RE: CROSS SITE-SCRIPTING Protection with PHP

From: Rob Shein (shotenat_private)
Date: Sat Oct 12 2002 - 07:04:10 PDT


    Valdis wrote:
    
    > You're filtering "known illegal" out, rather than refusing to 
    > pass only probably legal characters through.  You can 
    > enumerate %2B, ... more ... and you're still totally screwed 
    > to the wall if you missed one (and remember that all the 
    > Unicode exploits are basically "missed one").  Worse yet, 
    > you're screwed to the wall if you have a complete list, but 
    > at a later date somebody finds a new and creative way to use 
    > a character (did you know that some Unix shells treat the ^ 
    > caret as equivalent to | pipe? ;)
    > 
    > I don't do PHP, but the pseudocode *should* be:
    > 
    > function make_clean($value) {
    >     legalchars = "[a-z][A-Z][0-9] "; // allow letters number space only
    >     for each char in $value
    >        if char not in legalchars
    >        then char=' ';  // bogus char? Make it a blank
    >     end for;
    > }
    > 
    > Somebody finds a way to use doublequote to inject bad data?  
    > Somebody finds a way to use asterisks or %2B?  No problem - 
    > they weren't in my legalchars list to start with.
    > 
    > Remember - don't filter known bad chars.  Filter *everything* 
    > *but* known good.
    > -- 
    
    Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP.  Anyone
    take a stab at it yet?
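
An added example, not from the original thread or either poster: the allow-list filter Valdis sketched, written as working PHP, together with the output-encoding step that a filter on its own does not give you. The function names make_clean and html_encode and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not from the original thread: a PHP version of the
// allow-list pseudocode. Function names are hypothetical.

// Replace every byte that is NOT in the allow-list (ASCII letters, digits,
// space) with a blank, exactly as the pseudocode does. Anything else,
// including quotes, angle brackets, URL-encoded residue such as %2B and
// multibyte/Unicode sequences, is outside the list and is blanked without
// ever having to be enumerated.
function make_clean(string $value): string
{
    // No /u modifier: the pattern works byte-wise, so each byte of a
    // multibyte character becomes its own blank. preg_replace returns
    // null on engine error; fall back to an empty string in that case.
    return preg_replace('/[^A-Za-z0-9 ]/', ' ', $value) ?? '';
}

// Input filtering is one layer. Whatever reaches an HTML page must still
// be encoded for that context; ENT_QUOTES escapes both ' and " so the
// value is safe inside quoted attributes as well as element bodies.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (not from the thread).
$samples = [
    'plain text 123',
    '<script>alert(1)</script>',
    'name="x" onmouseover=foo',
    "tab\tand%2Bplus",
];

foreach ($samples as $in) {
    printf("%-28s -> [%s]\n", $in, make_clean($in));
    printf("%-28s -> [%s]\n", 'encoded', html_encode($in));
}
```

Run it with `php filter.php`. The allow-list keeps the filter independent of any list of "bad" characters, which is the point of the quoted advice; the second function is there because a filtered value that is later dropped into an HTML attribute without encoding is still an injection path, and the two steps are cheaper together than either is alone.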
    



    This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 10:52:34 PDT