RE: CROSS SITE-SCRIPTING Protection with PHP

From: Chris Field (chrisat_private)
Date: Sat Oct 12 2002 - 07:32:54 PDT


/**
 * @desc Takes a string and removes illegal characters
 * @param string $dirtyString the untrusted input
 * @return string the input with every character outside [A-Za-z0-9] replaced by a space
 */
function makeClean($dirtyString)
{
	$cleanString='';                    // holds string to return
	$stringLength=strlen($dirtyString); // holds length of the string

	// Allow-list loop: letters and digits are copied through, every other
	// byte (the space itself included) is emitted as a single space.
	for($counter=0;$counter<$stringLength;$counter++)
	{
		if( ($dirtyString[$counter]>='a' && $dirtyString[$counter]<='z') ||
			($dirtyString[$counter]>='A' && $dirtyString[$counter]<='Z') ||
			(is_numeric($dirtyString[$counter])))
		{
			$cleanString.=$dirtyString[$counter];
		}
		else
		{
			$cleanString.=' ';
		}
	}
	return $cleanString;
}

On Sat, 2002-10-12 at 10:04, Rob Shein wrote:
> 
> Valdis wrote:
> 
> > You're filtering "known illegal" out, rather than refusing to 
> > pass only probably legal characters through.  You can 
> > enumerate %2B, ... more ... and you're still totally screwed 
> > to the wall if you missed one (and remember that all the 
> > Unicode exploits are basically "missed one").  Worse yet, 
> > you're screwed to the wall if you have a complete list, but 
> > at a later date somebody finds a new and creative way to use 
> > a character (did you know that some Unix shells treat the ^ 
> > caret as equivalent to | pipe? ;)
> > 
> > I don't do PHP, but the pseudocode *should* be:
> > 
> > function make_clean($value) {
> >     legalchars = "[a-z][A-Z][0-9] "; // allow letters, numbers, space only
> >     for each char in $value
> >        if char not in legalchars
> >        then char=' ';  // bogus char? Make it a blank
> >     end for;
> > }
> > 
> > Somebody finds a way to use doublequote to inject bad data?  
> > Somebody finds a way to use asterisks or %2B?  No problem - 
> > they weren't in my legalchars list to start with.
> > 
> > Remember - don't filter known bad chars.  Filter *everything* 
> > *but* known good.
> > -- 
> 
> Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP.  Anyone
> take a stab at it yet?
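An added example, not part of any post in this thread, showing the allow-list idea from Valdis's pseudocode as a one-line PHP regular expression beside the defence the thread does not mention: encoding output for the HTML context. The function names and sample inputs are my own. The allow-list version is right for fields whose legitimate values really are alphanumeric; for free text it silently mangles names like "O'Brien", which is why the second function leaves the data alone and instead neutralises the characters an HTML parser cares about at the point where the value is written into the page.

```php
<?php
// Added example (not from the original post). Function names are my own.

// 1. Allow-list filtering, the approach Valdis describes, as a regex instead
//    of a character loop: anything that is not a letter, digit or space
//    becomes a space. Suitable for usernames, codes and IDs; it destroys
//    legitimate punctuation in free text ("O'Brien" -> "O Brien").
function makeCleanAllowList(string $dirty): string
{
    return preg_replace('/[^A-Za-z0-9 ]/', ' ', $dirty);
}

// 2. Output encoding for free-text fields. Rather than deciding which
//    characters are "bad", encode the characters that have meaning to an
//    HTML parser (< > & " ') so user data can never close an attribute or
//    open a tag. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE and the
//    explicit charset stop malformed byte sequences from being passed
//    through unencoded.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a plain username, a name with legitimate
// punctuation, and a tag-bearing string of the kind this thread is about.
$samples = [
    'alice42',
    "O'Brien",
    '<b onmouseover="x">hi</b>',
];

foreach ($samples as $s) {
    printf("input:      %s\n", $s);
    printf("allow-list: %s\n", makeCleanAllowList($s));
    printf("encoded:    %s\n\n", escapeForHtml($s));
}
```

Use the allow-list at the input boundary only for fields with a known shape, and apply escapeForHtml at every place a value is interpolated into HTML; the two are complementary, and the second is the one that protects free text without rewriting it.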
    



    This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 18:45:40 PDT