View Single Post
  #83  
Old 8th February 2006, 05:24
webstergd webstergd is offline
Member
 
Join Date: Dec 2005
Location: Washington, DC
Posts: 53
Thanks: 0
Thanked 0 Times in 0 Posts
Post

As far as rewriting escapeshellcmd goes, I think rewriting would be the best way to go. Escapeshellcmd's goal is to be a generic filter not an complete filter.

We could write one method or class that would take two variables. The first variable would be the user input variable, second variable would be what filter we would like to run. We would need to do a switch statement or if-else statements with a default method that returns a null value.

Code:
ispconfigVariableFilter(String $variable, int $checkMethod) {

if (checkMethod == 1)
    //filter method 1
    //check to see if $variable only contains [a-z][A-Z] 
    //if passes return $variable else return null
else if (checkMethod == 2)
    //filter method 2
    //check to see if $variable only contains [a-z][A-Z][0-9]
    //if passes return $variable else return null
...

else 
    return null;

}
This would make it easier to modify the filter if an exploit is found. Also, helps to keep security uniform.

As far as writing filters goes I am a strong believe of stating what a variable can contain verses what it cannot. I know I say this all the time...sorry.

I want to run this by a Black Hat(hacker) programmer and see what his opinion is also. I will post back hopefully soon.

Last edited by webstergd; 8th February 2006 at 22:03.
Reply With Quote