  1. #1 Cups

    Good enough filter for incoming vars?

    Hi,

    I am handling some address inputs from an online form.
    PHP Code:
    $good = "as ds1234_dfa -sdf";
    $bad  = "123 asd&fasdf _ -_%";

    $allowed = array(' ', '-', '_'); // some non-word chars I do allow

    $tmp = str_replace($allowed, '', $good); // clear out the ones I allow

    preg_match_all("#\W#", $tmp, $matches); // catch the rest

    if (!empty($matches[0])) {
        echo 'BAD';
        // send away
    }

    // else continue processing elements
    This seems a bit simplistic but it seems to work, is it a good enough filter?

    I only want alpha-numeric characters, spaces, _ and - to be allowed through; for everything else I send users away (they are picking from drop-lists on all but one input field).

    What do you think? Can it be improved?

  2. #2 logic_earth
    compress it all down to a single preg_match
    PHP Code:
    if (preg_match('/[^-\w ]/', $input)) {
        // Bad!
    }

    Also validate the select boxes as well: since you know what they contain, make sure what you get is what you put into those drop-downs.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3 SitePoint Evangelist
    It follows the principle of least privilege, so I would say YES, it serves fine as a filter. For additional security you can maybe try validating the input data after the filter has been applied, then of course escaping before serialization.

    1. Filter
    2. Validate
    3. Escape
    The only constant in software is change itself

  4. #4 SitePoint Wizard
    You may want to make sure what remains is useful.
    For all you know the string could be '--- __ ---'
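    Putting the replies together, as an added example that is not code from the thread: logic_earth's one-regex filter for the free-text field, an exact-match check for the drop-down values (post #2), and a check that something useful survives the filter (post #4). Field names, the option list and the sample inputs are assumed.

```php
<?php
// Added example, not code from the thread. Field names, the option list and
// the sample inputs are assumed values constructed for illustration.
// logic_earth's one-regex filter: anything outside word chars, space or '-' is bad.
// \w already covers '_'; without /u it is ASCII-only, so accents are rejected too.
function hasForbiddenChars(string $value): bool
{
    return preg_match('/[^-\w ]/', $value) === 1;
}

// Drop-down values: the form generated them, so compare against that exact
// list (strict comparison) rather than running the character filter on them.
function isKnownOption(string $value, array $options): bool
{
    return in_array($value, $options, true);
}

// Free-text field: must pass the character filter AND contain at least one
// letter or digit, so that post #4's '--- __ ---' case is not accepted.
function isUsefulText(string $value): bool
{
    return !hasForbiddenChars($value) && preg_match('/[A-Za-z0-9]/', $value) === 1;
}

// Check a whole submission; returns the first failing field name, or null if all pass.
// is_string() guards against PHP turning field[]=... into an array value.
function firstBadField(array $post, array $selectOptions): ?string
{
    foreach ($selectOptions as $field => $options) {
        if (!is_string($post[$field] ?? null) || !isKnownOption($post[$field], $options)) {
            return $field;
        }
    }
    if (!is_string($post['zip'] ?? null) || !isUsefulText($post['zip'])) {
        return 'zip';
    }
    return null;
}

$selectOptions = ['time' => ['08:00', '12:30', '17:45']]; // assumed drop-down contents
$submissions = [
    ['time' => '12:30', 'zip' => 'SW1A 1AA'],      // passes everything
    ['time' => '12:30', 'zip' => '123 asd&fasdf'], // '&' fails the character filter
    ['time' => '12:30', 'zip' => '--- __ ---'],    // filter passes, nothing useful left
    ['time' => '99:99', 'zip' => 'SW1A 1AA'],      // tampered drop-down value
];
foreach ($submissions as $post) {
    $bad = firstBadField($post, $selectOptions);
    echo $bad === null ? "OK\n" : "BAD field: $bad\n";
}
```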

  5. #5 Cups
    Nice comments, cheers everyone.

    @logic_earth, hmphhh - I just knew it could be smaller ... just couldn't get any clarity on this one, really - thanks a lot.

    I am sticking all the drop-downs (things like time and dates generated by me) and form elements into the same $tmp variable for the sake of expediency on this one. Then just running one check over the lot.

    For once I am not manipulating, or storing this data, just adding some value and shovelling it on to another site.

    If they have tampered with the data, I just want a boolean error asap and will send them to a default entry page on the other site. I am not interested in cleaning up their errors; there's only one input box and if they can't get their zip code right, screw 'em.

    @PCSpectra, yep, it's just a filter - thanks all the same.

    @crmalibu - if they stick crap in it, then they won't find their next bus or train home, so I don't care, as long as they can't hurt me on the way through my site.

    Thanks again all.

