PHP Filtering with OWASP Page 2

By Ryan McGeehan
on June 28, 2006


Decodes utf-8 encoding which is used to bypass filters. (OWASP A1)
Boolean Check Function
If we only want to test a string rather than change it, we use the check() function, which returns a boolean. check() has the same syntax as sanitize().
PHP:

    <?php
    $Test = "' OR ''";  // SQL injection attempt
    $Flags = SQL;       // SQL sanitization flag

    if (check($Test, $Flags)) {  // Is $Test already sanitized?
        echo 'yes';              // Yes, it is
    } else {
        echo 'no';               // No, it isn't
    }

The if statement receives a boolean from check() that says whether $Test is already sanitized. Here $Test is not sanitized, so the script echoes “no”.

Combining Filters

The source of the OWASP file contains the following set of lines:
    define("PARANOID", 1);
    define("SQL", 2);
    define("SYSTEM", 4);
    define("HTML", 8);
    define("INT", 16);
    define("FLOAT", 32);
    define("LDAP", 64);
    define("UTF8", 128);
If you were to replace PARANOID with 1 in the sanitize function, you would get the same results. To combine filters, we can add them together.
PHP:

    <?php
    $Test = "<script>' or ''</script>"; // XSS and injection attack
    $Flags = HTML + SQL;                // Add 2 filters to sanitization

    echo sanitize($Test, $Flags);

This will return “&ltscript>’ or ”</script>”, which will not be interpreted but will render as “<script>’ or ”</script>”. It is now “safe” to query a database with that variable, and also display it to the screen.
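The flag values listed above are powers of two, so a combined value is a bitmask. The following is an added example, not code from the OWASP filter file: the helpers flag_names() and combine_flags() are hypothetical names introduced here, and the example shows why combining with bitwise OR is more robust than addition when the same flag can arrive twice.

```php
<?php
// Added illustration, not the OWASP filter source.
// Flag values copied from the listing on this page.
define("PARANOID", 1);
define("SQL", 2);
define("SYSTEM", 4);
define("HTML", 8);
define("INT", 16);
define("FLOAT", 32);
define("LDAP", 64);
define("UTF8", 128);

const FLAG_NAMES = ["PARANOID", "SQL", "SYSTEM", "HTML", "INT", "FLOAT", "LDAP", "UTF8"];

// Hypothetical helper: names of the filters selected by a combined value.
function flag_names(int $mask): array
{
    $selected = [];
    foreach (FLAG_NAMES as $name) {
        if (($mask & constant($name)) !== 0) {   // test one bit at a time
            $selected[] = $name;
        }
    }
    return $selected;
}

// Hypothetical helper: combine flags with bitwise OR, rejecting unknown values.
function combine_flags(int ...$flags): int
{
    $mask = 0;
    foreach ($flags as $flag) {
        if (!in_array($flag, array_map('constant', FLAG_NAMES), true)) {
            throw new InvalidArgumentException("not a single filter flag: $flag");
        }
        $mask |= $flag;   // OR is idempotent: repeating a flag changes nothing
    }
    return $mask;
}

// Distinct flags: addition and OR select the same filters.
echo implode(", ", flag_names(HTML + SQL)), PHP_EOL;
echo implode(", ", flag_names(combine_flags(HTML, SQL))), PHP_EOL;

// The same flag contributed twice (say, a default plus a caller option):
// SQL + SQL equals 4, which is SYSTEM, so SQL filtering is silently dropped.
echo implode(", ", flag_names(SQL + SQL)), PHP_EOL;
echo implode(", ", flag_names(combine_flags(SQL, SQL))), PHP_EOL;
```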
These filters take a large chunk of the sanitization work off your hands, but there is still the issue of string length. With PHP, the substr function will take care of that. These filters are hardly an end-all solution, but they provide a good drop-in solution that will be strengthened by other developers. Good luck and safe filtering!
This article originally appeared on AntiOnline.com.