WebApp Sec mailing list archives

Re: PHP variable sanitization functions


From: "Ulf Harnhammar" <metaur () operamail com>
Date: Tue, 26 Aug 2003 12:23:39 +0100

Hello, putting together those functions was a nice initiative!

Some more things to change:

* You should also check for the length of strings. Being able to send in thousands of characters from an allowed set of characters could lead to buffer overflows, if a web application passes data over to C/C++ programs. It's best to disallow too long strings.

* In some situations, numeric values must be (a) numeric (eh) and (b) in a certain range, to avoid huge iframes (makes my machine completely overloaded, when using Galeon or Mozilla) or problems with widths that are zero or negative.

Something like this (warning! untested code!) might be useful:

function sane_integer($val, $min, $max)
{
  // Accept only an optional minus sign followed by digits; this rejects
  // whitespace, "+", decimals, exponents and anything non-numeric.
  if (!preg_match('/^-?[0-9]+$/', $val))
    return false;

  // $val is still a string here; PHP compares a numeric string with an
  // integer numerically, so the range check works without a cast.
  if (($val < $min) || ($val > $max))
    return false;

  return true;
}

// Ulf Harnhammar
   kses - PHP HTML/XHTML filter
   http://sourceforge.net/projects/kses
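An added example, not code from the post above, that covers both suggestions in one place: a string check that limits length before matching an allow-list, and an integer range check built on PHP's filter_var() with FILTER_VALIDATE_INT, which also rejects values that overflow PHP_INT_MAX. The names sane_string and sane_integer_strict and the sample inputs are my own.

```php
<?php
// Added example (not from the original post): length-limited allow-list
// check for strings, and an integer range check built on filter_var().

// Accept $val only if it is a string, no longer than $max_len bytes,
// and made solely of characters matched by the allow-list pattern.
function sane_string($val, $max_len, $allowed = '/^[A-Za-z0-9_-]*$/')
{
    if (!is_string($val)) {
        return false;
    }
    // Check the length before running the regex, so oversized input is
    // rejected cheaply and never reaches a downstream C/C++ program.
    if (strlen($val) > $max_len) {
        return false;
    }
    return preg_match($allowed, $val) === 1;
}

// Return the integer value of $val if it is a well-formed integer within
// [$min, $max], otherwise false. Inputs such as "1e3", "12abc" and numbers
// beyond PHP_INT_MAX are rejected by the filter itself.
function sane_integer_strict($val, $min, $max)
{
    if (!is_string($val) && !is_int($val)) {
        return false;
    }
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    // filter_var() returns the int on success and false on failure;
    // callers must compare with !== false, because a valid 0 is falsy too.
    return filter_var($val, FILTER_VALIDATE_INT, $opts);
}

// Constructed sample inputs, e.g. an iframe width taken from a query string.
$cases = ['640', '0', '-5', '99999999999999999999', '1e3', '12abc'];
foreach ($cases as $c) {
    $n = sane_integer_strict($c, 1, 2000);
    printf("%-22s => %s\n", var_export($c, true),
           $n === false ? 'reject' : "accept ($n)");
}

// Constructed string inputs: a 5000-byte run of allowed characters is
// rejected on length alone; a short identifier passes.
var_dump(sane_string(str_repeat('a', 5000), 64));
var_dump(sane_string('user_42', 64));
```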
