Re: PHP variable sanitization functions
From: Ulf Harnhammar (metaur at operamail.com)
Date: Tue Aug 26 2003 - 06:23:39 CDT
Hello, putting together those functions was a nice initiative!
Some more things to change:
* You should also check the length of strings. Being able to send in thousands of characters from an allowed set of characters could lead to buffer overflows, if a web application passes data over to C/C++ programs. It's best to disallow overly long strings.
* In some situations, numeric values must be (a) numeric (eh) and (b) in a certain range, to avoid huge iframes (makes my machine completely overloaded, when using Galeon or Mozilla) or problems with widths that are zero or negative.
Something like this (warning! untested code!) might be useful:
function sane_integer($val, $min, $max)
{
    // Must look like an (optionally negative) base-10 integer
    if (!preg_match('/^-?[0-9]+$/', $val))
        return false;
    // ... and fall within the allowed range
    if (($val < $min) or ($val > $max))
        return false;
    return true;
}
// Ulf Harnhammar
kses - PHP HTML/XHTML filter
http://sourceforge.net/projects/kses
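Putting the two checks from the post together (maximum length plus allowed character set for strings, numeric plus in-range for integers), as an added example that is not code from the post or from kses; the helper name sane_string, the field names and the size limits are assumptions:

```php
<?php
// Added example, not from the original post. sane_string, the field
// names and the numeric limits below are assumptions for illustration.

// Accept $val only if it is a string of at most $max_len bytes consisting
// solely of characters from $allowed (a regex character class such as
// '[a-zA-Z0-9_]'). The length check runs first so an oversized value is
// rejected before it is handed to anything downstream.
function sane_string($val, $allowed, $max_len)
{
    if (!is_string($val) || strlen($val) > $max_len)
        return false;
    // Anchored to the whole value; '+' also rejects the empty string
    return preg_match('/^' . $allowed . '+$/', $val) === 1;
}

// Same check as in the post: looks like an integer and lies in [$min, $max]
function sane_integer($val, $min, $max)
{
    if (!preg_match('/^-?[0-9]+$/', $val))
        return false;
    $n = (int) $val;
    return ($n >= $min) && ($n <= $max);
}

// Constructed sample input standing in for $_GET; 'height' is negative
// and 'user' contains a character outside the allowed class, so both
// fall back to safe defaults instead of reaching the page.
$input = array('user' => 'bob;smith', 'width' => '500', 'height' => '-3');

$user   = sane_string($input['user'], '[a-zA-Z0-9_]', 32) ? $input['user'] : 'anonymous';
$width  = sane_integer($input['width'],  1, 1024) ? (int) $input['width']  : 300;
$height = sane_integer($input['height'], 1, 1024) ? (int) $input['height'] : 150;

// $user is 'anonymous', $width is 500, $height is 150
echo '<iframe width="' . $width . '" height="' . $height . '" src="profile.php?user=' . rawurlencode($user) . '"></iframe>';
```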