Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: RoMaNSoFt <r0man () phreaker net>
Date: Sat, 12 Oct 2002 22:27:22 +0200
On Sat, 12 Oct 2002 10:04:10 -0400, you wrote:
> Remember - don't filter known bad chars. Filter *everything* *but* known good.
> Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP. Anyone take a stab at it yet?
Hi vuln-devels,

These are the functions I've coded for the described purpose (the comments were in Spanish and are translated here; the code is self-explanatory):

```php
<?php
/* Strips every character except alphanumerics */
function filtro_alfanumerico(&$var)
{
    $sinfiltrar = $var;
    $var = preg_replace("/[^A-Za-z0-9]/", "", $var);
    if ($sinfiltrar == $var) {
        return 0; // Returns FALSE if nothing was stripped
    } else {
        return 1; // Returns TRUE if characters were stripped
    }
}

/* Strips every character except digits */
function filtro_numerico(&$var)
{
    $sinfiltrar = $var;
    $var = preg_replace("/[^0-9]/", "", $var);
    if ($sinfiltrar == $var) {
        return 0; // Returns FALSE if nothing was stripped
    } else {
        return 1; // Returns TRUE if characters were stripped
    }
}
```

Then, from the main program you only have to use something like:

```php
filtro_numerico($id);
```

(this will strip all chars except numbers; to be used for typical variables intended to contain only numbers)

You can also check for hacking attempts or things like that:

```php
if (filtro_numerico($id)) {
    echo "Hacking attempt detected. The id value should never be a non-numeric value. I've removed the offending chars.";
}
```

In a similar way you can use "filtro_alfanumerico" to perform non-alphanumeric stripping.

Regards,
--Roman

--
PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
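The functions above implement the allow-list rule from the quoted message by stripping characters in place, which silently turns a request for id "42 OR 1=1" into a request for id "4211". The following is an added example by the editor, not code from RoMaNSoFt's post: it applies the same allow-list idea but rejects non-conforming input instead of rewriting it, anchors the patterns so a trailing newline cannot slip past, and handles the case the character filter cannot cover (free text such as a comment field) by escaping at output time with htmlspecialchars(). The function names, the length limits and the sample inputs are the editor's own choices and are constructed for the demonstration.

```php
<?php
// Editor's added example (not from the original post): allow-list validation
// that rejects rather than strips, plus output escaping for free text.

/**
 * Validate an id as a decimal integer of 1..10 digits.
 * Returns the int, or null if the input is not an allow-listed value.
 * Nothing is modified: the caller decides what to do with bad input.
 */
function validate_id(string $raw): ?int
{
    // \A and \z anchor the whole string; "$" alone would accept "42\n".
    if (preg_match('/\A[0-9]{1,10}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/**
 * Same idea for a username: letters, digits and underscore, 1..32 chars
 * (length limit is an assumption for the example).
 */
function validate_username(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw) === 1 ? $raw : null;
}

/**
 * Free text (comments, names with accents) cannot be reduced to [A-Za-z0-9]
 * without destroying legitimate data, so it is kept as-is and escaped at the
 * point of output for the HTML text/attribute context it is placed in.
 */
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, as a request handler would receive them.
$tests = [
    'id'      => ['42', '42 OR 1=1', "42\n", '<script>'],
    'user'    => ['roman', 'r0man_2', 'bob<img src=x onerror=alert(1)>'],
    'comment' => ['<script>alert("xss")</script>', 'Plain text & "quotes"'],
];

foreach ($tests['id'] as $raw) {
    $id = validate_id($raw);
    printf("id      %-40s -> %s\n", var_export($raw, true),
           $id === null ? 'REJECTED' : "ok ($id)");
}
foreach ($tests['user'] as $raw) {
    $u = validate_username($raw);
    printf("user    %-40s -> %s\n", var_export($raw, true),
           $u === null ? 'REJECTED' : 'ok');
}
foreach ($tests['comment'] as $raw) {
    // This is what goes into the page body; the raw string never does.
    printf("comment %-40s -> %s\n", var_export($raw, true), html_text($raw));
}
```

Run it with `php example.php` (PHP 7.1 or later for the nullable return types). Rejecting instead of stripping keeps the "hacking attempt detected" check from the post meaningful: with stripping, "42 OR 1=1" is logged but still served as id 4211; with rejection the request is refused outright. For fields that must hold arbitrary text, the character allow-list does not apply and output escaping is the control that prevents cross-site scripting.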
Current thread:
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 14)
- RE: CROSS SITE-SCRIPTING Protection with PHP Rob Shein (Oct 12)
- RE: CROSS SITE-SCRIPTING Protection with PHP Chris Field (Oct 12)
- Re: CROSS SITE-SCRIPTING Protection with PHP RoMaNSoFt (Oct 12)
- RE: CROSS SITE-SCRIPTING Protection with PHP Rohan Amin (Oct 12)
- Re: CROSS SITE-SCRIPTING Protection with PHP Astalavista.NET Baby! (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Dan Kaminsky (Oct 15)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 16)