While the proposed solution below may very well indeed work for this
situation it's a far better practice to strip the variable down to "known
to be good" values rather than "known to be bad" ones.  Rather than strip
$ and , marks from the variable it's far better to strip out anything
other than 0-9 and the '.' character.

In this given situation it may or may not have any advantage -- just a
different paradigm; and one that often improves application security.
Rather than think of what's disallowed think only of what is allowed.  A
"recent" example of this would be to follow the BugTraq postings on the
Unicode directory traversal exploits of MS IIS toward the latter end of
2000.  The patch was released to prevent certain attacks from coming
through but it proved to be a patch developed by somebody with rather
elementary security skills.  They prevented only -known- attacks from
working; workarounds surfaced within a day, if not hours.  Eventually they
put a competent coder on the job and things were fixed.

But, like I said, this probably isn't a security issue here -- just one of
robustness.  The two are rather similar in practice though.  As I said
before, the original poster's idea may very well work 100% of the time,
but I thought I'd take the opportunity to point out the difference.  I
posted a private reply to the original author that went something like
this:

Strip out anything except 0-9 characters (after formatting), add them,
divide by 100 and reformat.  I don't imagine any locale settings that
would cause this to error.

I don't mean to nit-pick at anybody here, that's my last objective.  Just
something to think about when coding.  Admittedly I've done the exact
opposite approach (stripping known bad vs. allowing known good) many times
and have been burned because of it.

Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI  49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612

On Fri, 14 Sep 2001, David Balatero wrote:

> I suppose you could just remove the $ and/or the comma with a regexp...
> www.php.net/eregi_replace


-- 
PHP Database Mailing List (http://www.php.net/)
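Added example, not code from the post or from the list: the two approaches the reply contrasts, applied in PHP to constructed currency strings, with the amounts summed as integer cents as the reply suggests. preg_replace() stands in for the eregi_replace() linked in the quote (the ereg functions were removed in PHP 7); a decimal-comma locale such as "1.234,56" would still need explicit handling before this step, since the known-good filter keeps the dot and drops the comma.

```php
<?php
// Added example (not from the mailing-list post). Compares "strip known-bad"
// ($ and , removed) with "keep known-good" (only 0-9 and . kept) on
// constructed currency strings, then sums the amounts as integer cents.

// Known-bad approach: remove only the characters we have thought of.
function strip_known_bad(string $s): string {
    return str_replace(['$', ','], '', $s);
}

// Known-good approach: keep only digits and the decimal point.
function keep_known_good(string $s): string {
    return preg_replace('/[^0-9.]/', '', $s);
}

// Parse a cleaned string into an integer number of cents, rejecting anything
// that is not a plain decimal amount so surprises fail loudly, not silently.
function to_cents(string $cleaned): int {
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $cleaned)) {
        throw new InvalidArgumentException("not a plain amount: '$cleaned'");
    }
    [$whole, $frac] = array_pad(explode('.', $cleaned, 2), 2, '');
    return (int)$whole * 100 + (int)str_pad($frac, 2, '0');
}

// Sum in integer cents and divide by 100 only when formatting, so float
// rounding never creeps into the running total.
function sum_amounts(array $inputs, callable $cleaner): string {
    $cents = 0;
    foreach ($inputs as $in) {
        $cents += to_cents($cleaner($in));
    }
    return number_format($cents / 100, 2, '.', '');
}

// Constructed inputs: the last one uses a space as thousands separator,
// which the known-bad list never anticipated.
$inputs = ['$1,234.56', '$0.10', '1 000.20'];

echo "known-good: " . sum_amounts($inputs, 'keep_known_good') . "\n"; // 2234.86

try {
    echo "known-bad:  " . sum_amounts($inputs, 'strip_known_bad') . "\n";
} catch (InvalidArgumentException $e) {
    // The space survives the known-bad strip and the amount is rejected.
    echo "known-bad:  rejected (" . $e->getMessage() . ")\n";
}
```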