PHP sanitization burps?

  • Twayne

    PHP sanitization burps?

    XP Pro SP3 and PHP 5.2.5

    Probably a silly question, and admittedly rather minor, but ... I seem
    to be getting inconsistent sandbox results. Usually, it's common to
    modify a var by referencing it to itself; e.g. 'n=n+1' , '$var=$var &&
    "this" ', etc.
    ==============
    Is it legal to use the following PHP line ($string is the operative
    object here)?

    $string = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) for
    instance?
    or must I use something like:

    $stringA = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) ?
    and then work with $stringA thereafter?
    ==============
    It seems to work OK and then at the odd times it doesn't. I'm using an
    Apache local server for this testing and feeding it either by a manually
    typed localhost or 127. ... URL or letting NotePadPro throw it to the
    server; either way gets the same results.

    Looking for verification, I went out and looked at a bunch of tuts,
    phpnet, w3, etc, and they never use a variable to operate on itself like
    that in any of their stubs and examples, but ... at the same time I
    can't find anything saying I can not do so there nor on any of the
    Google finds I've looked at.

    Is it a case of it's "just me" that something like
    $string = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) for
    instance
    seems to fail at the odd times but works most of the time?
    Or, am I chasing a wild goose and it's going to be caused by
    something else entirely?
    Oh, and whether or not I use Flags doesn't seem to matter.

    I've restarted the machine once (warm boot) without anything changing.
    I've stopped and restarted the server and editors, browsers, etc., all
    to no avail; I still get the off failure happening unpredictably. I do
    have error reporting on, ALL, and messages too, plus added
    "ini_set('display_errors', 1);" recently, just for good measure.

    Any clarification/verification/whatever would be most appreciated if you
    have any knowledge of my predicament. Basically what I'm doing is
    upgrading from PHP 4 to 5 and trying to use some of the new functions it
    provides. It's not exactly the end of the world but it's annoying as
    hell and means something somewhere isn't doing what it's supposed to do,
    so it definitely needs investigation IMO.

    Thanks much,

    Twayne



  • Álvaro G. Vicario

    #2
    Re: PHP sanitization burps?

    Twayne wrote:
    Is it legal to use the following PHP line ($string is the operative
    object here)?
    >
    $string = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) for
    instance?
    As far as I know, filter_var() is a function like any other; it doesn't
    have anything magical or special. The only drawback I can think of is
    that the function "Returns the filtered data, or FALSE if the filter
    fails", so in case of failure you lose your data.

    or must I use something like:
    >
    $stringA = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) ?
    and then work with $stringA thereafter?
    Do you need later the original value of $string?
    ==============
    It seems to work OK and then at the odd times it doesn't. I'm using an
    Apache local server for this testing and feeding it either by a manually
    typed localhost or 127. ... URL or letting NotePadPro throw it to the
    server; either way gets the same results.
    The concept of throwing a file to the server is new to me xD

    When you say "doesn't work", do you mean that filter_var() returns a
    boolean FALSE? Do you get different output with the same input?


    --
    -- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
    -- My site about web programming: http://bits.demogracia.com
    -- My humor site (cooked bain-marie style): http://www.demogracia.com
    --
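The point Álvaro makes above is that `$string = filter_var($string, ...)` is an ordinary assignment, but the one-variable form throws away the input when the filter returns FALSE. The following is an added example (not code from the thread) showing the in-place form, a strict FALSE check, and a variant that keeps the untouched value for a later session comparison. It assumes PHP 7.1 or later for the type declarations; the filter calls themselves exist since PHP 5.2, and the sample strings are constructed.

```php
<?php
// Added example, not code from the thread. Shows that assigning filter_var()'s
// result back to the same variable is an ordinary assignment, how to keep the
// original value, and why a strict FALSE check matters. Assumes PHP 7.1+;
// the sample strings are constructed.

/**
 * Sanitize $raw, returning null instead of FALSE on filter failure so the
 * caller cannot mistake a failed filter for a legitimate (empty) value.
 */
function sanitizeSpecialChars(string $raw): ?string
{
    $clean = filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
    // filter_var() returns FALSE on failure; === false keeps '' and '0' distinct from failure
    return $clean === false ? null : $clean;
}

/**
 * Sanitize in place while retaining the untouched input, e.g. for a later
 * session comparison. Returns [original, sanitized-or-null].
 */
function sanitizeKeepingOriginal(string $string): array
{
    $original = $string;
    $string = sanitizeSpecialChars($string); // same variable on both sides: fine
    return [$original, $string];
}

// Constructed inputs
$samples = [
    'plain text',
    '<script>alert(1)</script>',
    "Tom & Jerry's \"quotes\"",
];

foreach ($samples as $raw) {
    [$original, $clean] = sanitizeKeepingOriginal($raw);
    printf("original:  %s\nsanitized: %s\n", $original, $clean ?? '(filter failed)');
    // Caveat: re-filtering already-sanitized text double-encodes the entities
    // (&#60; becomes &#38;#60;), which matters if the sanitized value is fed
    // back into a prefilled form and submitted again.
    printf("twice:     %s\n\n", sanitizeSpecialChars((string) $clean));
}
```

The `twice:` line is worth watching when a form is prefilled with earlier output, as described later in this thread: a value that has already been sanitized and is then submitted and filtered again comes back double-encoded, which can look like the filter "did something odd" when it is simply being applied twice.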


    • Curtis

      #3
      Re: PHP sanitization burps?

      On Fri, 07 Nov 2008 02:47:52 GMT, nobody@devnull.spamcop.net wrote:
      XP Pro SP3 and PHP 5.2.5
      >
      Probably a silly question, and admittedly rather minor, but ... I seem
      to be getting inconsistent sandbox results. Usually, it's common to
      modify a var by referencing it to itself; e.g. 'n=n+1' , '$var=$var &&
      "this" ', etc.
      ==============
      Is it legal to use the following PHP line ($string is the operative
      object here)?
      >
      $string = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) for
      instance?
      or must I use something like:
      >
      $stringA = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) ?
      and then work with $stringA thereafter?
      ==============
      Both are valid assignments, although your posted statements lack a
      semi-colon. I'll assume that isn't the problem. :P
      It seems to work OK and then at the odd times it doesn't.
      What does that mean? Can you explain exactly how it doesn't work?

      [snip]
      Is it a case of it's "just me" that something like
      $string = filter_var($str ing, FILTER_SANITIZE _SPECIAL_CHARS) for
      instance
      seems to fail at the odd times but works most of the time?
      [snip]

      So, at times, you don't get any output? Please be more specific
      about what behavior does not meet your expectations.
      --
      Curtis
      $email = str_replace('sig.invalid', 'gmail.com', $from);


      • Twayne

        #4
        Re: PHP sanitization burps?

        Twayne wrote:
        >Is it legal to use the following PHP line ($string is the operative
        >object here)?
        >>
        >$string = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) for
        >instance?
        >
        As far as I know, filter_var() is a function like any other; it
        doesn't have anything magical or special. The only drawback I can
        think of is that the function "Returns the filtered data, or FALSE if
        the filter fails", so in case of failure you lose your data.
        >
        >
        >or must I use something like:
        >>
        >$stringA = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) ?
        >and then work with $stringA thereafter?
        >
        Do you need later the original value of $string?
        Yes. I store some of them as session variables for a later confirmation
        comparison.
        >
        >==============
        >It seems to work OK and then at the odd times it doesn't. I'm using
        >an Apache local server for this testing and feeding it either by a
        >manually typed localhost or 127. ... URL or letting NotePadPro
        >throw it to the server; either way gets the same results.
        >
        The concept of throwing a file to the server is new to me xD
        lol, sorry, I just mean feeding the URL to my local server
        (localhost... ).
        >
        When you say "doesn't work", do you mean that filter_var() returns a
        boolean FALSE? Do you get different output with the same input?
        Yes. To make running the form easier, I have prefilled it with data so
        I don't have to keep entering or clicking it back into existence each
        time the form paints so all I have to do is click the Submit to run that
        code. Where I'm expecting foo I'll get back the original 'foo'
        just once in awhile. Maybe once in 10 or 20 times; it varies.
        I turned power to the PC off overnight, thinking a cold boot this am
        might help something. At first I thought it did and just as I was about
        to pronounce it gone, it happened again.
        I'll probably rewrite the whole page later today to see if that makes
        any difference; I guess it could be a corrupted file, but ... it's so
        inconsistent I don't know ... ?


        Regards,

        Twayne
        >
        >
        --
        -- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
        -- My site about web programming: http://bits.demogracia.com
        -- My humor site (cooked bain-marie style): http://www.demogracia.com



        • Twayne

          #5
          Re: PHP sanitization burps?

          Curtis said:
          On Fri, 07 Nov 2008 02:47:52 GMT, nobody@devnull.spamcop.net wrote:
          > XP Pro SP3 and PHP 5.2.5
          >>
          >Probably a silly question, and admittedly rather minor, but ... I
          >seem to be getting inconsistent sandbox results. Usually, it's
          >common to modify a var by referencing it to itself; e.g. 'n=n+1' ,
          >'$var=$var && "this" ', etc.
          >==============
          >Is it legal to use the following PHP line ($string is the operative
          >object here)?
          >>
          >$string = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) for
          >instance?
          >or must I use something like:
          >>
          >$stringA = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) ?
          >and then work with $stringA thereafter?
          >==============
          >
          Both are valid assignments, although your posted statements lack a
          semi-colon. I'll assume that isn't the problem. :P
          Thanks, that's the clarification I was looking for. No, it's not the
          semi-colons; I wish it was! Looks like I overtyped them with the
          question marks etc. here. Dunno why I did that.
          >
          >It seems to work OK and then at the odd times it doesn't.
          >
          What does that mean? Can you explain exactly how it doesn't work?
          It passes the variable unsanitized. A <script say will come
          thru unchanged or a special character will not be stripped, things like
          that. It's not returning False, it's just not doing the filtering
          intermittently and not very often for the same data, which is now
          prefilled into the form to speed things up.

          Based on your clarification above, about all that's left is file
          corruption of some sort but darned if I know why it's so intermittent.
          I think when I get more time (and coffee in me) I'll rewrite that whole
          section from scratch, a validate & sanitize at a time and see what
          happens. If it's still a problem then I'll upload it to my remote
          server and see what happens there. I've been afraid to do that in case
          it hides the problem, but at least I'll have some concrete data to work
          with if it comes back.

          Oh; should have mentioned I'm no PHP expert by any means; I think I'd be
          considered more a neophyte as I don't have a lot of experience yet.
          Also, I've preloaded all the form data to make it faster & easier to
          work with it. The testing is driving me nuts!

          Thanks Curtis,

          Twayne
          >
          [snip]
          >Is it a case of it's "just me" that something like
          >$string = filter_var($str ing, FILTER_SANITIZE _SPECIAL_CHARS) for
          >instance
          >seems to fail at the odd times but works most of the time?
          [snip]
          >
          So, at times, you don't get any output? Please be more specific
          about what behavior does not meet your expectations.



          • Curtis

            #6
            Re: PHP sanitization burps?

            On Fri, 07 Nov 2008 16:06:58 GMT, nobody@devnull.spamcop.net wrote:
            Curtis said:
            >
            On Fri, 07 Nov 2008 02:47:52 GMT, nobody@devnull.spamcop.net wrote:
            XP Pro SP3 and PHP 5.2.5
            >
            Probably a silly question, and admittedly rather minor, but ... I
            seem to be getting inconsistent sandbox results. Usually, it's
            common to modify a var by referencing it to itself; e.g. 'n=n+1' ,
            '$var=$var && "this" ', etc.
            ==============
            Is it legal to use the following PHP line ($string is the operative
            object here)?
            >
            $string = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) for
            instance?
            or must I use something like:
            >
            $stringA = filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) ?
            and then work with $stringA thereafter?
            ==============
            Both are valid assignments, although your posted statements lack a
            semi-colon. I'll assume that isn't the problem. :P
            >
            Thanks, that's the clarification I was looking for. No, it's not the
            semi-colons; I wish it was! Looks like I overtyped them with the
            question marks etc. here. Dunno why I did that.
            >
            It seems to work OK and then at the odd times it doesn't.
            What does that mean? Can you explain exactly how it doesn't work?
            >
            It passes the variable unsanitized. A <script say will come
            thru unchanged or a special character will not be stripped, things like
            that. It's not returning False, it's just not doing the filtering
            intermittently and not very often for the same data, which is now
            prefilled into the form to speed things up.
            >
            Based on your clarification above, about all that's left is file
            corruption of some sort but darned if I know why it's so intermittent.
            I think when I get more time (and coffee in me) I'll rewrite that whole
            section from scratch, a validate & sanitize at a time and see what
            happens. If it's still a problem then I'll upload it to my remote
            server and see what happens there. I've been afraid to do that in case
            it hides the problem, but at least I'll have some concrete data to work
            with if it comes back.
            [snip]

            So you're using filter_var() for form data in your actual script? If
            so, you ought to be using filter_input(). Actually, I'm not sure of
            any benefit using filter_var() with FILTER_SANITIZE_SPECIAL_CHARS
            over htmlspecialchars() (maybe the options); this is just a guess,
            though.

            This still doesn't explain your problem, and I have yet to reproduce
            the behavior (PHP 5.2.6, Win32, Apache 2 module). Have you searched
            the PHP bug tracker?

            Here's a php.net example using filter_input:
            <?php
            $search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
            $search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
            echo "You have searched for $search_html.\n";
            echo "<a href='?search=$search_url'>Search again.</a>";
            ?>
            --
            Curtis
            $email = str_replace('sig.invalid', 'gmail.com', $from);
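Curtis raises two things above: reading form data through filter_input() rather than filtering a copied variable, and whether FILTER_SANITIZE_SPECIAL_CHARS buys anything over htmlspecialchars(). The block below is an added example, not code from the thread or from php.net, that puts the three encoders side by side on the same input, shows an offline equivalent of filter_input() using filter_var_array() on a constructed request array, and adds a small repeat-run check for the "sometimes `<script` passes through" symptom. It assumes PHP 7.1 or later; FILTER_SANITIZE_FULL_SPECIAL_CHARS needs PHP 5.3.3 or later. Field names and sample values are constructed; the filter_input() call is the same whether the source is INPUT_GET or INPUT_POST.

```php
<?php
// Added example (not from the thread or php.net): request sanitizing with
// filter_input() / filter_var_array(), compared with htmlspecialchars().
// Assumes PHP 7.1+; the field names and sample values below are constructed.

/**
 * Read one request field through the filter extension.
 * filter_input() reads the raw request data, so it is unaffected by later
 * edits to $_GET/$_POST; INPUT_GET and INPUT_POST are used the same way.
 * Returns null when the field is absent, or false when the filter fails.
 */
function readField(int $source, string $name)
{
    return filter_input($source, $name, FILTER_SANITIZE_SPECIAL_CHARS);
}

/**
 * Offline equivalent for a whole request array (e.g. a constructed $_POST):
 * every listed field is sanitized, missing fields come back as null.
 */
function sanitizeRequest(array $request, array $fields): array
{
    $definition = array_fill_keys($fields, FILTER_SANITIZE_SPECIAL_CHARS);
    return filter_var_array($request, $definition);
}

/**
 * Show how the three encoders differ on the same input.
 * FILTER_SANITIZE_SPECIAL_CHARS uses numeric entities (&#60;),
 * htmlspecialchars() uses named ones (&lt;), and
 * FILTER_SANITIZE_FULL_SPECIAL_CHARS matches htmlspecialchars(..., ENT_QUOTES).
 */
function compareEncoders(string $raw): array
{
    return [
        'special_chars'      => filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS),
        'htmlspecialchars'   => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'),
        'full_special_chars' => filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
    ];
}

/**
 * Repeat-run check for the "sometimes <script passes through" symptom:
 * filter the same input many times and confirm the output never contains
 * a raw <, > or " and is identical on every run.
 */
function filterIsConsistent(string $raw, int $runs = 100): bool
{
    $first = filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
    for ($i = 0; $i < $runs; $i++) {
        $out = filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
        if ($out !== $first || strpbrk($out, '<>"') !== false) {
            return false;
        }
    }
    return true;
}

// Constructed sample request, standing in for $_POST
$fakePost = [
    'search'  => '<script>alert("x")</script> & more',
    'comment' => "it's fine",
];

print_r(sanitizeRequest($fakePost, ['search', 'comment', 'missing']));
print_r(compareEncoders($fakePost['search']));
var_dump(filterIsConsistent($fakePost['search']));

// Under a web server the same field would be read straight from the request;
// on the command line there is no request, so this branch is skipped.
if (PHP_SAPI !== 'cli') {
    var_dump(readField(INPUT_POST, 'search'));
}
```

The practical difference between the encoders is only the entity form; all three neutralise `<`, `>`, `&` and quotes for HTML output. If filterIsConsistent() ever returned false on a given machine it would point at the PHP build or extension rather than the script, which is the kind of concrete evidence the bug tracker question above is asking for.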


            • Twayne

              #7
              Re: PHP sanitization burps?

              Curtis said:
              [snip]
              >
              So you're using filter_var() for form data in your actual script? If
              so, you ought to be using filter_input(). Actually, I'm not sure of
              any benefit using filter_var() with FILTER_SANITIZE_SPECIAL_CHARS
              over htmlspecialchars() (maybe the options); this is just a guess,
              though.
              >
              This still doesn't explain your problem, and I have yet to reproduce
              the behavior (PHP 5.2.6, Win32, Apache 2 module). Have you searched
              the PHP bug tracker?
              PHP 5.2.2 (Apache/2.2.8 (Win32)) here.
              >
              Here's a php.net example using filter_input:
              ><?php
              >$search_html = filter_input(INPUT_GET, 'search',
              >FILTER_SANITIZE_SPECIAL_CHARS); $search_url =
              >filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
              >echo "You have searched for $search_html.\n";
              >echo "<a href='?search=$search_url'>Search again.</a>";
              DAMN! It *seems* to be working now. And I have absolutely NO technical
              Idea why! The overnight AV scan came up with an unidentified "high"
              rated virus overnight, claiming it couldn't completely clean it or
              quarantine it and a manual link to follow for manual cleaning/reporting.
              I followed the instructions and when I came back to look at that alert
              again, it was gone! If that was on purpose, it's kind of rude not to
              let me know why it closed. Anyway, I'm rerunning the scans on that
              machine now but it's going to take a long time because I let it include
              the 2 500 Gig external drives in addition to the system drives which
              total around 600 Gig.

              Silly question, assuming the problem isn't actually gone: I'm running
              PHP 5.2.2 because that's what's on my remote server; seemed like the
              route to the least problems. I do have PHP 5.2.6 though, and could run
              it instead (on my local Apache server, that is).
              Would there be any benefit in temporarily running 5.2.6? I don't
              think so, but since you indicated it's what you're using I thought I'd
              ask.

              I've been meaning to learn filter_input() as a matter of fact, having
              only really discovered it since this problem arose. Thanks much for
              the code stub; it will help a lot in getting started.
              Another question: Everything I've ever read, and several others on
              the groups, have warned me away from _GETs. I recall there is a _POST
              also from my readings. In this context, I can't imagine a downside to
              it, but ... if I don't ask ... <g>.
              Does it matter whether GET or POST is used in this context?

              Many thanks Curtis, I appreciate your efforts. I'll be back one way or
              another.

              Regards,

              Twayne

