Yes, that's it.
I know this may sound like a huge hassle compared to a nice one-size-fits-all data filtering function, but I personally would never rely on myself to be able to predict all of the different types of attacks that people will come up with. There are many people who have as much creativity as malice, and they are sure to come up with ways to exploit holes in any blacklist approach I take.
So, when the user is submitting a name, for example, my approach would be something like this:
Good Stuff: Alphabetic characters, hyphens, apostrophes, and spaces.
Bad Stuff: Everything else
The first time I used this code, I would probably log all of the bad stuff, so that if I accidentally missed a valid character, I would add it to my list of allowed characters. Over time, I would get it right, and I would feel pretty confident that no bad guy could use a combination of these characters to launch any sort of attack on my application.
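The whitelist approach described above, written out as an added PHP example (this is not code from the original post): a name field accepts only letters, hyphens, apostrophes and spaces, everything else is rejected, and the rejected characters are logged so that a legitimately needed character can be added to the allowed set later. Using the Unicode letter class `\p{L}` rather than `[A-Za-z]`, the `$maxLen` limit, and the `error_log()` destination are my assumptions; the mbstring extension is assumed to be available.

```php
<?php
// Added example, not from the original post: whitelist validation of a "name"
// field. Allowed: letters, hyphens, apostrophes, spaces. Everything else is
// rejected and the offending characters are logged so the whitelist can be
// tuned over time instead of guessing at a blacklist.

declare(strict_types=1);

// \p{L} matches a letter in any script (assumption: the post said "alphabetic",
// this keeps names such as "Zoë" or "Müller" from being rejected).
// \z rather than $ so a trailing newline cannot slip past the check.
const NAME_WHITELIST = '/^[\p{L}\' -]+\z/u';

/**
 * Return the distinct characters in $value that fall outside the whitelist.
 */
function disallowedChars(string $value): array
{
    // Strip every allowed character; whatever remains is the "bad stuff".
    $bad = preg_replace('/[\p{L}\' -]/u', '', $value);
    if ($bad === null) {
        // preg_replace returns null on malformed UTF-8: treat the whole input as bad.
        return ['<invalid UTF-8>'];
    }
    $chars = preg_split('//u', $bad, -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($chars));
}

/**
 * Validate a submitted name. Returns true when it is entirely whitelisted;
 * otherwise logs what was rejected and returns false.
 */
function validateName(string $value, int $maxLen = 100): bool
{
    $len = mb_strlen($value, 'UTF-8');
    if ($value === '' || $len > $maxLen) {
        error_log(sprintf('name rejected: length %d outside 1..%d', $len, $maxLen));
        return false;
    }
    if (preg_match(NAME_WHITELIST, $value) === 1) {
        return true;
    }
    // Log the rejected characters: if a real name shows up here, extend the whitelist.
    error_log('name rejected, disallowed characters: ' . json_encode(disallowedChars($value)));
    return false;
}

// Constructed sample inputs.
$samples = [
    "Anne-Marie O'Neil",   // accepted
    "J. R. Smith",         // rejected: the period is not whitelisted (a candidate to add)
    "Mr <b>Bold</b>",      // rejected: angle brackets and slash
];
foreach ($samples as $s) {
    printf("%-22s => %s\n", $s, validateName($s) ? 'accepted' : 'rejected');
}
```

The second sample is the case the post has in mind: a reasonable name that the first version of the whitelist rejects. The log entry shows exactly which character caused it, so the decision to allow periods is made deliberately rather than by loosening the rule to "anything printable".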
My personal opinion is not that strict. When you have a well defined way to keep your scripts secure from malicious input, you are safe. The well defined way is to escape and quote any string that is used in SQL queries, and htmlspecialchars to output untrusted input.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
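The two habits from the reply above, as an added PHP example (not code from either poster): `htmlspecialchars` on every untrusted value at output time, and the query-side rule of never letting a raw string reach the SQL text. The prepared-statement form is a swap-in of my own for "escape and quote"; the legacy `mysqli` version is shown beside it for comparison. The `users` table, the `$pdo` and `$db` connection objects, and the sample name are assumptions.

```php
<?php
// Added example, not from the original thread: escaping for HTML output and
// keeping untrusted strings out of SQL text.

declare(strict_types=1);

/** Escape a string for an HTML element body or a quoted attribute value. */
function h(string $untrusted): string
{
    // ENT_QUOTES escapes both ' and " so the result is also safe inside
    // attribute quotes; ENT_SUBSTITUTE replaces malformed UTF-8 instead of
    // returning an empty string, which would silently drop the value.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Store a name with a prepared statement. The value travels to the server
 * separately from the SQL text, so quoting and escaping are no longer the
 * script's job. $pdo is assumed to be an open PDO connection with
 * PDO::ATTR_EMULATE_PREPARES set to false.
 */
function insertUser(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

/**
 * Legacy form of "escape and quote": the escaper and the surrounding quotes
 * must agree, and forgetting either one leaves the value interpretable as SQL.
 * $db is assumed to be an open mysqli connection with its charset set.
 */
function insertUserLegacy(mysqli $db, string $name): void
{
    $escaped = $db->real_escape_string($name);
    $db->query("INSERT INTO users (name) VALUES ('$escaped')");
}

// Constructed sample: a value containing characters that matter to HTML and SQL.
$name = "Mr <b>O'Neil</b> & Sons";

// Output side: escape at the point of output, never at the point of storage,
// so the database keeps the original and every output context escapes for itself.
echo '<p>Hello, ' . h($name) . "</p>\n";
echo '<input type="text" name="name" value="' . h($name) . "\">\n";
```

Escaping at output rather than at input is what lets the same stored value be rendered safely in more than one place; if it were escaped once on the way in, a later JSON or plain-text output would show the entities.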