PHP 5.1 - Externals

20 years ago by Binam — view source — reply

unread

I know that my opinion probably means diddly but my %2 is free. ;)

If I am understanding all of this right, if the raw varible contains
some shell code like "\x90\x90\x90\xab\xa3\x54\x77" and I do something
like $var = filter(GET,'foo',FILTER_NUMBER); $var would contain
something like " 90 90 90 3 54 77". That still isn't valid, I filtered
it for a number because that's what I am expecting. Valid values would
be something like "12345" or "123.456".

There are some cases where a filter would be nice. Like for a textarea
where a user might insert some HTML, <script> tags, etc. You could strip
out the tags, and accept the rest.

But if I am expecting a field to contain a number I am going to be
looking for an int or a float. If I am expecting a phone number I would
look for something that has a max length, a min length, must contain
numbers, and only limited set of alpha characters (-,+,.,<SP>).

I want to know TRUE or FALSE does this varible contain what I am expect
it to. If FALSE I don't care what is there, as far as I'm concerned it
isn't valid. I probably can't trust it even if it is "filtered". I am
going to return some kind of error, and request that they reenter the
data.

Jess

-----Original Message-----
From: Rasmus Lerdorf [mailto:rasmus@lerdorf.com]
Sent: Tuesday, February 01, 2005 5:55 PM
To: Nick Loeve
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] PHP 5.1

Nick Loeve wrote:

Rasmus Lerdorf wrote:

I don't actually see it as a per-script thing. Obviously the ini
would be per-dir Apache configurable, but I see this as being
something set across the board on a dedicated server that defines
the security policy of that server.

Isn't that something you can use mod_security for? I don't know of the

availability of that module on a standard host, but on a dedicated
server you could install it.

No, because we don't actually want to lose the raw data. We need to
save the raw data internally in PHP and make it available via the filter
function. So if a strict default ini filter is enabled you would have
something like this:

GET /script.php?foo=<xss hack>123 Hello</xss hack>

echo $_GET['foo'];

Would output: 123 Hello

echo filter(GET,'foo',FILTER_RAW);

Would output: <xss hack>123 Hello</xss hack>

echo filter(GET,'foo',FILTER_NUMBER);

Would output: 123

The extra spaces are intentional. Stripped characters are replaced with
a single space. So if you had: abc<font size=10>def You would end up
with: abc def

-Rasmus

--
To unsubscribe,
visit: http://www.php.net/unsub.php