RE: CROSS SITE-SCRIPTING Protection with PHP

From: Rohan Amin (rohanat_private)
Date: Sat Oct 12 2002 - 11:48:24 PDT

    I think a regular expression should do the trick:
    
    function make_clean($value) {
      $legal_chars = "%[^0-9a-zA-Z ]%"; //allow letters, numbers & space
      $new_value = preg_replace($legal_chars,"",$value); //replace with ""
      return $new_value;
    }
    
    
    
    On Sat, 2002-10-12 at 10:04, Rob Shein wrote:
    > 
    > Valdis wrote:
    > 
    > > You're filtering "known illegal" out, rather than refusing to 
    > > pass only probably legal characters through.  You can 
    > > enumerate %2B, ... more ... and you're still totally screwed 
    > > to the wall if you missed one (and remember that all the 
    > > Unicode exploits are basically "missed one").  Worse yet, 
    > > you're screwed to the wall if you have a complete list, but 
    > > at a later date somebody finds  a new and creative way to use 
    > > a character (did you know that some Unix shells treat the ^ 
    > > caret as equivalent to | pipe? ;)
    > > 
    > > I don't do PHP, but the pseudocode *should* be:
    > > 
    > > function make_clean($value) {
    > >     legalchars = "[a-z][A-Z][0-9] "; // allow letters number 
    > > space only
    > >     for each char in $value
    > >        if char not in legalchars
    > >        then char=' ';  // bogus char? Make it a blank
    > >     end for;
    > > }
    > > 
    > > Somebody finds a way to use doublequote to inject bad data?  
    > > Somebody finds a way to use asterisks or %2B?  No problem - 
    > > they weren't in my legalchars list to start with.
    > > 
    > > Remember - don't filter known bad chars.  Filter *everything* 
    > > *but* known good.
    > > -- 
    > 
    > Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP.  Anyone
    > take a stab at it yet?
    > 
    
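    A PHP rendering of the allow-list approach from the quoted pseudocode, added here as an example and not part of any message in this thread. It goes one step beyond the thread by also showing context-aware output encoding, since an allow-list filter is lossy for legitimate input; the function names make_clean_allowlist and html_escape and the sample strings are assumptions.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/**
 * Keep only characters from an explicit allow-list; every other character
 * becomes a single space, as in the pseudocode above. The /u modifier makes
 * the regex work on UTF-8 code points rather than bytes, so a multi-byte
 * character is replaced whole instead of leaving stray bytes behind.
 * $allowed is the body of a regex character class and must not contain
 * an unescaped ']' or '\'.
 */
function make_clean_allowlist(string $value, string $allowed = 'A-Za-z0-9 '): string
{
    $pattern = '/[^' . $allowed . ']/u';
    $clean = preg_replace($pattern, ' ', $value);
    // preg_replace returns null on malformed UTF-8; fail closed rather than
    // passing the raw value through.
    return $clean ?? '';
}

/**
 * Filtering is lossy: "O'Brien" loses its apostrophe. When a value has to
 * be echoed into an HTML page, encode it for that context instead of (or in
 * addition to) stripping characters; the value is kept intact and the
 * browser treats it as text, not markup.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs covering plain text, markup, and non-ASCII.
$samples = [
    'hello world',
    "O'Brien <b>bold</b>",
    'café %2B 1+1',
];
foreach ($samples as $s) {
    printf("%-22s allow-list: %-22s encoded: %s\n",
        $s, make_clean_allowlist($s), html_escape($s));
}
```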



    This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 18:48:00 PDT