It really depends on what you use the user input for.

If you are just storing into a database and splashing it out to an HTML page
later, htmlspecialchars() is adequate protection.

If this is a filename, then checks for the prefix "http://", for '..' and for
quotes in the file name, plus a base directory check, are needed.

If you are running a command line program, then < > | ' " come to mind. This
is probably not complete. Read a few advisories. The Perl security stuff is
good as they are the most vulnerable :-)

Regards, John

"Kevin" <[EMAIL PROTECTED]> wrote in message
> I think my question could be restated to: What characters are potentially
> lethal in user input.  I can do the regex.  But don't know what to parse
> of the strings.
> would removing  \ /  .  do the trick?
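As an added example, not code from either poster, the three contexts John lists above written out in PHP: encoding for HTML output, validating a user-supplied filename against a base directory, and passing a value to a command-line program. It goes slightly beyond the reply by quoting the whole shell argument with escapeshellarg() instead of stripping individual characters, and by resolving the path with realpath() for the base-directory check. The base directory and the input strings are constructed placeholders for the example.

```php
<?php
// Added example (not from the original thread). Names and paths below are the
// example's own choices; '/var/www/uploads' is a constructed placeholder.

// 1. Output into an HTML page: encode rather than strip. ENT_QUOTES also
//    encodes single quotes, which matters inside attribute values.
function html_safe(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Filename supplied by the user: reject the prefixes and characters from the
//    reply, then confirm the resolved path still sits under the base directory.
//    The realpath() comparison catches cases a plain string test would miss.
function safe_path(string $baseDir, string $name): ?string
{
    if ($name === '' || preg_match('#^[a-z][a-z0-9+.-]*://#i', $name)) {
        return null;                       // "http://" or any other URL scheme
    }
    if (strpos($name, '..') !== false || preg_match('/[\'"\\x00]/', $name)) {
        return null;                       // parent-directory segments, quotes, NUL
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;                       // base missing, or file does not exist
    }
    // Base directory check: the resolved path must begin with "$base/".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// 3. Argument to a command-line program: escapeshellarg() wraps the value in
//    single quotes so < > | ' " reach the program literally instead of being
//    interpreted by the shell.
function grep_command(string $pattern, string $file): string
{
    return 'grep -F -- ' . escapeshellarg($pattern) . ' ' . escapeshellarg($file);
}

$input = "<b>it's</b> | rm -rf";          // constructed hostile-looking input

echo html_safe($input), "\n";
// &lt;b&gt;it&#039;s&lt;/b&gt; | rm -rf

var_dump(safe_path('/var/www/uploads', '../etc/passwd'));   // NULL
var_dump(safe_path('/var/www/uploads', 'http://host/x'));   // NULL
var_dump(safe_path('/var/www/uploads', 'report.txt'));      // full path if it exists

echo grep_command($input, 'notes.txt'), "\n";
// grep -F -- '<b>it'\''s</b> | rm -rf' 'notes.txt'
```

The point of keeping three separate functions is that the dangerous characters differ per context: stripping `\`, `/` and `.` from every input would break legitimate HTML text and still leave `|` live in a shell command, whereas encoding or quoting at the point of use handles each sink on its own terms.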

PHP General Mailing List (