WebApp Sec mailing list archives
PHP for preventing SQL injections?
From: "Ulf Harnhammar" <metaur () operamail com>
Date: Wed, 17 Sep 2003 09:15:54 +0100
> i.e. /[a-zA-Z0-9\.\_\-\/:\;\,\!\"\$\%\&\(\)\{\}\?\@\^\#\\\+\*\~\>\<\|\s\t]+/ should be enough ... perhaps i've missed some also needed chars.
Well, this regex isn't grounded either to the beginning or the end, so it's possible to get bad things past it. It also doesn't check the length of data, which I feel is a good thing, to avoid buffer overflows. A better regex would be:

^[-_.:;.!A-Za-z0-9\s]{1,100}$

The set of allowed characters will vary depending on the circumstances, what country the users are in and so on.

// Ulf Harnhammar

kses - PHP HTML/XHTML filter
http://sourceforge.net/projects/kses
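The two regexes discussed in this message, run through PHP's preg_match() side by side, as an added example that is not part of the original post or of kses. The sample inputs are constructed for the demonstration, the helper name passes_filter is made up here, and the "D" modifier on the anchored pattern is my addition, not something the post proposed.

```php
<?php
// Added example, not code from the original post or from kses. It runs the
// two regexes discussed in the thread through preg_match() against a few
// constructed inputs to show why anchoring and a length bound matter.

// Allowed-character set as quoted earlier in the thread, left unanchored.
// (Written as a single-quoted PHP string, so the regex's "\\" for a literal
// backslash has to be doubled once more.)
$unanchored = '/[a-zA-Z0-9\.\_\-\/:\;\,\!\"\$\%\&\(\)\{\}\?\@\^\#\\\\\+\*\~\>\<\|\s\t]+/';

// The anchored, length-limited version from the reply above. The "D" modifier
// is added here (an assumption, not from the post) so that "$" matches only at
// the very end of the string and not before a trailing newline, which is what
// PCRE's "$" does by default.
$anchored = '/^[-_.:;.!A-Za-z0-9\s]{1,100}$/D';

// True when preg_match() reports a match. preg_match() returns 1 for a match,
// 0 for no match and false on error, so compare strictly against 1 rather than
// relying on truthiness.
function passes_filter(string $regex, string $value): bool
{
    return preg_match($regex, $value) === 1;
}

// Constructed inputs: a benign value, an injection-style probe containing a
// single quote (which neither character set allows), an over-long value and
// the empty string.
$samples = [
    'plain username'    => 'alice',
    'quote-based probe' => "' OR 1=1 --",
    '101 characters'    => str_repeat('a', 101),
    'empty string'      => '',
];

// The unanchored pattern accepts the probe because preg_match() succeeds as
// soon as ANY substring matches: " OR 1" consists entirely of allowed
// characters, so the single quote next to it is never examined. The anchored
// pattern requires the whole string to be drawn from the set, so the quote
// rejects it, and {1,100} rejects the 101-character value. Both reject the
// empty string, since "+" and {1,100} each need at least one character.
foreach ($samples as $label => $value) {
    printf(
        "%-18s unanchored=%-7s anchored=%s\n",
        $label,
        passes_filter($unanchored, $value) ? 'pass' : 'reject',
        passes_filter($anchored, $value) ? 'pass' : 'reject'
    );
}
```

Two things worth keeping in mind when using a filter like this. First, an allow-list regex validates the shape of a value; it is not on its own a complete defence against SQL injection, and the query should still be built with the database API's parameter binding (prepared statements) rather than string concatenation, so that the value is never interpreted as SQL regardless of what the filter let through. Second, the character set quoted at the top of the thread admits ";", "\"" and "%" among others, so anchoring it would still let those characters reach the query; the reduced set in the reply is the one to start from.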
Current thread:
- PHP for preventing SQL injections? Ulf Harnhammar (Sep 17)
- <Possible follow-ups>
- Re: PHP for preventing SQL injections? b0iler _ (Sep 21)
- Re: PHP for preventing SQL injections? Ulf Harnhammar (Sep 22)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 22)
- Re: PHP for preventing SQL injections? David Cameron (Sep 23)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 22)
- Re: PHP for preventing SQL injections? Ulf Harnhammar (Sep 23)
- Re: PHP for preventing SQL injections? Sverre H. Huseby (Sep 23)