PHP Server Side Scripting Forum

    
accepting only Safe Characters in formmail
astounded (msg:1301023), 6:24 pm on Mar 25, 2003 (gmt 0)

I am learning, and I put the snippet below into a formmail script so it would accept only safe characters. But when I test it, all other characters such as & * % also go through to the text file it writes to, and to the email the formmail.php sends it to. What am I doing wrong on this thing?

// Three literal strings, "A-Z", "a-z" and "0-9"; nothing treats them as character ranges
$safe_vars = array("A-Z", "a-z", "0-9");
foreach ($_POST as $key => $value) {
    // every posted value is copied in, HTML-escaped, whatever characters it contains
    $safe_vars[$key] = htmlspecialchars($value);
}

 

jatar_k (msg:1301024), 8:01 pm on Mar 25, 2003 (gmt 0)

The problem is that I don't think the snippet does anything that you think it does. Why not try explaining your methodology in words and we can see if we can't convert that to code.

astounded (msg:1301025), 9:27 pm on Mar 25, 2003 (gmt 0)

What I'm trying to do is restrict the characters which can be submitted by the form in order to limit potential hacking to the text file it writes to.

I was trying to accept only letters and numerals, and also the symbols for:

at @, dash -, and underscore _

Perhaps I am going about this entirely wrong.

jatar_k (msg:1301026), 9:32 pm on Mar 25, 2003 (gmt 0)

I think in your foreach you could have a regular expression that makes sure all chars in the var are in the allowed set.

I am not the regex guru here so maybe someone could offer one?

andreasfriedrich (msg:1301027), 9:40 pm on Mar 25, 2003 (gmt 0)

$save = preg_replace("'[^a-zA-Z0-9]'", '', $unsave);

will delete all characters that are not simple letters and numbers.

However, what's safe and what isn't will depend on the context. When you output the input as HTML then htmlspecialchars is all you really need to make sure that the output is safe. When you pass the input to the shell you might want to use escapeshellcmd. The method you suggested is rather brute force and eliminates more than really necessary in most cases.

Andreas

jatar_k (msg:1301028), 9:45 pm on Mar 25, 2003 (gmt 0)

Most of the time when I do data checking I use specific patterns/tests for specific fields. A phone number one way, an email another. Error checking always depends on what data you are receiving and what you plan on doing with it. Also on the possible vulnerabilities of any given action.

For example an upload field would need more rigorous checks to prevent malicious code being inserted onto your server.
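Putting andreasfriedrich's point about context-dependent escaping together with jatar_k's per-field patterns, here is an added example (not code from the thread) of how the formmail check could be written: one anchored whitelist per field, rejection rather than silent stripping, and the escaping chosen at the output. The field names, patterns, file name and the sample submission are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Field names, patterns and the
// sample submission below are constructed for the demonstration.

// One pattern per field, as jatar_k suggests. \A and \z anchor the whole
// value, so a single stray character anywhere makes the match fail.
$rules = [
    // letters, digits, '@', '-' and '_' only: the set astounded asked for
    'username' => '/\A[A-Za-z0-9@_-]{1,32}\z/',
    'phone'    => '/\A\+?[0-9][0-9 -]{6,19}\z/',
];

// Returns the validated fields, or throws on the first one that is missing
// or fails its pattern. Rejecting beats silently stripping characters.
function validate(array $post, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $pattern) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing field: $field");
        }
        if (preg_match($pattern, $post[$field]) !== 1) {
            throw new InvalidArgumentException("invalid characters in $field");
        }
        $clean[$field] = $post[$field];
    }
    return $clean;
}

// Email gets PHP's own validator rather than a hand-written character list.
function validateEmail(string $value): string
{
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    return $email;
}

// Constructed sample standing in for $_POST.
$post = ['username' => 'jane_doe-99', 'phone' => '+1 555-0100',
         'email' => 'jane@example.com'];
$clean = validate($post, $rules);
$clean['email'] = validateEmail($post['email']);

// Escaping is chosen at the output, per context (andreasfriedrich's point).
// HTML page: htmlspecialchars. Text log: the patterns already exclude line
// breaks and tabs, so one tab-separated record per line stays intact.
echo htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8'), "\n";
$record = implode("\t", $clean) . "\n";
file_put_contents('submissions.txt', $record, FILE_APPEND | LOCK_EX);
```

A value such as `jane&doe` is refused by `validate()` before anything is written or mailed, whereas the original snippet would have passed it through unchanged.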
