UTF8
Decodes utf-8 encoding which is used to bypass filters. (OWASP A1)
Boolean Check Function
If all we want to do is test a string instead of changing it and return a boolean, we use the check() function. check() has the same syntax as sanitize.
PHP: <?php
include('sanitize.inc.php');
$Test = "' OR ''"; //SQL injection attempt
$Flags = SQL //SQL sanitization flag
if(check($Test, SQL)){ //Is $Test sanitized?
echo 'yes';} //Yeah it is
else echo 'no'; //No it isn't
?>
The if statement receives a boolean value from the check() function, if $Test is sanitized or not. $Test is not sanitized, and will echo “no”.
Combining Filters
In the source of the OWASP file, is the following set of lines:
PHP:
define("PARANOID", 1);
define("SQL", 2);
define("SYSTEM", 4);
define("HTML", 8);
define("INT", 16);
define("FLOAT", 32);
define("LDAP", 64);
define("UTF8", 128);
If you were to replace PARANOID with 1 in the sanitize function, you would get the same results. To combine filters, we can add them together.
PHP: <?php
include('sanitize.inc.php');
$Test = "<script>' or ''</script>";//XSS and injection attack
$Flags = HTML + SQL; //Add 2 filters to sanitization
//PARANOID, SQL, SYSTEM, HTML, INT, FLOAT, LDAP, UTF8
echo sanitize($Test, $Flags);
?>
This will return “<script>’ or ”</script>”, which will not be interpreted but will render as “<script>’ or ”</script> “. It is now “safe” to query a database with that variable, and also display it to the screen.
These filters take a large chunk of the sanization work out for you, but there is still the issue of string length. With PHP, the substr function will take care of that. These filters are hardly a end-all solution, but they provide a good drop-in solution that will be strengthened by other developers. Good luck and safe filtering!
This article originally appeared on AntiOnline.com.
