On Thu, 10 Oct 2002 23:41:34 -0000, Astalavista Baby <infoat_private> said: > like to see more and better ways ?! > > My idea: ( I think this is not safe enough?) > > function make_clean($value){ > $value = htmlspecialchars($value) > $value = str_replace("%2B", "", $value); > .... more .. > return $value; > } Wrong. You're filtering "known illegal" out, rather than refusing to pass only probably legal characters through. You can enumerate %2B, ... more ... and you're still totally screwed to the wall if you missed one (and remember that all the Unicode exploits are basically "missed one"). Worse yet, you're screwed to the wall if you have a complete list, but at a later date somebody finds a new and creative way to use a character (did you know that some Unix shells treat the ^ caret as equivalent to | pipe? ;) I don't do PHP, but the pseudocode *should* be: function make_clean($value) { legalchars = "[a-z][A-Z][0-9] "; // allow letters number space only for each char in $value if char not in legalchars then char=' '; // bogus char? Make it a blank end for; } Somebody finds a way to use doublequote to inject bad data? Somebody finds a way to use asterisks or %2B? No problem - they weren't in my legalchars list to start with. Remember - don't filter known bad chars. Filter *everything* *but* known good. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 20:52:32 PDT