WebApp Sec mailing list archives
Re: PHP variable sanitization functions
From: Liam Quinn <liam () htmlhelp com>
Date: Sun, 24 Aug 2003 21:36:17 -0400 (EDT)
On Sun, 24 Aug 2003, Gavin Zuchlinski wrote:
> I wrote a couple of sanitization routines that are better suited for certain situations (arguments to system(), variables in SQL, paranoid, etc...) for everyone to use. Everything is based off of some simple regular expressions so it should be pretty portable to other languages. Now please help me make these functions a little bit better and more versatile :-). Let me know all the ways to break this to still do nasty things that these routines are meant to stop, and also if sanitization breaks anything. Finally.... http://libox.net/sanitize.php
Your sanitize_sql_string function allows backslash. See <http://www.securityfocus.com/archive/107/311374/2003-02-07/2003-02-13/0> from the list archives for why this is a problem.

Your sanitize_system_string function allows the string to contain newlines and quotation marks. An attacker could close the argument with a quotation mark, add a newline, and then run an arbitrary command. You're also missing some other shell metacharacters. Here's the list of shell metacharacters given in the WWW Security FAQ [*]:

&;`'\"|*?~<>^()[]{}$\n\r

[*] http://www.w3.org/Security/faq/wwwsf4.html#CGI-Q7

--
Liam Quinn
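As an added example (not code from this thread or from the sanitize.php at libox.net), here is a portable version of the check Liam's reply calls for, written in Python since the original post says the approach should port to other languages: it reports which of the WWW Security FAQ metacharacters a value contains, replaces the blocklist with an allowlist, shows why a `$`-anchored pattern would still let a trailing newline through, and quotes the value as a single shell word; all function and constant names are this example's own.

```python
import re
import shlex

# Shell metacharacters as listed in the WWW Security FAQ (CGI-Q7) and quoted
# in the reply above: &;`'\"|*?~<>^()[]{}$\n\r  (the \" there is a quoted
# double quote; backslash itself is excluded by the allowlist below anyway).
SHELL_METACHARS = set('&;`\'"|*?~<>^()[]{}$\n\r')

# Allowlist for a filename-like system() argument, chosen for this example;
# real code should use the narrowest pattern its own data format permits.
# \Z is deliberate: in Python's re, $ also matches just before a trailing
# newline, which is exactly the newline problem the reply points out.
SAFE_ARG = re.compile(r'\A[A-Za-z0-9_.\-/]+\Z')
NAIVE_ARG = re.compile(r'^[A-Za-z0-9_.\-/]+$')


def find_shell_metachars(value: str) -> list:
    """Return the FAQ metacharacters present in value, in first-seen order."""
    seen = []
    for ch in value:
        if ch in SHELL_METACHARS and ch not in seen:
            seen.append(ch)
    return seen


def is_safe_system_arg(value: str) -> bool:
    """Allowlist check: accept only characters the argument format needs."""
    return SAFE_ARG.match(value) is not None


def is_safe_system_arg_naive(value: str) -> bool:
    """Same allowlist anchored with $ instead of \\Z; kept to show the gap."""
    return NAIVE_ARG.match(value) is not None


def quote_for_shell(value: str) -> str:
    """Quote so the whole value reaches the command as one literal word."""
    return shlex.quote(value)


# Constructed sample inputs: a benign filename, the same name with a
# trailing newline, and a value carrying the quote-then-newline pattern.
BENIGN = 'report-2003.txt'
TRAILING_NEWLINE = 'report-2003.txt\n'
QUOTE_NEWLINE = 'report.txt"\necho injected'
```

The `NAIVE_ARG` variant accepts `TRAILING_NEWLINE` while `SAFE_ARG` rejects it, which is the same class of gap the reply describes in sanitize_system_string; quoting with `shlex.quote` (the analogue of PHP's `escapeshellarg()`) is the safer route when the value cannot be restricted to an allowlist.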
Current thread:
- PHP variable sanitization functions Gavin Zuchlinski (Aug 24)
- Re: PHP variable sanitization functions Liam Quinn (Aug 24)
- Re: PHP variable sanitization functions Jamie Pratt (Aug 25)
- Re: PHP variable sanitization functions Gavin Zuchlinski (Aug 25)
- <Possible follow-ups>
- Re: PHP variable sanitization functions Ulf Harnhammar (Aug 26)
- Re: PHP variable sanitization functions Jan Pieter Kunst (Aug 26)
- Re: PHP variable sanitization functions Cameron Green (Aug 26)
- Re: PHP variable sanitization functions Jan Pieter Kunst (Aug 27)
- Re: PHP variable sanitization functions Cameron Green (Aug 27)
- Re: PHP variable sanitization functions Gavin Zuchlinski (Aug 28)
- Re: PHP variable sanitization functions Jean-Jacques Halans (Aug 29)
- Looking for coder.htm / ASCII encoder n30 (Aug 29)
- Re: PHP variable sanitization functions Jan Pieter Kunst (Aug 26)
- Re: PHP variable sanitization functions Liam Quinn (Aug 24)