WebApp Sec mailing list archives

Re: PHP variable sanitization functions


From: Liam Quinn <liam () htmlhelp com>
Date: Sun, 24 Aug 2003 21:36:17 -0400 (EDT)

On Sun, 24 Aug 2003, Gavin Zuchlinski wrote:

> I wrote a couple of sanitization routines that are better suited for certain
> situations (arguments to system(), variables in SQL, paranoid, etc...) for
> everyone to use. Everything is based off of some simple regular expressions
> so it should be pretty portable to other languages.
> Now please help me make these functions a little bit better and more
> versatile :-).  Let me know all the ways to break this to still do nasty
> things that these routines are meant to stop, and also if sanitization
> breaks anything.
> Finally.... http://libox.net/sanitize.php

Your sanitize_sql_string function allows backslash.  See 
<http://www.securityfocus.com/archive/107/311374/2003-02-07/2003-02-13/0> 
from the list archives for why this is a problem.

Your sanitize_system_string function allows the string to contain 
newlines and quotation marks.  An attacker could close the argument with a 
quotation mark, add a newline, and then run an arbitrary command.

You're also missing some other shell metacharacters.  Here's the list of
shell metacharacters given in the WWW Security FAQ [*]:

&;`'\"|*?~<>^()[]{}$\n\r

[*] http://www.w3.org/Security/faq/wwwsf4.html#CGI-Q7

-- 
Liam Quinn
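An added illustration of the points raised in this reply (example code written here, not the libox.net routines and not code from the message): a blocklist that omits newlines and quotes leaves them untouched, a check against the full FAQ metacharacter list catches them, and an allowlist (the permitted character set below is an assumption) rejects anything it does not recognise.

```python
import re

# Shell metacharacters as listed in the WWW Security FAQ (the list quoted in
# the message above); \n and \r are the newline and carriage-return characters.
SHELL_METACHARS = frozenset("&;`'\"|*?~<>^()[]{}$\n\r")

# Characters that are a problem inside a SQL string literal: the quotes that
# delimit it and the backslash the message says must not be let through.
SQL_RISK_CHARS = frozenset("\\'\"")

# Constructed stand-in for an incomplete blocklist that strips only a few
# separators.  It is NOT the libox.net function; it only illustrates the gap
# the message describes (quotes and newlines are left untouched).
INCOMPLETE_BLOCKLIST = frozenset("&;|`$")

# Allowlist (assumption: the application only needs letters, digits, . _ @ -).
ALLOWED_ARG = re.compile(r"[A-Za-z0-9._@-]+")


def strip_chars(value, blocklist):
    """Blocklist approach: drop every character found in `blocklist`."""
    return "".join(ch for ch in value if ch not in blocklist)


def find_disallowed(value, charset):
    """Return, sorted, the characters of `charset` that occur in `value`."""
    return sorted(set(value) & charset)


def is_safe_system_arg(value):
    """Allowlist approach: reject anything outside ALLOWED_ARG outright,
    so a metacharacter missing from a blocklist cannot slip through."""
    return ALLOWED_ARG.fullmatch(value) is not None


def is_safe_sql_string(value):
    """Reject a SQL string value that carries a quote or a backslash."""
    return not find_disallowed(value, SQL_RISK_CHARS)


if __name__ == "__main__":
    # Constructed sample: a value that closes a double-quoted argument and
    # starts a new line, the shape of input the message warns about.
    sample = 'report"\nsecond line'
    print(repr(strip_chars(sample, INCOMPLETE_BLOCKLIST)))  # unchanged: blocklist gap
    print(find_disallowed(sample, SHELL_METACHARS))         # ['\n', '"']
    print(is_safe_system_arg(sample))                       # False
    print(is_safe_system_arg("report-2003.txt"))            # True
    print(is_safe_sql_string("C:\\temp"))                   # False: backslash
```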
