I think a regular expression should do the trick:

    function make_clean($value) {
        // pattern (delimited by %) matches any char NOT in the allowed set:
        $legal_chars = "%[^0-9a-zA-Z ]%"; // allow letters, numbers & space
        $new_value = preg_replace($legal_chars, "", $value); // replace with ""
        return $new_value;
    }

On Sat, 2002-10-12 at 10:04, Rob Shein wrote:
>
> Valdis wrote:
>
> > You're filtering "known illegal" out, rather than refusing to
> > pass only probably legal characters through. You can
> > enumerate %2B, ... more ... and you're still totally screwed
> > to the wall if you missed one (and remember that all the
> > Unicode exploits are basically "missed one"). Worse yet,
> > you're screwed to the wall if you have a complete list, but
> > at a later date somebody finds a new and creative way to use
> > a character (did you know that some Unix shells treat the ^
> > caret as equivalent to | pipe? ;)
> >
> > I don't do PHP, but the pseudocode *should* be:
> >
> >     function make_clean($value) {
> >         legalchars = "[a-z][A-Z][0-9] "; // allow letters number space only
> >         for each char in $value
> >             if char not in legalchars
> >                 then char = ' '; // bogus char? Make it a blank
> >         end for;
> >     }
> >
> > Somebody finds a way to use doublequote to inject bad data?
> > Somebody finds a way to use asterisks or %2B? No problem -
> > they weren't in my legalchars list to start with.
> >
> > Remember - don't filter known bad chars. Filter *everything*
> > *but* known good.
> > --
>
> Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP. Anyone
> take a stab at it yet?
>
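An added illustration, not part of the thread, putting the two approaches discussed side by side in PHP: a deny-list that strips hand-picked "known bad" characters, the allow-list regex from the reply (delete), a variant that blanks instead of deleting (closer to Valdis's pseudocode), and a validate-and-reject check. Function names and sample inputs are made up for the example.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// Deny-list: strips only the characters somebody thought of. Anything the
// list does not mention (the caret, for instance) passes straight through.
function strip_known_bad(string $value): string {
    return str_replace(['"', "'", '*', '<', '>', '%2B'], '', $value);
}

// Allow-list, deleting: every byte that is not a letter, digit or space
// is removed. Without the /u flag this works byte-wise, so any non-ASCII
// (including odd Unicode encodings) is dropped rather than reasoned about.
function make_clean_delete(string $value): string {
    return preg_replace('%[^0-9a-zA-Z ]%', '', $value);
}

// Allow-list, blanking: same pattern, but rejected characters become a
// space so the fragments on either side cannot run together into a new token.
function make_clean_blank(string $value): string {
    return preg_replace('%[^0-9a-zA-Z ]%', ' ', $value);
}

// Validate instead of clean: refuse the whole value if anything outside the
// allowed set is present, and let the caller return an error to the user.
function is_clean(string $value): bool {
    return preg_match('/^[0-9a-zA-Z ]*$/', $value) === 1;
}

// Constructed sample inputs.
$samples = [
    'hello world 42',
    'foo ^ bar',        // caret: absent from the deny-list, still not allowed
    'a"b*c%2Bd',        // characters the deny-list does know about
    "caf\xc3\xa9",      // non-ASCII bytes
];

foreach ($samples as $s) {
    printf("%-16s deny=[%s] delete=[%s] blank=[%s] valid=%s\n",
        $s, strip_known_bad($s), make_clean_delete($s),
        make_clean_blank($s), is_clean($s) ? 'yes' : 'no');
}
```

Run with `php example.php`; the `foo ^ bar` line shows the deny-list leaving the caret in place while both allow-list variants remove it and the validator rejects the value.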
This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 18:48:00 PDT