanitization is done in the controller in an MVC architecture design. I think the reason is that it should be done as soon as possible, so maybe you can do the filtering before calling your class:

function register2(){

    $objClean = new clean;

    $username = $objClean->process($_POST['username']);
    $password = $objClean->process($_POST['password']);
    $email = $objClean->process($_POST['email']);

    $objReg = new registration($username,$password,$email);
    $objReg->register();
    unset($objReg);
}

In this way you pass the parameters to the class already filtered. The functionality is going to be the same, but this is how it's usually done.

Regarding the way of filtering: if your PHP version is >= 5.2.0, you can use the function filter_var, which is very nice for this. It has a lot of filter types depending on the use of the var. You can see them here.

OscarAkaElvis
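
The filter_var approach mentioned in the answer, applied to the three registration fields at the controller level. This is an added example, not code from the question or the answer; the helper names field() and validateRegistration(), the username pattern and the 8-character password minimum are assumptions chosen for illustration.

```php
<?php
// Added example: validate registration fields with filter_var() before they
// reach the class. Function names and rules below are assumptions.

// Return a POST field as a string, or '' when missing or not a string (e.g. an array).
function field(array $post, $key)
{
    return (isset($post[$key]) && is_string($post[$key])) ? $post[$key] : '';
}

function validateRegistration(array $post)
{
    $errors = array();

    // Username: allow-list pattern; anything outside it is rejected, not rewritten.
    $username = filter_var(trim(field($post, 'username')), FILTER_VALIDATE_REGEXP,
        array('options' => array('regexp' => '/\A[A-Za-z0-9_]{3,20}\z/')));
    if ($username === false) {
        $errors[] = 'username';
    }

    // Email: FILTER_VALIDATE_EMAIL returns the address, or false when malformed.
    $email = filter_var(trim(field($post, 'email')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }

    // Password: length check only. It is not trimmed or escaped, because that
    // would change the secret the user typed.
    $password = field($post, 'password');
    if (strlen($password) < 8) {
        $errors[] = 'password';
    }

    return array('ok' => count($errors) === 0, 'errors' => $errors,
        'values' => array('username' => $username, 'password' => $password, 'email' => $email));
}

// Constructed sample input standing in for $_POST.
$samples = array(
    array('username' => 'kevin_01', 'password' => 'p&ss<word>1', 'email' => 'kevin@example.com'),
    array('username' => '<b>kevin</b>', 'password' => 'short', 'email' => 'not-an-email'),
);
foreach ($samples as $post) {
    $result = validateRegistration($post);
    echo $result['ok'] ? "accepted\n" : 'rejected: ' . implode(', ', $result['errors']) . "\n";
}
```

The validated values can then be passed to the registration constructor in place of the raw $_POST entries; HTML escaping with htmlspecialchars is left for the point where a value is printed into a page.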