I was wondering if there were any known holes in any of the following functions:
ctype_alnum()
ctype_alpha()
is_numeric()
I'm talking security holes in the sense that I am taking form data and using these functions to make sure that no malicious input was used, only characters which I expect. Potentially, can someone submit hex codes or some other encoding and get through these filters and have their malicious input injected into mysql or the page?
Thanks,
Shawn
security holes in a few php functions
shawngoldw (Forum Contributor)
superdezign (DevNet Master)
Re: security holes in a few php functions
Depends on what you do with the data after you check its validity with these functions. But if you are asking if these functions return false positives, then the answer is no.
Re: security holes in a few php functions
You must always properly escape what you put in a SQL query.
Do not rely on ANY validation functions. Validation is part of the business logic, the DB layer should escape.
These three may pass data that one would not normally (i.e. without having read the manual carefully) expect them to. The first two are locale dependent; they may return WHATEVER as valid. The third will validate things like 0xABCD, 1e36, 40.123, 0987, which may or may not be "numeric" according to the database layer.
In short, use this for validation (optional). Do not use them instead of escaping.
[quote=superdezign]But if you are asking if these functions return false positives, then the answer is no.[/quote]
While technically this is true (yes, the functions work as defined), the results are not consistent with what many programmers expect, and most importantly the results are not consistent with what the database expects!
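An added example (not code from the thread or from either poster) that makes the reply above concrete: it lists inputs is_numeric() accepts that an INT column would not store the way the programmer expects, shows ctype_alpha() changing its answer with the LC_CTYPE locale, and then writes the validated value through a PDO prepared statement so that the DB layer, not the validator, is what keeps the query safe (the thread says "escape"; binding a placeholder is the equivalent for prepared statements). Assumptions: PHP 7.4 or later with the pdo_sqlite extension, used here as a stand-in for MySQL; the input strings, the `items` table and the helper names `is_strict_int`, `ctype_alpha_in_locale` and `insert_qty` are constructed for this example. Note that is_numeric() stopped accepting hex strings such as 0xABCD in PHP 7.0, so that row behaves differently on the PHP 5 versions the thread was written against.

```php
<?php
declare(strict_types=1);

// Constructed form inputs. Comments record is_numeric() on PHP 7+;
// '0xABCD' was additionally accepted on PHP 5.
$inputs = [
    '42',        // is_numeric: true  -> fine
    '0987',      // is_numeric: true  -> leading zero, most DBs store 987
    '1e36',      // is_numeric: true  -> exponent form, overflows any INT column
    '40.123',    // is_numeric: true  -> float, silently rounded/truncated into INT
    ' 42',       // is_numeric: true  -> leading whitespace is allowed
    '0xABCD',    // is_numeric: false on PHP 7+, true on PHP 5
    '1 OR 1=1',  // is_numeric: false; shown because "numbers" often go unescaped
];

/**
 * Strict validator for a signed INT column: optional minus sign, ASCII digits,
 * no leading zeros, no whitespace, no exponent, no hex. The round trip through
 * (int) rejects values beyond PHP_INT_MAX, which the cast saturates.
 */
function is_strict_int(string $s): bool
{
    if (preg_match('/^-?(0|[1-9][0-9]*)$/', $s) !== 1) {
        return false;
    }
    return (string) (int) $s === $s;
}

/**
 * ctype_alpha() evaluated under a given LC_CTYPE locale, restoring the
 * previous locale afterwards. Returns null if the locale is not installed.
 */
function ctype_alpha_in_locale(string $locale, string $s): ?bool
{
    $previous = setlocale(LC_CTYPE, '0');   // '0' queries without changing
    if (setlocale(LC_CTYPE, $locale) === false) {
        return null;
    }
    $result = ctype_alpha($s);
    setlocale(LC_CTYPE, $previous);
    return $result;
}

/**
 * Business-logic validation first, then a bound parameter: even a value that
 * passed validation is never interpolated into the SQL text.
 */
function insert_qty(PDO $pdo, string $raw): bool
{
    if (!is_strict_int($raw)) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO items (qty) VALUES (:qty)');
    $stmt->bindValue(':qty', (int) $raw, PDO::PARAM_INT);
    return $stmt->execute();
}

// (a) what the built-in says versus what the column's domain actually is
printf("%-12s %-10s %-10s\n", 'input', 'is_numeric', 'strict_int');
foreach ($inputs as $in) {
    printf("%-12s %-10s %-10s\n", var_export($in, true),
        is_numeric($in) ? 'true' : 'false',
        is_strict_int($in) ? 'true' : 'false');
}

// (b) locale dependence: byte 0xE4 is "ä" in ISO-8859-1. Under the C locale
// it is not alphabetic; under a German single-byte locale it is. Which bytes
// pass ctype_alpha() therefore depends on the server environment.
$byte = "\xE4";
var_dump(ctype_alpha_in_locale('C', $byte));                // false
var_dump(ctype_alpha_in_locale('de_DE.ISO-8859-1', $byte)); // true if installed, else NULL

// (c) the DB layer does the quoting (here: binding), whatever validation did
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, qty INTEGER NOT NULL)');
foreach ($inputs as $in) {
    printf("insert %-12s => %s\n", var_export($in, true),
        insert_qty($pdo, $in) ? 'stored' : 'rejected');
}
```

The point of the table is the gap between the two columns: is_numeric() answers "could PHP turn this into a number", not "does this fit the column I am about to write it into". The regex in is_strict_int() is one way to close that gap for a plain integer column; filter_var() with FILTER_VALIDATE_INT is another, but note it trims surrounding whitespace, so it would still accept the ' 42' row.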
shawngoldw (Forum Contributor)
Re: security holes in a few php functions
Thanks, I was really asking about false positives, but as usual Mordred's input is useful.