Valdis.Kletnieks_at_vt.edu
Date: Thu Oct 10 2002 - 22:08:07 CDT


    On Thu, 10 Oct 2002 23:41:34 -0000, Astalavista Baby <infoastalavista.com> said:
    > like to see more and better ways ?!
    >
    > My idea: ( I think this is not safe enough?)
    >
    > function make_clean($value){
    > $value = htmlspecialchars($value);
    > $value = str_replace("%2B", "", $value);
    > .... more ..
    > return $value;
    > }

    Wrong.

    You're filtering "known illegal" out, rather than refusing to pass only
    probably legal characters through. You can enumerate %2B, ... more ...
    and you're still totally screwed to the wall if you missed one (and remember
    that all the Unicode exploits are basically "missed one"). Worse yet,
    you're screwed to the wall if you have a complete list, but at a later date
    somebody finds a new and creative way to use a character (did you know that
    some Unix shells treat the ^ caret as equivalent to | pipe? ;)

    I don't do PHP, but the pseudocode *should* be:

    function make_clean($value) {
        legalchars = "[a-z][A-Z][0-9] "; // allow letters, numbers and space only
        for each char in $value
           if char not in legalchars
           then char=' '; // bogus char? Make it a blank
        end for;
        return $value;
    }

    Somebody finds a way to use doublequote to inject bad data? Somebody finds
    a way to use asterisks or %2B? No problem - they weren't in my legalchars
    list to start with.

    Remember - don't filter known bad chars. Filter *everything* *but* known good.

    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
    

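Added example (not part of Valdis's post or the original thread): the quoted denylist filter and the allowlist pseudocode written out as runnable PHP, run over a few constructed inputs so the "missed one" problem is visible. The sample strings and the two function names are assumptions of this example.

```php
<?php
// Denylist, as in the quoted snippet: escape HTML, then strip a fixed set of
// "known bad" tokens. Anything not on the list passes through untouched.
function make_clean_denylist(string $value): string {
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    // str_replace is case-sensitive: "%2b" is the same URL-encoded '+' but is not matched.
    $value = str_replace(['%2B', '*'], '', $value);
    return $value;
}

// Allowlist, the pseudocode from the reply: keep letters, digits and space;
// every other character becomes a blank. Nothing needs to be enumerated as "bad".
function make_clean_allowlist(string $value): string {
    return preg_replace('/[^A-Za-z0-9 ]/', ' ', $value);
}

// Constructed inputs. The lower-case encoding and the caret are not on the denylist.
$samples = [
    'hello world',
    'a%2Bb',      // on the denylist, stripped
    'a%2bb',      // same encoded '+', different case: denylist misses it
    'a ^ b',      // caret, which some shells treat like a pipe
];

foreach ($samples as $s) {
    printf("%-12s deny=%-14s allow=%s\n", $s, make_clean_denylist($s), make_clean_allowlist($s));
}
```

The allowlist output is only safe for the contexts its character set was chosen for; data placed into HTML, SQL or a shell still needs the escaping appropriate to that context at the point of use.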