Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP


From: RoMaNSoFt <r0man () phreaker net>
Date: Sat, 12 Oct 2002 22:27:22 +0200

On Sat, 12 Oct 2002 10:04:10 -0400, you wrote:

> Remember - don't filter known bad chars.  Filter *everything*
> *but* known good.
>
> Ok, I'm no PHP guru, but I'd sure like to see this coded in PHP.  Anyone
> take a stab at it yet?

 Hi vuln-devels,

 These are the functions I've coded for the described purpose
(comments are in Spanish but the code is self-explanatory):

  <?php
  /* Strips every character except alphanumerics.
     Strict comparison (===) is used so that inputs such as "+1" or " 1",
     which PHP's loose == would treat as numerically equal to the stripped
     "1", are still reported as filtered. */
  function filtro_alfanumerico(&$var) {
    $sinfiltrar = $var;
    $var = preg_replace("/[^A-Za-z0-9]/", "", $var);
    if ($sinfiltrar === $var) {
      return 0;  // Returns FALSE if nothing was filtered
    } else {
      return 1;  // Returns TRUE if characters were filtered
    }
  }


  /* Strips every character except digits. */
  function filtro_numerico(&$var) {
    $sinfiltrar = $var;
    $var = preg_replace("/[^0-9]/", "", $var);
    if ($sinfiltrar === $var) {
      return 0;  // Returns FALSE if nothing was filtered
    } else {
      return 1;  // Returns TRUE if characters were filtered
    }
  }


 Then, from main program you only have to use something like:

filtro_numerico($id);

(this will strip all chars except numbers; to be used for typical
variables intended to contain only numbers)

 You can also check for hacking attempts or things like that:

if (filtro_numerico($id)) {
  echo "Hacking attempt detected. The id value should never be a
non-numeric value. I've removed the offending chars.";
}

 In a similar way you can use "filtro_alfanumerico", to perform
non-alphanumeric stripping.

 Salu2,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
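The same allow-list idea, as an added example that is not part of Roman's post: instead of silently repairing the value, anchored patterns accept or reject it outright, and whatever passes is still HTML-encoded on output. The function names, the sample requests and the log sink are assumptions for this example.

```php
<?php
// Added example (not from the original post): strict allow-list validation in
// the spirit of filtro_numerico()/filtro_alfanumerico(), but rejecting instead
// of stripping. Function names and sample data are assumptions.

/* Returns the value when it matches the allow-list pattern exactly, null otherwise.
   \A and \z anchor both ends; a trailing "\n" would otherwise slip past $ . */
function whitelist(string $value, string $pattern): ?string {
    return preg_match($pattern, $value) === 1 ? $value : null;
}

/* Numeric id: digits only, with a bounded length so it fits an integer column. */
function validate_id(string $value): ?int {
    $ok = whitelist($value, '/\A[0-9]{1,10}\z/');
    return $ok === null ? null : (int) $ok;
}

/* Alphanumeric token such as a user name, bounded length. */
function validate_token(string $value): ?string {
    return whitelist($value, '/\A[A-Za-z0-9]{1,32}\z/');
}

/* Constructed sample requests standing in for $_GET. */
$samples = [
    ['id' => '42',       'name' => 'roman'],                            // accepted
    ['id' => '42; DROP', 'name' => 'roman'],                            // id rejected
    ['id' => "42\n",     'name' => '<script>alert(1)</script>'],        // both rejected
    ['id' => '+1',       'name' => 'ok'],                               // id rejected
];

foreach ($samples as $req) {
    $id   = validate_id($req['id']);
    $name = validate_token($req['name']);
    if ($id === null || $name === null) {
        // Record the raw input for the analyst; never echo it back unencoded.
        error_log('input rejected: ' . json_encode($req));
        continue;
    }
    // Even allow-listed data is encoded on output: defence in depth against XSS.
    echo 'id=' . $id . ' name=' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
}
```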

