Valdis wrote:

> You're filtering "known illegal" out, rather than refusing to pass only
> probably legal characters through. You can enumerate %2B, ... more ... and
> you're still totally screwed to the wall if you missed one (and remember
> that all the Unicode exploits are basically "missed one"). Worse yet,
> you're screwed to the wall if you have a complete list, but at a later
> date somebody finds a new and creative way to use a character (did you
> know that some Unix shells treat the ^ caret as equivalent to | pipe? ;)
>
> I don't do PHP, but the pseudocode *should* be:
>
> function make_clean($value) {
>     legalchars = "[a-z][A-Z][0-9] ";   // allow letters number space only
>     for each char in $value
>         if char not in legalchars
>             then char=' ';              // bogus char? Make it a blank
>     end for;
> }
>
> Somebody finds a way to use doublequote to inject bad data? Somebody
> finds a way to use asterisks or %2B? No problem - they weren't in my
> legalchars list to start with.
>
> Remember - don't filter known bad chars. Filter *everything* *but* known
> good.
> --

Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP. Anyone take
a stab at it yet?
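A PHP rendering of the quoted allowlist pseudocode, added here as an example; it is not code from the original thread, and the function names, the stricter reject-instead-of-blank variant and the constructed sample inputs are my own choices:

```php
<?php
// Added example (not from the original thread): allowlist sanitiser in PHP.
// Mirrors the quoted pseudocode: every character outside the allowed set
// (ASCII letters, digits, space) is replaced with a blank.

/**
 * Blank out anything that is not A-Z, a-z, 0-9 or space.
 * Runs byte-by-byte (no /u modifier), so a multibyte UTF-8 sequence is
 * rejected wholesale because each of its bytes falls outside the allowlist.
 */
function make_clean(string $value): string
{
    // The negated class [^...] is the "if char not in legalchars" test from
    // the pseudocode, applied to every character in one pass.
    return preg_replace('/[^A-Za-z0-9 ]/', ' ', $value);
}

/**
 * Stricter variant (my own addition): instead of silently repairing input,
 * report whether it was already entirely within the allowlist so the caller
 * can log and refuse the request. Empty input counts as clean.
 */
function is_clean(string $value): bool
{
    return preg_match('/^[A-Za-z0-9 ]*$/', $value) === 1;
}

// Constructed sample inputs covering the characters the quoted post mentions
// (double quote, asterisk, %2B, caret) plus a non-ASCII byte sequence.
$samples = [
    'hello world 42',
    'say "hi" to *everyone*',
    'a%2Bb',
    'cat file ^ grep secret',
    "caf\xC3\xA9",          // UTF-8 e-acute: two bytes, both blanked
];

foreach ($samples as $s) {
    printf("%-28s -> %-28s clean=%s\n",
        '[' . $s . ']',
        '[' . make_clean($s) . ']',
        is_clean($s) ? 'yes' : 'no');
}
```

The pattern only ever names what is accepted, so a newly discovered "creative" character needs no change to the filter. Two practical notes: blanking preserves string length but silently alters data, so for fields such as usernames the `is_clean()` check plus a rejection is usually the better choice; and character allowlisting is input validation, not a substitute for prepared statements or output encoding at the point where the value is used.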
This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 10:52:34 PDT