From: RoMaNSoFt (r0man_at_phreaker.net)
Date: Sat Oct 12 2002 - 15:27:22 CDT
On Sat, 12 Oct 2002 10:04:10 -0400, you wrote:
>> Remember - don't filter known bad chars. Filter *everything*
>> *but* known good.
>
>Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP. Anyone
>take a stab at it yet?
Hi vuln-devels,
These are the functions I've coded for the described purpose
(comments are in Spanish but the code is self-explanatory):
<?php
/* Strips every character except alphanumerics (whitelist: A-Z, a-z, 0-9).
   Takes $var by reference and modifies it in place. */
function filtro_alfanumerico(&$var) {
    $sinfiltrar = $var;
    $var = preg_replace("/[^A-Za-z0-9]/", "", $var);
    if ($sinfiltrar == $var) {
        return 0; // Returns FALSE (0) if nothing was stripped
    } else {
        return 1; // Returns TRUE (1) if characters were stripped
    }
}

/* Strips every character except digits (whitelist: 0-9).
   Takes $var by reference and modifies it in place. */
function filtro_numerico(&$var) {
    $sinfiltrar = $var;
    $var = preg_replace("/[^0-9]/", "", $var);
    if ($sinfiltrar == $var) {
        return 0; // Returns FALSE (0) if nothing was stripped
    } else {
        return 1; // Returns TRUE (1) if characters were stripped
    }
}
Then, from main program you only have to use something like:
filtro_numerico($id);
(this will strip all chars except numbers; to be used for typical
variables intended to contain only numbers)
You can also check for hacking attempts or things like that:
if (filtro_numerico($id)) {
    echo "Hacking attempt detected. The id value never should be a
non-numeric value. I've removed the offending chars.";
}
In a similar way you can use "filtro_alfanumerico", to perform
non-alphanumeric stripping.
Salu2,
--Roman
-- PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ]
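The helpers in the post strip unwanted characters and hand the remainder on. An added example (not code from Roman's post) shows the same whitelist principle written as validation that rejects any value not entirely made of known-good characters, which avoids a tampered value being silently turned into a different but "valid" one. Function names (id_numerico, token_alfanumerico, validar_peticion) and the sample inputs are my own and were constructed for the illustration.

```php
<?php
// Added example, not part of the original post: whitelist VALIDATION in PHP.
// Where filtro_numerico() would turn "42 OR 1=1" into "4211" and carry on,
// these functions return null so the caller can refuse the request.

/* Returns the integer value of $var, or null unless it is 1..10 decimal digits. */
function id_numerico($var) {
    // \z anchors at the very end of the string; a bare $ would also match
    // just before a trailing newline and let "42\n" through.
    if (!is_string($var) || !preg_match('/^[0-9]{1,10}\z/', $var)) {
        return null;
    }
    return (int) $var;
}

/* Returns $var unchanged if it is 1..32 alphanumeric characters, else null. */
function token_alfanumerico($var) {
    if (!is_string($var) || !preg_match('/^[A-Za-z0-9]{1,32}\z/', $var)) {
        return null;
    }
    return $var;
}

/* The hardened form of the "hacking attempt" check from the post:
   validate, log a fixed message (never the raw value), and stop. */
function validar_peticion(array $get) {
    $id = id_numerico(isset($get['id']) ? $get['id'] : '');
    if ($id === null) {
        error_log("rejected request: id parameter is not a plain number");
        return null;            // caller answers 400 and does not touch the database
    }
    return $id;                 // only this value may reach a query, as a bound parameter
}

// Constructed sample inputs (not real traffic): each pair is value => should it be accepted?
$muestras = array(
    array('42',        true),   // plain id: accepted as 42
    array('42 OR 1=1', false),  // stripping would give "4211"; validation rejects it
    array("42\n",      false),  // trailing newline: caught by \z
    array('',          false),  // empty: rejected, no silent default
    array('007',       true),   // digits only; (int) gives 7
    array(str_repeat('9', 11), false), // longer than any id we issue
);

foreach ($muestras as $par) {
    list($entrada, $esperado) = $par;
    $id = id_numerico($entrada);
    $aceptado = ($id !== null);
    printf("%-14s -> %s%s\n", json_encode($entrada),
        $aceptado ? "accepted as " . $id : "rejected",
        $aceptado === $esperado ? "" : "   (UNEXPECTED)");
    if ($aceptado !== $esperado) {
        exit(1); // the validator does not behave as documented
    }
}

// Request-level usage with a constructed query string.
var_dump(validar_peticion(array('id' => '7')));            // int(7)
var_dump(validar_peticion(array('id' => '7; DROP TABLE'))); // NULL, and a log line
var_dump(token_alfanumerico('abc123'));                     // string(6) "abc123"
var_dump(token_alfanumerico('abc-123'));                    // NULL
```

The design choice is that a value failing the whitelist is evidence of tampering or a client bug, so the request is refused rather than repaired; repairing it (as the stripping functions do) can hand the application an id or token the user never sent.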