I have read many other questions regarding how to filter a string to "Alpha-numeric", but all of them suggest the preg_replace()
method.
According to OWASP:
Function preg_replace() should not be used with unsanitised user input, because the payload will be eval()’ed13.
preg_replace("/.*/e","system(’echo /etc/passwd’)");
Reflection also could have code injection flaws. Refer to the appropriate reflection documentations, since it is an advanced topic.
So now how do I achieve this without preg_replace?
$result = preg_replace("/[^a-zA-Z0-9]+/", "", $_POST['data']);
// Notice the $_POST['data']
There's no problem using preg_replace()
to filter user inputs. The OWASP advice you've quoted is talking about the pattern not being user input itself.
However, I'd say that using filtered inputs is a problem by itself - you should validate instead. As in, don't accept invalid inputs.
Example:
$result = ctype_alnum($_POST['data']) ? $_POST['data'] : null;
Well we had similar situation and we use the following:
if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str))
{
//do your stuff
}
You could go for something like this:
<?php
$unsafe_input = 'some"""\'t&%^$@!`hing~~ unsafe \':[]435^%$^%*$^#'; // input from user
$safe_input = ''; // final sanitized string
// we want to allow 0-9 A-Z and a-z
// merge and flip so that we can use isset() later
$allowed_chars = array_flip(array_merge(range(0, 9), range('A', 'Z'), range('a', 'z')));
// loop each byte of the string
for($i = 0; $i < strlen($unsafe_input); ++$i)
{
// isset() is lightyears faster than in_array()
if(isset($allowed_chars[$unsafe_input[$i]]))
{
// good, sanitized, data
$safe_input.= $unsafe_input[$i];
}
}
echo $safe_input;
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With