https://github.com/caltechlibrary/safer-php

A tiny input vetting library for legacy PHP code
README


NOTE: This is a legacy project used when porting some legacy code. You should not use it
in new projects. PHP 8 and above have better solutions. RSD 2025-10-29

# safer-php

A tiny input vetting library for legacy PHP code. It also includes examples
of adding minimal testing using saferclient.php to interact with a
PHP-driven site.

# Retrofitting legacy PHP projects

A common problem in supporting legacy PHP is that old code may not validate
its inputs enough, or appropriately, and this leads to potential injection
problems (XSS and SQL). To mitigate this you need to do three things:

* At the start of the PHP file, require safer.php
* Before the rest of the PHP code executes, run safer($_GET), safer($_POST) and safer($_SERVER) as needed.

This might look something like this:

```PHP
<?php
// Step 1: pull in safer.php at the very top of the file
require_once "safer.php";

// Step 2: declare which fields you expect and how each one should be vetted
$validation_map = array(
    "id" => "Integer",
    "search" => "Text",
    "callback" => "Varname"
);

// extract the $_GET safer validated against $validation_map
$myGET = safer($_GET, $validation_map);

// Now you're ready to use them. If a field wasn't available it will be set to false
$sql = false;
if ($myGET["id"] !== false) {
    // build your query safer
    $sql = "SELECT name, email FROM contacts WHERE id = " .
        $myGET["id"];
} else if ($myGET["search"] !== false) {
    $sql = "SELECT name, email FROM contacts WHERE (name LIKE \"" .
        $myGET["search"] . "\" OR email LIKE \"" . $myGET["search"] . "\")";
}

// Process your SQL safer (only when one of the vetted fields produced a query)
$users = array();
if ($sql !== false) {
    $qry = mysql_query($sql);
    $users = mysql_fetch_assoc($qry);
}

// Emit JSONP when a vetted callback name was supplied, plain JSON otherwise
if ($myGET["callback"] !== false) {
    header("Content-Type: application/javascript");
    echo $myGET["callback"] . '(' . json_encode($users) . ')';
} else {
    header("Content-Type: application/json");
    echo json_encode($users);
}
?>
```
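To make the validation map concrete, here is an added stand-in for safer() (not code from safer-php itself); the name vet_input and the rules it applies for "Integer", "Text" and "Varname" are assumptions chosen to match the README's description, including the missing-field-becomes-false behaviour, and the request array is constructed for the demonstration.

```php
<?php
// Added example, not part of safer-php. vet_input() stands in for safer();
// its per-type rules are assumptions, not the library's actual behaviour.
function vet_input(array $source, array $validation_map) {
    $out = array();
    foreach ($validation_map as $field => $type) {
        // A field that is missing or empty is reported as false, as the README states.
        if (!isset($source[$field]) || $source[$field] === '') {
            $out[$field] = false;
            continue;
        }
        $raw = (string) $source[$field];
        switch ($type) {
            case "Integer":
                // Accept only an optional sign and digits; anything else is rejected.
                $out[$field] = preg_match('/^-?\d+$/', $raw) ? (int) $raw : false;
                break;
            case "Varname":
                // A JSONP callback must be a bare identifier, otherwise the
                // response becomes a script-injection vector.
                $out[$field] = preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $raw) ? $raw : false;
                break;
            case "Text":
                // Free text: drop markup and escape what remains for HTML output.
                $out[$field] = htmlspecialchars(strip_tags($raw), ENT_QUOTES, 'UTF-8');
                break;
            default:
                // Unknown type name in the map: fail closed.
                $out[$field] = false;
        }
    }
    return $out;
}

// Constructed request with values that should not pass each rule.
$fake_get = array(
    "id"       => "42 OR 1=1",
    "search"   => "o'brien <b>smith</b>",
    "callback" => "alert(1);//",
);
$vetted = vet_input($fake_get, array(
    "id"       => "Integer",
    "search"   => "Text",
    "callback" => "Varname",
));
var_dump($vetted["id"]);        // bool(false): not a plain integer
var_dump($vetted["callback"]);  // bool(false): not an identifier
var_dump($vetted["search"]);    // string: tags removed, quote HTML-escaped
var_dump(isset($vetted["page"]) ? $vetted["page"] : "not in map"); // not in map
```

Note that HTML-escaped text is still not safe to concatenate into a SQL string the way the README's LIKE query does; for that field the database driver's own escaping or a prepared statement is needed in addition to the vetting shown here.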