[raydawg]

http://www.hotscripts.com/forums/lou...ly-simple.html

ok i found this data santizing script by EndUser but i can for the life of me figure out how to send PM's on this forum....so anyways!!

when i try to use it do something simple like this

Code:

echo sanitize(4,0,"testing");

and this is my result

Code:

tes;tin;g

im not sure what the problem is. the 4 should allow all alpha characters, 0 for no length requirements. is there an updated version of this script floating around, mabye the one i grabbed is bugged?

thanks
-Ray

[wirehopper]

I ran it, both on the command line and through a browser, and it displayed "testing" - correctly.

Might be a character encoding issue?

Also - check your version of the sanitize code for line breaks that shouldn't be there.

[raydawg]

thank you for your response. after digging around in the code i found this exact line is the one thats causing the issues

Code:

// URL Decode
// Just in case stuff like this is submitted:
// <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
// Note: Normally urldecode() would be easier but it removes plus signs
    $data = preg_replace("/([a-z0-9]{3})/i", "&#x\\1;", $data);

if i comment out that line everything works fine.

there is a line right before that almost identical that does this

Code:

$data = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $data);

and that works, its just that first one that screws everything up. and honestly im not familiar enough with what he is trying to accomplish to really debug that. any ideas?

[wirehopper]

PHP Code:

preg_replace("/([a-z0-9]{3})/i", "&#x\\1;", $data); 

Would replace all sequences of 3 or more lowercase letters and numbers with &#x(sequence);

For example:

testing would become tes;tin;g

If you put the % in, then only those strings that begin with % will match and function as the comment describes.

This is the code I have:


// URL Decode
// Just in case stuff like this is submitted:
// <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google </a>
// Note: Normally urldecode() would be easier but it removes plus signs
$data = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $data);
$data = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $data);


As I posted this, I can see what happened. The php, code, and quote tags stripped out the %u0 - probably as part of their sanitize processing.

[phpdoctor]

Lol i had this problem too.
Thanks wirehooper for the fix

[raydawg]

awesome thanks it works

[End User]

Quote:

Originally Posted by wirehopper

As I posted this, I can see what happened. The php, code, and quote tags stripped out the %u0 - probably as part of their sanitize processing.

Yep- posting it to the board apparently mangled it a little bit. I didn't notice that when I posted the code. That puzzled me for a bit, since I use the script extensively and have never seen the problem mentioned in this thread.

Note: I can't take full credit for the script- some of it was borrowed from a Code Ignitor module, some of it I added, expanded, or refined myself. In any case, I hope it works for you.

[wirehopper]

I think the issue is related to the new skin on the forum, because I copied the code from the forum a few months ago.

[End User]

In my opinion, sanitizing input data is the single most important thing you can do when writing a web app these days. The hackers have gotten extremely aggressive, very crafty, and they let bots do most of their dirty work so they run 24/7, searching for forms to exploit.

If you don't sanitize your input data, you WILL be hacked. It's no longer a question of "if", it's a question of "when". The bots neither know nor care whether your site is big or small, busy or not, or what it does. It doesn't matter to them. All they want is to compromise your site so they can use your server as a platform for spamming, storing warez/kiddie porn, and/or using it as a source to infect visitor's browsers.

[End User]

Quote:

Originally Posted by wirehopper

I think the issue is related to the new skin on the forum, because I copied the code from the forum a few months ago.

Ahh, well, that could be why I didn't notice it, lol.