Re: CROSS SITE-SCRIPTING Protection with PHP

From: RoMaNSoFt (r0manat_private)
Date: Sat Oct 12 2002 - 13:27:22 PDT

  • Next message: Rohan Amin: "RE: CROSS SITE-SCRIPTING Protection with PHP"

    On Sat, 12 Oct 2002 10:04:10 -0400, you wrote:
    
    >> Remember - don't filter known bad chars.  Filter *everything* 
    >> *but* known good.
    >
    >Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP.  Anyone
    >take a stab at it yet?
    
     Hi vuln-devels,
    
     These are the functions I've coded for the described purpose
    (comments translated from Spanish; the code is self-explanatory):
    
      /* Strip every character except alphanumerics (A-Z, a-z, 0-9).
         $var is modified in place. */
      function filtro_alfanumerico(&$var) {
        $sinfiltrar = $var;
        $var = preg_replace("/[^A-Za-z0-9]/", "", $var);
        // Strict comparison: with "==" PHP compares numeric-looking strings
        // as numbers, so e.g. "+5" == "5" is true and a stripped "+" would
        // go unnoticed.
        if ($sinfiltrar === $var) {
          return false;  // nothing was stripped
        } else {
          return true;   // characters were stripped
        }
      }
    
    
      /* Strip every character except digits (0-9). $var is modified in place. */
      function filtro_numerico(&$var) {
        $sinfiltrar = $var;
        $var = preg_replace("/[^0-9]/", "", $var);
        if ($sinfiltrar === $var) {
          return false;  // nothing was stripped
        } else {
          return true;   // characters were stripped
        }
      }
    
    
     Then, from main program you only have to use something like:
    
    filtro_numerico($id);
    
    (this will strip all chars except numbers; to be used for typical
    variables intended to contain only numbers)
    
     You can also check for hacking attempts or things like that:
    
    if (filtro_numerico($id)) {
      echo "Hacking attempt detected. The id value should never be
    non-numeric. I've removed the offending chars.";
    }
    
     In a similar way you can use "filtro_alfanumerico", to perform
    non-alphanumeric stripping.
    
     Salu2,
     --Roman
    
    --
    PGP Fingerprint:
    09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
    [Key ID: 0xEAD56742. Available at KeyServ]
    
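    The following is an added example, not code from Roman's post or from
    any project: it shows two practical caveats with the strip-and-compare
    approach above and the allowlist alternative a practitioner would
    normally reach for. First, PHP's loose "==" treats numeric-looking
    strings ("+5", " 7") as numbers, so a check written with "==" cannot
    see that a "+" or a leading space was stripped; "===" compares the
    actual bytes. Second, silently stripping turns "1<script>2" into the
    different but valid id "12"; rejecting anything outside the allowlist
    is safer than "repairing" it. For free text, which cannot be
    allowlisted character by character, the complement is encoding at the
    point of HTML output. The function names (strippedLoose, strippedStrict,
    validateId, validateUsername, escapeHtml) and the sample inputs are this
    example's own.

```php
<?php
// Added example (not from the original post). Function names and the
// sample inputs below are this example's own, not from any library.
declare(strict_types=1);

/**
 * "Did stripping change anything?" written with the loose comparison the
 * posted functions use. PHP compares two numeric strings as numbers, so
 * "+5" == "5" and " 7" == "7" are both true and the change is missed.
 */
function strippedLoose(string $var): bool {
    $clean = preg_replace('/[^0-9]/', '', $var);
    return $clean != $var;
}

/** Same check with a strict comparison of the actual strings. */
function strippedStrict(string $var): bool {
    $clean = preg_replace('/[^0-9]/', '', $var);
    return $clean !== $var;
}

/**
 * Allowlist validator for a numeric id: accept only a non-empty run of
 * ASCII digits (bounded so it cannot overflow int) and return it as int.
 * Anything else is rejected with null rather than repaired; stripping
 * would turn "1<script>2" into "12", a different id that looks valid.
 * \A and \z anchor the whole string; "$" alone would allow a trailing "\n".
 */
function validateId(string $raw): ?int {
    if (!preg_match('/\A[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return (int)$raw;
}

/** Allowlist for identifiers such as usernames: letters, digits, underscore. */
function validateUsername(string $raw): ?string {
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw) ? $raw : null;
}

/**
 * Free text (comments, names) cannot be allowlisted without destroying
 * it, so it is encoded when written into HTML instead. ENT_QUOTES also
 * escapes single quotes, so the result is safe inside 'quoted' attributes
 * as well as in element content.
 */
function escapeHtml(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample values standing in for $_GET['id'] and similar.
$samples = ['42', '+5', ' 7', '1<script>2', '<img src=x onerror=alert(1)>'];

foreach ($samples as $s) {
    printf("%-34s loose:%d strict:%d validateId:%s\n",
        var_export($s, true),
        strippedLoose($s),
        strippedStrict($s),
        var_export(validateId($s), true));
}

// Free text is kept as-is but encoded on output.
echo escapeHtml('<img src=x onerror=alert(1)>'), "\n";
```

    Run it with "php example.php". The interesting rows are "+5" and " 7":
    the loose check reports nothing stripped while the strict check does,
    and validateId() rejects both along with the two injection attempts,
    so the program never has to guess what a mangled value was meant to be.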



    This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 18:47:25 PDT