--- Phillip Jackson <[EMAIL PROTECTED]> wrote:
> > Personally, I think this is a bad approach, regardless of how
> > well it is implemented. I think you will give yourself a false
> > sense of security.
> 
> What, then, do you yourself do in such an application requiring a
> response from the user to massage the data? Reject all input that
> doesn't conform to your whitelist?

Yes, that's it.

I know this may sound like a huge hassle compared to a nice
one-size-fits-all data filtering function, but I personally would never
rely on myself to be able to predict all of the different types of attacks
that people will come up with. There are many people who have as much
creativity as malice, and they are sure to come up with ways to exploit
holes in any blacklist approach I take.

So, when the user is submitting a name, for example, my approach would be
something like this:

Good Stuff: Alphabetic characters, hyphens, apostrophes, and spaces.
Bad Stuff: Everything else

The first time I used this code, I would probably log all of the bad
stuff, so that if I accidentally missed a valid character, I would add it
to my list of allowed characters. Over time, I would get it right, and I
would feel pretty confident that no bad guy could use a combination of
these characters to launch any sort of attack on my application.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
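An added example of the whitelist-and-log approach described above, written for this page and not code from Chris's post or from the PHP project. It keeps his allowed set (letters, hyphens, apostrophes, spaces), rejects everything else, and writes the rejected characters to a log so that a legitimate character missing from the whitelist shows up in review. The function names, the log path, the length cap and the sample names are assumptions.

```php
<?php
declare(strict_types=1);

// Whitelist for a "name" field: letters, hyphens, apostrophes, spaces.
// \A and \z anchor both ends (unlike $, \z does not allow a trailing newline).
// The length cap (1-100) is an addition beyond the post's character list.
const NAME_PATTERN = '/\A[A-Za-z\' -]{1,100}\z/';

// True only if every character of $name is in the whitelist.
function isValidName(string $name): bool
{
    return preg_match(NAME_PATTERN, $name) === 1;
}

// The distinct characters in $name that fall outside the whitelist.
// UTF-8 aware when the input is valid UTF-8, byte-wise otherwise.
function rejectedChars(string $name): array
{
    $bad = preg_replace('/[A-Za-z\' -]/', '', $name);
    $chars = preg_split('//u', $bad, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {           // not valid UTF-8: fall back to bytes
        $chars = $bad === '' ? [] : str_split($bad);
    }
    return array_values(array_unique($chars));
}

// Validate $input[$field]; return the value if it passes, null if not.
// Rejections are logged hex-encoded so the log file itself cannot be
// polluted by the very characters being rejected.
function validateNameField(array $input, string $field, string $logFile): ?string
{
    $value = $input[$field] ?? '';
    if (!is_string($value)) {         // e.g. name[]=x arrives as an array
        $value = '';
    }
    if (isValidName($value)) {
        return $value;
    }
    $hex = array_map('bin2hex', rejectedChars($value));
    error_log(
        sprintf("[%s] %s rejected, bad chars: [%s]\n",
                date('c'), $field, implode(' ', $hex)),
        3,
        $logFile
    );
    return null;
}

// Constructed sample inputs (assumptions, not data from the original post).
$samples = [
    "Mary-Jane O'Brien",               // passes the whitelist
    "Robert'); DROP TABLE users;--",   // rejected: ) ; -- etc. never reach SQL
    "<script>alert(1)</script>",       // rejected: < > ( ) /
    "Zoë Müller",                      // legitimate, but ë and ü are outside
                                       // the initial whitelist: they land in the log
];
foreach ($samples as $s) {
    $r = validateNameField(['name' => $s], 'name', '/tmp/rejected-names.log');
    printf("%-32s => %s\n", $s, $r === null ? 'REJECTED' : 'accepted');
}
```

The last sample is the point of the logging step: "Zoë Müller" is a real name, so after reviewing the log you would extend the character class (for instance to `\p{L}` with the `u` modifier) rather than loosen the rule to a blacklist. Note that the whitelist is applied to the raw field before any other use; escaping for the database or HTML output is a separate, later step and is not replaced by this check.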
