OSEC

From: josh smith (pen_tester@hotmail.com)
Date: Tue Mar 12 2002 - 10:16:22 CST


    I don't disagree with this method and in fact I would recommend everyone to
    use it, because it is a great safety net. However there are always special
    cases where certain special characters are required. For those people who
    have an apostrophe in their last name will find this filter a bit crude. I
    also see special cases where people are allowed to send e-mail/comments etc
    etc and would require the use of an apostrophe or double quote. This filter
    would not allow those characters to be passed. I'm sure there are other
    characters I am forgetting that are used frequently, but if your application
    requires the use of these special characters use html encoding for those
    characters.

    Cert's advisory has a nice list of those characters.

    ----- Original Message -----
    From: <deneb@unixwave.org>
    To: "Steve Sobol" <sjsobol@JustThe.net>
    Cc: <webappsec@securityfocus.com>
    Sent: Monday, March 11, 2002 4:43 PM
    Subject: Re: CSS and PHP question

    > On Mon, Mar 11, 2002 at 09:47:31AM -0500, Steve Sobol wrote:
    > > Hello folks,
    > >
    > > Using PHP, if I have a text string I want to display, is it enough to
    > > use htmlentities() or htmlspecialchars()
    > > to encode potentially dangerous characters, or do I need to take further
    > > precautions?
    > >
    > > http://www.php.net/manual/en/function.htmlentities.php
    > >
    > > http://www.php.net/manual/en/function.htmlspecialchars.php
    >
    > No, use these instead:(i.e.)
    >
    > $input = $HTTP_POST_VARS['userinput'];
    > // The pattern needs delimiters, and preg_replace() returns the
    > // filtered string rather than modifying $input in place:
    > $input = preg_replace("/[^a-zA-Z0-9]/", "", $input);
    >
    > This simple rule strips all non literal characters.
    >
    > Cheers,
    > deneb.
    >
    >
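
The thread contrasts two approaches: stripping every non-alphanumeric character on input, and encoding the string at output time. The script below is an added example written for this archive page, not code from either poster; it runs the quoted strip filter and htmlspecialchars() side by side over a few constructed inputs (an apostrophe in a surname, a quoted comment, a script tag) so the difference is visible. The function names and sample strings are the example's own.

```php
<?php
// Added example, not from the original thread. Compares the whitelist strip
// filter quoted above with output encoding via htmlspecialchars().
// All sample inputs below are constructed for illustration.

function stripToAlnum(string $input): string
{
    // The filter from the thread: drop everything except ASCII letters and digits.
    // It silently mangles legitimate data such as O'Brien or a quoted comment.
    return preg_replace('/[^a-zA-Z0-9]/', '', $input);
}

function encodeForHtml(string $input): string
{
    // Encode for an HTML text or quoted-attribute context. ENT_QUOTES makes
    // both ' and " encoded, so the value is safe inside either quote style.
    // The data itself is left intact; only its HTML meaning is neutralised.
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$samples = [
    "O'Brien",                        // a surname the strip filter would break
    'Say "hello" & goodbye',          // user comment with quotes and an ampersand
    '<script>alert(1)</script>',      // markup that must not be rendered as HTML
];

foreach ($samples as $s) {
    printf("input:   %s\n", $s);
    printf("strip:   %s\n", stripToAlnum($s));
    printf("encoded: %s\n\n", encodeForHtml($s));
}
```

Run with `php example.php`. The encoded form keeps the apostrophe and quotes as data while preventing them from closing an attribute or opening a tag, which is the case the reply raises. The flags matter: without ENT_QUOTES a single quote is passed through unchanged, which is a problem when the value is placed inside a single-quoted attribute. htmlspecialchars() is specific to HTML text and attribute contexts; a value inserted into a URL or a JavaScript string needs the encoding appropriate to that context instead.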