OSEC

From: Chris Field (chris_at_tux.dogoodsoft.org)
Date: Sat Oct 12 2002 - 09:32:54 CDT


    <?php
    /**
     * Takes a string and replaces every character that is not an ASCII
     * letter or digit with a space (allow-list filter: anything not
     * explicitly permitted is blanked).
     *
     * @param string $dirtyString
     * @return string
     */
    function makeClean($dirtyString)
    {
        $cleanString = '';                    // holds string to return
        $stringLength = strlen($dirtyString); // length of the string in bytes

        for ($counter = 0; $counter < $stringLength; $counter++) {
            // Keep a-z, A-Z and 0-9. is_numeric() on a single character is
            // true only for the digits 0-9, so it acts as a digit test here.
            if (($dirtyString[$counter] >= 'a' && $dirtyString[$counter] <= 'z') ||
                ($dirtyString[$counter] >= 'A' && $dirtyString[$counter] <= 'Z') ||
                is_numeric($dirtyString[$counter])) {
                $cleanString .= $dirtyString[$counter];
            } else {
                $cleanString .= ' ';          // anything else becomes a blank
            }
        }
        return $cleanString;
    }
    On Sat, 2002-10-12 at 10:04, Rob Shein wrote:
    >
    > Valdis wrote:
    >
    > > You're filtering "known illegal" out, rather than refusing to
    > > pass only probably legal characters through. You can
    > > enumerate %2B, ... more ... and you're still totally screwed
    > > to the wall if you missed one (and remember that all the
    > > Unicode exploits are basically "missed one"). Worse yet,
    > > you're screwed to the wall if you have a complete list, but
    > > at a later date somebody finds a new and creative way to use
    > > a character (did you know that some Unix shells treat the ^
    > > caret as equivalent to | pipe? ;)
    > >
    > > I don't do PHP, but the pseudocode *should* be:
    > >
    > > function make_clean($value) {
    > > legalchars = "[a-z][A-Z][0-9] "; // allow letters, numbers, space only
    > > for each char in $value
    > > if char not in legalchars
    > > then char=' '; // bogus char? Make it a blank
    > > end for;
    > > }
    > >
    > > Somebody finds a way to use doublequote to inject bad data?
    > > Somebody finds a way to use asterisks or %2B? No problem -
    > > they weren't in my legalchars list to start with.
    > >
    > > Remember - don't filter known bad chars. Filter *everything*
    > > *but* known good.
    > > --
    >
    > OK, I'm no PHP guru, but I'd sure like to see this coded in PHP. Anyone
    > take a stab at it yet?
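The deny-list versus allow-list argument in the quoted reply, as an added example that is not code from anyone in the thread. It places a deny-list filter (strip a handful of "known bad" characters) beside the allow-list filter Valdis describes, then runs both over constructed inputs, each carrying a character the deny-list author did not think of: a lower-case `%2b`, a caret, an embedded NUL byte, an overlong UTF-8 sequence. The function names, the sample inputs and the particular deny list are all assumptions made for the demonstration.

```php
<?php
// Added example, not code from the original thread: a deny-list filter
// beside an allow-list filter, run over constructed inputs, to show why
// the allow-list survives characters the deny-list author never considered.

/**
 * Deny-list approach: strip the characters we currently know are dangerous.
 * Everything NOT on this list passes through untouched.
 */
function denyListClean(string $dirty): string
{
    $knownBad = ['"', "'", ';', '*', '|', '%2B'];
    return str_replace($knownBad, ' ', $dirty);
}

/**
 * Allow-list approach (Valdis's pseudocode as working PHP): keep only ASCII
 * letters, digits and space; every other byte becomes a space. Without the
 * /u modifier PCRE works on bytes, so each byte of a multi-byte or malformed
 * UTF-8 sequence is blanked individually.
 */
function allowListClean(string $dirty): string
{
    return preg_replace('/[^A-Za-z0-9 ]/', ' ', $dirty);
}

/** Render non-printable bytes as octal escapes so the output is readable. */
function show(string $s): string
{
    return '"' . addcslashes($s, "\0..\37\177..\377") . '"';
}

// Constructed sample inputs (not taken from the thread). Each one carries a
// character the deny-list above does not anticipate.
$samples = [
    ['bob',                 'ordinary value'],
    ['bob%2Bx',             'URL-encoded plus, on the deny list'],
    ['bob%2bx',             'same thing in lower-case hex'],
    ['bob^cat /etc/passwd', 'caret: some shells treat it like a pipe'],
    ["bob\x00admin",        'embedded NUL byte'],
    ["bob\xC0\xBCscript",   'overlong UTF-8 encoding of "<"'],
];

foreach ($samples as [$input, $why]) {
    printf("%-40s\n  deny-list : %s\n  allow-list: %s\n",
        $why, show(denyListClean($input)), show(allowListClean($input)));
}
```

Run it with `php` on the command line. The deny-list passes the lower-case `%2b`, the caret, the NUL byte and the overlong sequence unchanged, because none of them is on its list; the allow-list blanks all of them without its author ever having heard of them. Two caveats a practitioner would add: the allow-list is destructive (it turns `O'Brien` into `O Brien`), so it suits identifiers and tokens rather than free text, and it is a complement to, not a replacement for, context-specific handling such as prepared statements for SQL and output encoding for HTML.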