How To: White List Function

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Hello,

I have been searching google and these forums for information on how to create a white list and I haven't been able to find anything. Basically what I want to do is fill an array with allowed characters and then compare that to a string. If the string contains a character that is not in the array then the function will return false, thus invalidating the data. I'm really not sure what the best way to do this would be.

A good example of what I want to do is create a whitelist of the numbers 0 through 9. I want to give it a string like 993939d and have it return false. Any help would be appreciated.

Thank you.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

The best way would probably be regex, but another way is:

Code:

<?php
function checkString($inputString) {
  // Only strings are validated; an int would be coerced by strlen() and
  // then fail on the offset access, so reject it explicitly.
  if (!is_string($inputString)) {
    return false;
  }
  $whiteList = array('0','1','2','3','4','5','6','7','8','9');
  $length = strlen($inputString);
  // Note: an empty string never enters the loop and so returns true.
  for($i = 0; $i < $length; $i++) {
    // [] is the string offset syntax; the {} form was removed in PHP 8.
    // The third argument makes in_array() compare with === rather than ==.
    if(!in_array($inputString[$i], $whiteList, true)){
      return false;
    }
  }
  return true;
}

checkString("78387"); //true
checkString("999a36"); //false
checkString(43489); //false (checking Strings, not INTs)
?>
I believe there are some string functions that would make this faster.. but oh well.

Anywho, I'd just learn regex if I were you, this is pretty much what it's meant for ;)
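The "string functions that would make this faster" mentioned above are strspn() and strcspn(). The following is an added example, not code from the thread: it generalises the digit whitelist into a function that takes the allowed character set as a string, so the "only certain characters" case (a username with dots and underscores) is just another whitelist. The function name, the named constants and the sample inputs are all made up for this example; with declare(strict_types=1) an int argument raises a TypeError instead of being silently coerced.

```php
<?php
declare(strict_types=1);

/**
 * Return true only if every byte of $input is in $allowed.
 *
 * strspn() returns the length of the initial run of $input made up solely of
 * bytes from $allowed; if that run covers the whole string, nothing outside
 * the whitelist is present. $allowEmpty decides whether "" passes, since an
 * empty value is almost never what a form field is meant to carry.
 */
function matchesWhitelist(string $input, string $allowed, bool $allowEmpty = false): bool
{
    if ($input === '') {
        return $allowEmpty;
    }
    return strspn($input, $allowed) === strlen($input);
}

// A few named whitelists (assumed for this example). The username one is the
// "letters and digits plus a few extra characters" set that the plain ctype
// functions cannot express on their own.
const DIGITS   = '0123456789';
const USERNAME = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-';

// Constructed sample inputs and the verdict each should get.
$cases = [
    ['993939d',      DIGITS,   false],  // the example from the question
    ['78387',        DIGITS,   true],
    ['',             DIGITS,   false],  // empty is rejected by default
    ["123\n",        DIGITS,   false],  // a trailing newline is not a digit
    ['ben.jamin_01', USERNAME, true],
    ['ben jamin',    USERNAME, false],  // space is not whitelisted
    ["b\xC3\xA9n",   USERNAME, false],  // UTF-8 bytes outside the ASCII set
];

foreach ($cases as [$value, $allowed, $expected]) {
    $got = matchesWhitelist($value, $allowed);
    printf("%-16s %s\n", json_encode($value), $got === $expected ? 'ok' : 'MISMATCH');
}
```

Because strspn() works on bytes, a multibyte character is rejected unless every one of its bytes is listed, which is the safe default for identifiers; a whitelist that must admit non-ASCII letters is a job for a regex with the u modifier, not for this function.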
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Thank you for your help. I contemplated using regex but it seems a bit overwhelming and I didn't want to spend time learning it if it wasn't the best way to accomplish my goal. Always more to do but the function you wrote will work very well for me.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

ctype_digit()

It's easy, simple and fast. It even returns false if a string contains anything but numerical characters. ;)

Honestly before you mash through regex's the ctype functions offer a bit of basic functionality to detect - alphanumeric, alphabetic, numeric, printable-characters, hexadecimals, etc.
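ctype_digit() is the right primitive, but it has edges worth knowing before it guards an ID or quantity field. The block below is an added example (not from the post or from the PHP manual): a thin wrapper that insists on a string, run side by side with is_numeric() over a set of constructed inputs. The wrapper name and the inputs are assumptions for the example.

```php
<?php
declare(strict_types=1);

/**
 * Strict "is this an unsigned decimal integer" check.
 *
 * ctype_digit() is the right primitive, but two things need wrapping:
 *  - it only really accepts strings; an int argument used to be interpreted
 *    as an ASCII code (ctype_digit(53) was true because 53 is '5'), which
 *    PHP 8.1 deprecated. Requiring a string avoids that edge entirely.
 *  - it returns false for "", which is what we want here, but callers that
 *    build the value with (string) casts or trim() should know that.
 */
function isDigitString($value): bool
{
    return is_string($value) && ctype_digit($value);
}

// Constructed inputs showing where ctype_digit() and is_numeric() disagree.
// is_numeric() is the "looks like a PHP number" test, so it accepts signs,
// decimals, exponents and leading whitespace, none of which belong in an
// ID or a quantity field. ctype_digit() only accepts the bytes '0'..'9',
// so non-ASCII digits are rejected as well.
$inputs = ['42', '0042', '', '4 2', ' 42', '-1', '3.14', '1e3', '0x1A', '٤٢', 42];

foreach ($inputs as $v) {
    printf("%-12s ctype_digit=%-5s is_numeric=%s\n",
        var_export($v, true),
        isDigitString($v) ? 'true' : 'false',
        is_numeric($v) ? 'true' : 'false');
}
```

Run it and compare the two columns: everything that is not a plain run of ASCII digits fails the wrapper, while is_numeric() waves through the signed, fractional, exponent and space-padded forms. Pick the check that matches what the field is for, not the one that is most permissive.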
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Maugrim is correct. Using those is very easy, which decreases the chances of us making mistakes..

Code:

<?php
// Sample value to check (constructed); any user-supplied string goes here.
$string = 'abc123';

// Each ctype function takes a string and returns true only if every
// character belongs to the class. They all return false for "".
if ( ctype_alpha ($string) ) {
   // yoohoo i'm alphabetic
}
if ( ctype_alnum ($string) ) {
   // yes I'm letters and or numbers
}
if ( ctype_print ($string) ) {
  // i'm all printable!
}
// etc 
?>
And although I do not have a lot of experience, I do know that everything that prevents me from making silly mistakes is a good thing :)
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Great that is perfect!
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

Oi.. If I had known that you'd always want alpha, numeric, or both, I would have suggested ctype functions as well.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

d3ad1ysp0rk wrote:Oi.. If I had known that you'd always want alpha, numeric, or both, I would have suggested ctype functions as well.
I needed your help too. I am using the function you recommended to validate alphanumeric strings as well.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

agtlewis wrote:
d3ad1ysp0rk wrote:Oi.. If I had known that you'd always want alpha, numeric, or both, I would have suggested ctype functions as well.
I needed your help too. I am using the function you recommended to validate alphanumeric strings as well.
Unfortunately ctype is better for that too: http://us2.php.net/manual/en/function.ctype-alnum.php

Haha, the only thing mine has going for it is specifying only certain characters.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

the only thing mine has going for it is specifying only certain characters
Yes, the ctype function can sometimes be a bit too restrictive. For example, if you let someone pick a username or password, maybe you would like to be able to let them use some characters like dots, underscores etc as well.

Code:

<?php 
// Sample value to check (constructed); any user-supplied string goes here.
$testme = "some_user.name";

// \z anchors at the true end of the string; a plain $ also matches just
// before a trailing newline, so "/^...$/" would accept "name\n".
// The * lets an empty string pass; use + if empty must be rejected.
$pattern = '/^[-A-Z0-9\.\'"_ ]*\z/i';
if ( preg_match($pattern, $testme) ) {
  // yea i'm allowed
}
?>
btw, d11wtq wrote some excellent tutorials in the regex section about this
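The one thing that bites people writing whitelist regexes like the one above is the end anchor. In PCRE, $ matches at the end of the subject or just before a final newline, so a pattern anchored with ^...$ accepts "alice\n", and that newline then travels into whatever the value is used for. The following is an added example, not code from the post: the post's character class, once anchored with $ and once with \z, run over constructed inputs so the difference is visible. The constant names, the isAllowed() helper and the samples are assumptions for the example.

```php
<?php
declare(strict_types=1);

// The character class from the post above, anchored two ways.
// $ matches at the very end of the subject OR just before a final newline;
// \z matches only at the true end. (The D modifier makes $ behave like \z,
// but \z is explicit and needs no modifier.) The strict version also uses
// + instead of *, so an empty string no longer passes.
const LOOSE  = '/^[-A-Z0-9\.\'"_ ]*$/i';
const STRICT = '/^[-A-Z0-9\.\'"_ ]+\z/i';

function isAllowed(string $value, string $pattern): bool
{
    // preg_match() returns 1, 0, or false on error (for example invalid
    // UTF-8 when the u modifier is used); only an explicit 1 counts as a
    // pass, so an engine error can never be mistaken for "allowed".
    return preg_match($pattern, $value) === 1;
}

// Constructed samples: a normal name, a name with a trailing newline, the
// empty string, a name using the extra characters the class permits, a
// name with an embedded NUL byte, and a markup fragment.
$samples = ["alice", "alice\n", "", "O'Brien-Smith", "alice\x00", "<script>"];

foreach ($samples as $s) {
    printf("%-20s loose=%-5s strict=%s\n",
        json_encode($s),
        isAllowed($s, LOOSE) ? 'pass' : 'fail',
        isAllowed($s, STRICT) ? 'pass' : 'fail');
}
```

The two columns differ exactly on "alice\n" and on the empty string: the loose pattern passes both, the strict one rejects both. Everything the class does not list, including the NUL byte and the angle brackets, fails under either anchor, which is the point of a whitelist.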
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Ideally you should use the ctype functions for the most basic checks. Regular Expressions can then be used for exceptions to these standard types - for example usernames where space/hyphen/underscore are also valid would need a regex since it's an exception to what's covered by the ctype functions.

Email is another one - it's advised to use a liberal email regex (people can have weird email addresses not covered by many of the commonly recommended regular expressions).