Checking my cleansing code...

Callan S.
Posts: 2042
Joined: Sun Jan 24, 2010 5:43 am


Post by Callan S. »

I've put up a version of this cleansing method before - I know people don't think it's efficient. But today I'm asking if any of the characters I'm letting through are security issue characters?

Code:

<?php
$stringtoclean="/fdsHHH f3434!!!thing.?!//'''''";


$cleanstring="";
$stringtoclean=str_replace("'","`",$stringtoclean); // cleansing it of talking marks( ' ), which screw up the database
$stringtoclean=str_replace(chr(34),"`",$stringtoclean); // same again for double talking marks( " ) - in both cases making it into a ( ` ) character
for ($loop=0;$loop<strlen($stringtoclean);$loop+=1) // valid offsets are 0 .. strlen-1; using <= read one character past the end
    {
    $sample=substr($stringtoclean, $loop, 1);
    $sampleord=ord($sample);

    if ($sampleord>=32 && $sampleord<=57) $cleanstring.=$sample; // space,!,#,$,%,&,(,),*,+,comma,-,.,/ and Numbers ( ' and " are in this range too, but were replaced above)
    if ($sampleord>=65 && $sampleord<=90) $cleanstring.=$sample; // Capital letters
    if ($sampleord>=97 && $sampleord<=122) $cleanstring.=$sample; // Lower case letters
    if ($sampleord==96) $cleanstring.=$sample; // allow ( ` ) through
    if ($sampleord>=58 && $sampleord<=59) $cleanstring.=$sample; // allow : and ; through, for smiley use!
    }

echo $cleanstring;
?>
Fight Cycle : My latest Browser game WIP
Driftwurld : My Browser Game WIP
Philosopher Gamer : My Blog
Xaleph
Posts: 897
Joined: Mon Feb 07, 2011 2:55 am

Re: Checking my cleansing code...

Post by Xaleph »

I'm not sure what the point of the cleansing is, to be honest. What I mean is, content should be content. Why bother cleaning up someone else's mess? If someone actually wants to post that stuff, let them. If there are no dangerous characters in the string, I wouldn't bother trying to clean the string. And yes, it's quite heavy. I believe substr() takes more than 18 cycles to run. That's quite a lot, and you are running this for every character. Imagine running this on a text of over 1000 characters.
Callan S.
Posts: 2042
Joined: Sun Jan 24, 2010 5:43 am

Re: Checking my cleansing code...

Post by Callan S. »

Xaleph wrote: If there are no dangerous characters in the string, I wouldn't bother trying to clean the string.
I don't understand what you mean here?

Anyway, maximum post length is 250 and I've built in a small flood control where I can set the number of seconds before you can post again. Probably going to set it to five seconds.

I'm not even sure of all the bad characters - if I were I'd just string replace them. Single talking mark, double talking mark, forward slash...what are the others?
Torniquet
Posts: 869
Joined: Sun Aug 02, 2009 6:18 am

Re: Checking my cleansing code...

Post by Torniquet »

Question -

Why won't htmlspecialchars() do?

Then decode them before they are output with htmlspecialchars_decode().

By what I can see, it seems to do the same thing.

Maybe I am missing something?
New Site Coming Soon! Stay tuned :D
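An added example (not Callan S.'s code, nor Torniquet's) of the approach being suggested here: keep the post text as typed, let a prepared statement deal with the quotes that "screw up the database", and call htmlspecialchars() only at the moment the text is rendered. It assumes PDO with the sqlite driver; the table, the 250-character limit from the thread and the sample post are constructed for the example.

```php
<?php
// Added example: store raw text safely, escape only on output.
// Assumes the PDO sqlite driver is available; table and sample are constructed here.

const MAX_POST_LENGTH = 250; // the post length limit mentioned in the thread

function storePost(PDO $db, string $text): int
{
    // Enforce the length limit on the raw text; no character is altered or dropped.
    if (mb_strlen($text) > MAX_POST_LENGTH) {
        throw new InvalidArgumentException('post too long');
    }
    // The bound placeholder keeps ' " ` and / from ever being parsed as SQL,
    // so there is nothing to strip before the INSERT.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
    return (int) $db->lastInsertId();
}

function renderPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = (string) $stmt->fetchColumn();
    // Escaping happens here, at output: < > & " ' become entities, so whatever
    // the user typed is shown as text rather than interpreted as markup.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

// Constructed sample: the string from the original post, plus an HTML tag.
$sample = "/fdsHHH f3434!!!thing.?!//''''' <b>not bold</b>";
$id = storePost($db, $sample);

// The quotes survive storage untouched; the tag is rendered as literal text.
echo renderPost($db, $id), PHP_EOL;
```

Note that the decoding step in the suggestion above is not needed in this flow: the stored text is never encoded, so there is nothing to undo before output.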
Callan S.
Posts: 2042
Joined: Sun Jan 24, 2010 5:43 am

Re: Checking my cleansing code...

Post by Callan S. »

Well, because I don't really understand what that does and the nuances of it. That's conceding my security to the unknown, basically. I'm looking at the pages for it right now, but it's still raising question marks for me. Maybe in future I'll find out more and find it matches my security needs, or maybe I'll find it's flawed for that purpose.
Fight Cycle : My latest Browser game WIP
Driftwurld : My Browser Game WIP
Philosopher Gamer : My Blog