WebApp Sec mailing list archives
Re: PHP variable sanitization functions
From: "Ulf Harnhammar" <metaur () operamail com>
Date: Tue, 26 Aug 2003 12:23:39 +0100
Hello, putting together those functions was a nice initiative! Some more things to change:

* You should also check for the length of strings. Being able to send in thousands of characters from an allowed set of characters could lead to buffer overflows, if a web application passes data over to C/C++ programs. It's best to disallow too long strings.

* In some situations, numeric values must be (a) numeric (eh) and (b) in a certain range, to avoid huge iframes (makes my machine completely overloaded, when using Galeon or Mozilla) or problems with widths that are zero or negative. Something like this (warning! untested code!) might be useful:

    // Returns true when $val is a plain decimal integer within [$min, $max].
    // Anchored with \z rather than $: in PCRE a bare $ also matches
    // before a trailing newline, so "42\n" would otherwise slip through.
    function sane_integer($val, $min, $max)
    {
        if (!preg_match('/^-?[0-9]+\z/', $val))
            return false;
        if (($val < $min) or ($val > $max))
            return false;
        return true;
    }

// Ulf Harnhammar
kses - PHP HTML/XHTML filter
http://sourceforge.net/projects/kses
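Validators in the same spirit, as an added example that is not part of Ulf's post or of kses: they return the checked value (or null) instead of true/false so callers never fall back on the raw input, they enforce the length and range limits the post recommends, and they reject the overflow and trailing-newline cases a bare regex misses. The function names, the charclass parameter and the $_GET keys are assumptions.

```php
<?php
// Added example, not from Ulf's post or from kses. Validators in the
// spirit of the post that return the checked value or null, so the
// caller uses the returned value instead of the raw input.

// Plain decimal integer within [$min, $max], or null.
// In PCRE a bare '$' also matches before a trailing "\n", so "42\n"
// passes /^-?[0-9]+$/; \z anchors at the real end of the string.
function sane_integer($val, int $min, int $max): ?int
{
    if (is_int($val)) {
        $val = (string) $val;
    }
    if (!is_string($val) || !preg_match('/^-?(0|[1-9][0-9]*)\z/', $val)) {
        return null;   // not a canonical decimal integer (no "007", no "1e3")
    }
    $n = (int) $val;
    if ((string) $n !== $val) {
        return null;   // overflowed PHP_INT_MAX/PHP_INT_MIN, or "-0"
    }
    if ($n < $min || $n > $max) {
        return null;   // outside the allowed range
    }
    return $n;
}

// String made only of characters from a bracket expression such as
// '[A-Za-z0-9_]', with a hard byte-length cap (the post's point about
// thousands of "allowed" characters). $charclass must be a constant
// written by the developer, never taken from the request.
function sane_string($val, string $charclass, int $max_len): ?string
{
    if (!is_string($val) || $val === '' || strlen($val) > $max_len) {
        return null;
    }
    if (!preg_match('/^' . $charclass . '+\z/', $val)) {
        return null;
    }
    return $val;
}

// Example use: an <iframe> width and a username, both from the query string.
$width = sane_integer($_GET['width'] ?? '', 1, 1024);
$user  = sane_string($_GET['user'] ?? '', '[A-Za-z0-9_]', 32);
if ($width === null || $user === null) {
    http_response_code(400);
    exit('bad input');
}
```

Inputs the post's original regex accepts but this rejects include "42\n", "007", "-0" and 20-digit strings that would silently overflow PHP's integer range.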
Current thread:
- PHP variable sanitization functions Gavin Zuchlinski (Aug 24)
- Re: PHP variable sanitization functions Liam Quinn (Aug 24)
- Re: PHP variable sanitization functions Jamie Pratt (Aug 25)
- Re: PHP variable sanitization functions Gavin Zuchlinski (Aug 25)
- <Possible follow-ups>
- Re: PHP variable sanitization functions Ulf Harnhammar (Aug 26)
- Re: PHP variable sanitization functions Jan Pieter Kunst (Aug 26)
- Re: PHP variable sanitization functions Cameron Green (Aug 26)
- Re: PHP variable sanitization functions Jan Pieter Kunst (Aug 27)
- Re: PHP variable sanitization functions Cameron Green (Aug 27)
- Re: PHP variable sanitization functions Gavin Zuchlinski (Aug 28)
- Re: PHP variable sanitization functions Jean-Jacques Halans (Aug 29)
- Looking for coder.htm / ASCII encoder n30 (Aug 29)
- Re: PHP variable sanitization functions Jan Pieter Kunst (Aug 26)
- Re: PHP variable sanitization functions Liam Quinn (Aug 24)
- Re: PHP variable sanitization functions Tim Tompkins (Aug 29)