On Sat, 10 Jul 2010, bruce bruce wrote:
> Here is the steel strong sanitizer:
>
> $npaa = "$_POST[anpa]";
> $nxxa = "$_POST[anxx]";
> $blocka = "$_POST[ablock]";
> # Sanitize
> $blocka_san = strspn("$blocka", "0123456789");
> if ($blocka_san==4 && is_numeric($npaa) && is_numeric($nxxa) &&
>     is_numeric($blocka) && $npaa>=200 && $nxxa>=200 && $npaa!=900 &&
>     $npaa!=911)
> {
>     echo "Number passed sanitization";
> }
>
> What do you think? :-)
Yuk.
> On Sat, Jul 10, 2010 at 2:17 PM, bruce bruce <[email protected]>
> wrote:
>> Thanks again. Apparently all POST variables come through as strings.
You may want to read the relevant RFCs. Look for ENCTYPE.
>> The function you pointed out is I think already built in php
>> as is_numeric().
>> http://www.php.net/manual/en/function.is-numeric.php
You may want to read the function definition again. It allows plus,
exponential notation and hexadecimal notation as well.
>> I have my html/php file set so that the input field only takes 3 digit, 3
>> digit, 4 digit (NPA, NXX, Block) so your proposal of: '201,0); drop
>> database YOUR_DATABASE'; would fail due to its length and also I tested
>> with inputting letters and my IF function caught it and exited.
>> Furthermore, everything else (other than phone input fields) is drop
>> down boxes with specific numbers or letters inserted in them. I should
>> be 100% safe with those right?
>> By using form POST there should be no other loopholes left open
>> right? It's not like php $_GET so people can't try typing to the browser
>> in this format:
You may want to read the man pages for curl and wget -- both can submit
POST requests.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards [email protected] Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
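Added illustration (my own code, not anything posted in this thread): the PHP below wraps the sanitizer as posted, puts a strict digits-only validator next to it, and feeds both a few constructed NPA values that is_numeric() accepts but that are not three plain digits. It assumes PHP 7.1 or later; the function names, the table and column names in the PDO call, and the sample inputs are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1.
// Function names, the table/column names and the sample inputs below
// are my own.

// The sanitizer as posted, wrapped in a function so it can be called
// on constructed input.
function posted_check(string $npaa, string $nxxa, string $blocka): bool
{
    $blocka_san = strspn($blocka, "0123456789");
    return $blocka_san == 4 && is_numeric($npaa) && is_numeric($nxxa)
        && is_numeric($blocka) && $npaa >= 200 && $nxxa >= 200
        && $npaa != 900 && $npaa != 911;
}

// Strict replacement: the value must be a string (a request containing
// "anpa[]=..." makes $_POST['anpa'] an array), exactly $len characters
// long, and every character must be an ASCII digit. ctype_digit()
// rejects the sign, whitespace, decimal point and exponent forms that
// is_numeric() accepts (and, on PHP 5, its "0x..." hex form).
function digits_exact($value, int $len): bool
{
    return is_string($value)
        && strlen($value) === $len
        && ctype_digit($value);
}

// Validates the three POST fields and returns them as integers, or null.
function validate_number(array $post): ?array
{
    foreach (['anpa' => 3, 'anxx' => 3, 'ablock' => 4] as $field => $len) {
        if (!isset($post[$field]) || !digits_exact($post[$field], $len)) {
            return null;
        }
    }
    $npa = (int) $post['anpa'];
    $nxx = (int) $post['anxx'];
    // Same range rules the thread applies: NPA and NXX start at 200,
    // and 900 and 911 are rejected as NPA.
    if ($npa < 200 || $nxx < 200 || $npa === 900 || $npa === 911) {
        return null;
    }
    return ['npa' => $npa, 'nxx' => $nxx, 'block' => (int) $post['ablock']];
}

// Even validated values go to the database as bound parameters, never
// interpolated into the SQL string. Table and column names are hypothetical.
function insert_number(PDO $db, array $n): void
{
    $stmt = $db->prepare(
        'INSERT INTO numbers (npa, nxx, block) VALUES (:npa, :nxx, :block)'
    );
    $stmt->execute([
        ':npa' => $n['npa'], ':nxx' => $n['nxx'], ':block' => $n['block'],
    ]);
}

// Constructed inputs for the NPA field. Apart from '201', each one
// satisfies is_numeric() and compares >= 200, so it passes the posted
// check, yet none of them is three plain digits. A maxlength attribute
// in the form does not stop them; they can be sent directly, e.g.
//   curl -d 'anpa=2e2&anxx=555&ablock=1234' http://host/form.php
$samples = ['201', '2e2', '+201', ' 201', '201.', '0201'];
foreach ($samples as $v) {
    printf("%-8s posted_check: %-4s strict: %s\n",
        var_export($v, true),
        posted_check($v, '555', '1234') ? 'pass' : 'fail',
        validate_number(['anpa' => $v, 'anxx' => '555', 'ablock' => '1234'])
            ? 'pass' : 'fail'
    );
}

// An array where a string was expected fails the strict check outright;
// "$_POST[anpa]" in the posted code would have turned it into the string
// "Array" with a notice.
var_dump(validate_number(['anpa' => ['201'], 'anxx' => '555', 'ablock' => '1234']));
```

The strict check is deliberately a whitelist on the exact shape of the field (length plus character class) rather than a numeric test, because "numeric" in PHP is a much wider grammar than "digits". The prepared statement is there because validation and query construction are separate defences: even a field that can only ever be three digits should still reach the database as a bound parameter.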