How to do generic php injection detection?

software development

#1

Hi,

Can some smart person help me with my php injection detection (hey, snappy!) code?

I found this code on php.net:


//clean input in case of header injection attempts!
function clean_input_4email($value, $check_all_patterns = true)
{
$patterns[0] = ‘/content-type:/’;
$patterns[1] = ‘/to:/’;
$patterns[2] = ‘/cc:/’;
$patterns[3] = ‘/bcc:/’;
if ($check_all_patterns)
{
$patterns[4] = ‘/\r/’;
$patterns[5] = ‘/\n/’;
$patterns[6] = ‘//’;
$patterns[7] = ‘//’;
}
//NOTE: can use str_ireplace as this is case insensitive but only available on PHP version 5.0.
return preg_replace($patterns, “”, strtolower($value));
}

$name = clean_input_4email($_POST[“name”]);
$email = clean_input_4email($_POST[“email”]);
$thesubject = clean_input_4email($_POST[“thesubject”]);
$themessage = clean_input_4email($_POST[“themessage”], false);

$error_msg=‘ERROR - not sent. Try again.’;

but the php form processor I use just allows any field in the form into the email, like so


$incoming_fields = array_keys($HTTP_POST_VARS);
$incoming_values = array_values($HTTP_POST_VARS);

Is there an easy way to clean up all the data posted from the form before being processed by a php form processor in a generic fashion? Or any other advice appreciated.

Thanks for any help.