On Sat, 12 Oct 2002 10:04:10 -0400, you wrote: >> Remember - don't filter known bad chars. Filter *everything* >> *but* known good. > >Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP. Anyone >take a stab at it yet? Hi vuln-devels, These are the functions I've coded for the described purpose (comments are in Spanish but the code is self-explanatory): /* Filtra todos los caracteres excepto los alfanuméricos */ function filtro_alfanumerico(&$var) { $sinfiltrar = $var; $var = preg_replace("/[^A-Za-z0-9]/", "", $var); if ($sinfiltrar == $var) { return 0; // Devuelve FALSE si no se filtró nada } else { return 1; // Devuelve TRUE si se filtraron caracteres } } /* Filtra todos los caracteres excepto los numéricos */ function filtro_numerico(&$var) { $sinfiltrar = $var; $var = preg_replace("/[^0-9]/", "", $var); if ($sinfiltrar == $var) { return 0; // Devuelve FALSE si no se filtró nada } else { return 1; // Devuelve TRUE si se filtraron caracteres } } Then, from main program you only have to use something like: filtro_numerico($id); (this will strip all chars except numbers; to be used for typical variables intended to content only numbers) You can also check for hacking attempts or things like that: if (filtro_numerico($id)) { echo "Hacking attempt detected. The id value never should be a non-numeric value. I've removed the offending chars."; } In a similar way you can use "filtro_alfanumerico", to perform non-alphanumeric stripping. Salu2, --Roman -- PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ]
This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 18:47:25 PDT