Vulnerability Development: Re: CROSS SITE-SCRIPTING Protection with PHP

Re: CROSS SITE-SCRIPTING Protection with PHP

From: <Valdis.Kletnieks_at_vt.edu>
Date: Thu, 10 Oct 2002 23:08:07 -0400

On Thu, 10 Oct 2002 23:41:34 -0000, Astalavista Baby <info_at_astalavista.com> said:
> like to see more and better ways ?!
>
> My idea: ( I think this is not safe enough?)
>
> function make_clean($value){
> $value = htmlspecialchars($value);
> $value = str_replace("%2B", "", $value);
> .... more ..
> return $value;
> }

Wrong.

You're filtering "known illegal" out, rather than refusing to pass only
probably legal characters through. You can enumerate %2B, ... more ...
and you're still totally screwed to the wall if you missed one (and remember
that all the Unicode exploits are basically "missed one"). Worse yet,
you're screwed to the wall if you have a complete list, but at a later date
somebody finds a new and creative way to use a character (did you know that
some Unix shells treat the ^ caret as equivalent to | pipe? ;)

I don't do PHP, but the pseudocode *should* be:

function make_clean($value) {
    $legalchars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "; // allow letters, numbers, space only
    for ($i = 0; $i < strlen($value); $i++) {
        if (strpos($legalchars, $value[$i]) === false) {
            $value[$i] = ' '; // bogus char? Make it a blank
        }
    }
    return $value; // hand the cleaned string back
}

Somebody finds a way to use doublequote to inject bad data? Somebody finds
a way to use asterisks or %2B? No problem - they weren't in my legalchars
list to start with.

Remember - don't filter known bad chars. Filter *everything* *but* known good.

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

Received on Oct 11 2002
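The two strategies discussed in this message, side by side, as an added example that is not part of the original thread. The function names clean_denylist() and clean_allowlist() and the sample inputs are my own; the deny-list version mirrors the quoted make_clean() (encode HTML metacharacters, then strip one enumerated sequence), the allow-list version keeps only letters, digits and space and blanks everything else.

```php
<?php
// Added example, not code from the original message. Function names and
// sample inputs are constructed for illustration.

// Deny-list approach, as in the quoted make_clean(): encode the HTML
// metacharacters, then strip the specific sequences the author thought of.
function clean_denylist(string $value): string {
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    $value = str_replace("%2B", "", $value);
    return $value;
}

// Allow-list approach: keep only characters known to be harmless for this
// field and replace every other byte with a blank.
function clean_allowlist(string $value): string {
    $legalchars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ';
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        $out .= (strpos($legalchars, $c) === false) ? ' ' : $c;
    }
    return $out;
}

// Constructed sample inputs. Each line after the first carries something the
// deny list never enumerated, which is exactly the failure mode the message
// describes: a complete list is only complete until the next case turns up.
$samples = [
    'plain text 123',      // harmless either way
    'name%2Bsurname',      // the one sequence the deny list knows about
    'name%2bsurname',      // same sequence, lower case: str_replace() is case-sensitive
    'foo|bar^baz',         // pipe and caret are shell, not HTML, metacharacters
    "caf\xc3\xa9",         // multibyte input: the byte-wise allow list blanks it
];

foreach ($samples as $s) {
    printf("%-18s deny-list => %-20s allow-list => %s\n",
        json_encode($s), clean_denylist($s), clean_allowlist($s));
}
```

The deny-list column leaves the lower-case `%2b`, the pipe and the caret untouched because nobody listed them; the allow-list column reduces all of them to blanks without anyone having to know they were dangerous. One caveat the loop makes visible: a byte-wise allow list also blanks legitimate non-ASCII text such as the accented "é", so a field that must accept such input needs a Unicode-aware allow list (for example `preg_replace('/[^\p{L}\p{N} ]/u', ' ', $value)`), which is still an allow list, just a wider one.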