Since I’m switching jobs soon, I have been interviewing some developers to replace me at my current position. It has astounded me how many candidates don’t really know what I’m talking about when I start asking about securing web applications against injection. In light of that, I thought I would share a simple input validation class that I wrote. Certainly, it’s not the best out there, but looking it over should give you a good idea of what input validation entails. Code below:

<?php

/**
* @author vsloathe
* @copyright 2008
* CCL - Feel free to distribute this work, just leave the credit to the author intact.
* Usage:
* $IV = new inputValidator();
* $IV->input = ‘90210′;
* $zip = $IV->expectZipCode();
*/

class inputValidator
{
var $input;
var $scrubbed;
function expectNumeric()
{
$this->scrubbed = preg_replace(’#^[0-9]#’,”,$this->input);
return $this->scrubbed;
}
function expectAlpha()
{
$this->scrubbed = preg_replace(’#^[a-z]#i’,”,$this->input);
return $this->scrubbed;
}
function expectAlphaNum()
{
$this->scrubbed = preg_replace(’#^[a-z0-9]#i’,”,$this->input);
return $this->scrubbed;
}
function expectPhoneNumber()
{
$this->scrubbed = preg_replace(’#^[0-9\(\)\-]#’,”,$this->input);
return $this->scrubbed;
}
function expectZipCode()
{
if(strlen($this->input) > 5)
{
return(’BAD ZIPCODE’);
}
else
{
$this->scrubbed = preg_replace(’#^[0-9]#’,”,$this->input);
return $this->scrubbed;
}
}
}

?>

Sorry for the lack of syntax highlighting, I haven’t gotten that plugin for wordpress. Feel free to copy the code.