David Walsh Blog - MooTools Dojo jQuery David Walsh Blog

Whitelisting: You Set The Rules For Security

We all know what blacklisting is when it comes to strings: removing specified "bad" characters. While this helps to secure user input, it isn't as secure as whitelisting. Whitelisting is the process of saying "Let me tell you what you can give me" whereas blacklisting says "If I find this, I'll remove it."

A customer recently asked that I create a whitelisting function that allowed letters, digits, whitespace characters, periods, commas, and dashes. Any other characters were to be replaced with spaces.

The PHP

function make_valid($input) 
{ 
	return preg_replace('/[^A-Za-z0-9.,\(\)\s-]/',' ',$input); 
}

The above function uses preg_match() and a small regular expression to remove the rubbish characters.

Related David Walsh Posts

Simple Username Creation Validation with PHP
6 AJAX Rules To Live By
5 Rules For Using Audio/Video Media on Your Site
Generate Search Engine Friendly URLs with PHP Functions
Secure (SSL) Google Analytics

Written by David Walsh

Debuted on Tuesday, June 17, 2008.

Was this post helpful?

Comments

Matthias
Your way for whitelisting is quite nice. It’s like in Flash where you can specify exactly what characters are allowed by the user.
This method may work well as a common security filter that replaces get_magic_quotes_gpc(), strip_tags() and htmlentities().
Good work as usual!

Be Heard!

Share your thoughts without being a jerk! And wrap your code in <code> tags, f00!

Name*:
Email*:
Website: