Archive for March, 2010

Protect class’s properties

March 28, 2010

The following class can be used as a base class for your existing class(es) when you want them to disallow creating properties at run-time.

class SafeObject


<?php
/**
* base class SafeObject
*
* @description: This base class protects other classes from having properties instantiated at run-time
* @author: Costin Trifan
* @date: 28.03.2010
* @version: 1.0
* @status: release
*/
class SafeObject
{
	/**
	* The list of public properties that can be set to this class
	* @type array
	* @access private
	* @see __get(), __set(), AllowedProperties()
	*/
	private $properties = array();

	/**
	* Whether or not to restrict access to class's properties.
	* @type bool
	* @access private
	* @see RestrictedAccess()
	*/
	private $restricted = true;

/**
*  PRIVATE METHODS
*-------------------------------------------
*/
	private function __clone()
	{
		exit('<br/>Error: You are not allowed to use method [__clone] in class: '.get_class($this));
	}
	private function __sleep()
	{
		exit('<br/>Error: You are not allowed to use method [__sleep] in class: '.get_class($this));
	}
	private function __wakeup()
	{
		exit('<br/>Error: You are not allowed to use method [__wakeup] in class: '.get_class($this));
	}

/**
*  PUBLIC METHODS
*-------------------------------------------
*/
	public function __construct(){}
	public function __destruct(){}

	public function __unset( $var )
	{
		if ($this->restricted)
		{
			exit('<br/>Error: You are not allowed to use method [__unset] in class: '.get_class($this));
		}
		// Unrestricted mode: remove the named property itself, not the local parameter
		unset($this->$var);
	}

	public function __isset( $name )
	{
		return isset($this->properties[$name]);
	}

	public function __toString()
	{
		$str = '';
		foreach($this->properties as $key=>$value)
		{
			$str .= $key . ' = '. $value. '<br/>';
		}
		return $str;
	}
	
	final public function __get( $name )
	{
		if ($this->restricted)
		{
			if (array_key_exists($name, $this->properties)) {
				return $this->properties[$name];
			}
		}
		else {
			if ($this->__isset($name)) {
				return $this->$name;	// variable property name, not a property literally called "name"
			}
		}
		exit("<br/>Error: Property: [{$name}] was not found!");
	}

	final public function __set( $name, $value )
	{
		if ($this->restricted)
		{
			if (array_key_exists($name, $this->properties)) {
				$this->properties[$name] = $value;
			}
			else { exit("<br/>Error: Property: [{$name}] cannot be set!"); }
		}
		else { $this->$name = $value; }	// unrestricted: create the public property at run-time
	}

	/**
	* Restrict access to class's properties to only the allowed properties.
	* @return $this
	*/
	final public function AllowedProperties( array $properties )
	{
		if ($this->restricted)
		{
			foreach( $properties as $prop )
			{
				$this->properties[$prop] = null;
			}
		}
		return $this;
	}


	/**
	* Whether or not to restrict access to class's properties.
	* @return $this
	*/
	final public function RestrictedAccess( $value )
	{
		$this->restricted = $value;
		return $this;
	}

}

Tests


/*
*    TESTS
*/

class Test extends SafeObject
{
	public function DoSomething() { echo 'Doing something...'; }
	public function DoSomethingElse() { echo 'Doing something else...'; }
}

$o = new Test();

$o->RestrictedAccess(true)
	->AllowedProperties(array('server','username')); /* << class Test can only have these two public properties */


// ok
$o->server = 'localhost';
echo '<br/>server: ' , $o->server;

// ok
$o->username = 'costin';
echo '<br/>username: ' , $o->username;

// NOT ok
unset($o->username);

// NOT ok
$o->test = 'test';
echo '<br/>test: ' , $o->test;

// __toString()
echo '<br/>' , $o;
?>

Note:

When the argument passed to RestrictedAccess() is FALSE, the class allows public properties to be created at run-time.

Protect your pages against sql injections

March 9, 2010

The following function inspects the request URL for the apostrophe (') in its URL-encoded form, %27; if one is found, the URL is cut at that point and the page is reloaded using the cleaned URL.

function CleanRequest


/**
* Remove ' (apostrophe) from URL and cut the url at the first occurrence of the apostrophe
* Prevent sql injections.
*
* @author: Costin Trifan
* @date: 06.05.2009
* @status: release
*/
function CleanRequest( $use = 'http' )
{
	$url = $_SERVER['REQUEST_URI'];
	$url = utf8_decode($url);
	if (($pos = strpos($url, '%27')) !== false)
	{
		$url = substr($url, 0, $pos);
		$url = $use.'://'.$_SERVER['HTTP_HOST'].$url;
		header("Location: ".$url); /*[ reload page using the cleaned url ]*/
		exit;
	}
}

This function can be called on individual pages but I find it to be more useful when called in a config.php file so it can be executed on all pages of a website.

Edit (March 28): The $use argument has been removed.


/**
* Remove ' (apostrophe) from URL and cut the url at the first occurrence of the apostrophe
* Prevent sql injections.
*
* @author: Costin Trifan
* @date: 06.05.2009
* @status: release
* @revision: March 28, 2010;
*	The $use argument has been removed.
*/
function CleanRequest()
{
	$use = 'http';
	if (isset($_SERVER["HTTPS"]) && ($_SERVER["HTTPS"] == "on")) {$use .= 's';}

	// REQUEST_URI is already percent-encoded, so the apostrophe appears as %27;
	// no charset conversion (utf8_decode/utf8_encode) is needed, and it would
	// corrupt any non-Latin-1 bytes in the URL
	$url = $_SERVER['REQUEST_URI'];
	if (($pos = strpos($url, '%27')) !== false)
	{
		$url = substr($url, 0, $pos);
		$url = $use.'://'.$_SERVER['HTTP_HOST'].$url;
		header("Location: ".$url); /*[ reload page using the cleaned url ]*/
		exit;
	}
}
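The following is an added example, not code from the post: it restates CleanRequest's URL test as a pure function that returns the redirect target instead of calling header()/exit, so it can be checked against constructed $_SERVER arrays, and places next to it the query itself bound with a PDO prepared statement, which is what keeps an apostrophe out of the SQL whether or not the URL was cleaned. It assumes PHP with the pdo_sqlite extension; the host name example.test, the users table and the request arrays are constructed for the example.

```php
<?php
// Added example (not from the post). cleanedUrl() mirrors CleanRequest's logic
// as a pure function; findUserByName() shows the parameterised query.
// Assumes the pdo_sqlite extension; all data below is constructed.

function cleanedUrl(array $server)
{
    $scheme = (isset($server['HTTPS']) && $server['HTTPS'] === 'on') ? 'https' : 'http';
    $uri    = $server['REQUEST_URI'];
    $pos    = strpos($uri, '%27');           // the post tests only the encoded apostrophe
    if ($pos === false) {
        return null;                         // nothing to cut, so no redirect
    }
    return $scheme . '://' . $server['HTTP_HOST'] . substr($uri, 0, $pos);
}

function findUserByName(PDO $db, $name)
{
    // $name is bound as data: an apostrophe in it is matched literally, never parsed as SQL
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetch(PDO::FETCH_ASSOC);   // row array, or false when nothing matches
}

// Constructed sample data: an in-memory SQLite table holding a name with an apostrophe
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('costin')");
$db->exec("INSERT INTO users (username) VALUES ('o''brien')");

// Constructed requests for the same query string, once percent-encoded and once raw
$encoded = array('HTTP_HOST' => 'example.test', 'HTTPS' => 'on',
                 'REQUEST_URI' => '/user.php?name=o%27brien');
$raw     = array('HTTP_HOST' => 'example.test',
                 'REQUEST_URI' => "/user.php?name=o'brien");

// Encoded apostrophe: the URI is cut at %27 and the user is redirected,
// so a legitimate name like o'brien is lost before any query runs.
var_dump(cleanedUrl($encoded));
// Raw apostrophe (a client that does not percent-encode it): no %27, nothing is cut.
var_dump(cleanedUrl($raw));

// With a prepared statement the legitimate name is found as-is, and the same
// binding keeps any other apostrophe inside the value rather than inside the SQL.
var_dump(findUserByName($db, "o'brien"));
var_dump(findUserByName($db, 'nobody'));
```

HTTP_HOST is copied from the request's Host header, as in the post; building the redirect from a configured host name instead avoids sending the browser to whatever host the request named.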