[Tutor] cgi poison detection kit
Erik Price
erikprice@mac.com
Thu, 5 Sep 2002 11:17:10 -0400
On Wednesday, September 4, 2002, at 11:34 PM, Kirk Bailey wrote:
> But what is evil data?
>
I think that the concept of evil data really depends on the context.
For instance, in a home banking web application, the dollar sign might
be used -- do you really want to be sending error messages to users who
innocently prepended their input with a dollar sign?
It might be hard to write a "universal function" for this "sniffing"
task. But you could probably come up with some good general-purpose
functions and put them in a module. Some functions could be
moneyOnly()     # only allows digits, currency symbols, and an
                # appropriately-placed dot (use regular expressions
                # for this). Perhaps optional commas too.
datesOnly()     # only allows dates, in various formats such as
                # YYYY-MM-DD; MM/DD/YYYY; YYMMDD;
                # MM/DD/YY; Mon DD, YYYY etc
                # you could really get fancy and provide logic to
                # only accept dates within a range, specified by
                # arguments
htmlentities()  # There is a PHP function by this name that
                # automatically turns any HTML code into the
                # appropriate entity, which is good for discussion-
                # forum scripts, so that users can't plant things like
                # <img src="http://www.britneyspearsnaked.com/nude.jpg">
                # into your guestbook applications. Even though you might
                # appreciate such generosity.
Just some ideas.
Erik
--
Erik Price
email: erikprice@mac.com
jabber: erikprice@jabber.org
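The three validators sketched in the message, written out as an added Python example (not code from the original post): each is an allow-list check that returns a normalised value, or None when the input is rejected, and the HTML step uses the standard library's html.escape as the stand-in for PHP's htmlentities. The function names, accepted formats and currency symbols are this example's own assumptions.

```python
import html
import re
from datetime import date, datetime

# Allow-list validators in the spirit of moneyOnly / datesOnly / htmlentities.
# Each returns the normalised value, or None when the input is rejected.

# Optional leading currency symbol, digits with optional thousands commas,
# at most two decimals. Anything else (letters, extra dots, "12,34") fails.
_MONEY_RE = re.compile(r"^[$€£]?\s*(\d{1,3}(,\d{3})*|\d+)(\.\d{1,2})?$")


def money_only(text: str):
    """Return the amount as a float, or None if the input is not money-shaped."""
    s = text.strip()
    if not _MONEY_RE.match(s):
        return None
    return float(re.sub(r"[^\d.]", "", s))  # drop symbol, spaces and commas


# The formats listed in the message (assumed order of preference).
_DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%y%m%d", "%m/%d/%y", "%b %d, %Y")


def dates_only(text: str, earliest: date = None, latest: date = None):
    """Return a date parsed from one of _DATE_FORMATS, optionally restricted
    to the range [earliest, latest]; None if nothing matches or out of range."""
    s = text.strip()
    for fmt in _DATE_FORMATS:
        try:
            d = datetime.strptime(s, fmt).date()
        except ValueError:
            continue  # wrong shape, or an impossible date such as month 13
        if earliest is not None and d < earliest:
            return None
        if latest is not None and d > latest:
            return None
        return d
    return None


def html_entities(text: str) -> str:
    """Escape the characters that would let user input become markup,
    so a posted <img ...> tag is displayed literally instead of rendered."""
    return html.escape(text, quote=True)
```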