Whitelisting: You Set The Rules For Security
We all know what blacklisting is when it comes to strings: removing specified "bad" characters. While this helps to secure user input, it isn't as secure as whitelisting. Whitelisting is the process of saying "Let me tell you what you can give me" whereas blacklisting says "If I find this, I'll remove it."
A customer recently asked that I create a whitelisting function that allowed letters, digits, whitespace characters, periods, commas, and dashes. Any other characters were to be replaced with spaces.
The PHP
function make_valid($input)
{
return preg_replace('/[^A-Za-z0-9.,\(\)\s-]/',' ',$input);
}
The above function uses preg_match() and a small regular expression to remove the rubbish characters.
![CSS @supports]()
Feature detection via JavaScript is a client side best practice and for all the right reasons, but unfortunately that same functionality hasn't been available within CSS. What we end up doing is repeating the same properties multiple times with each browser prefix. Yuck. Another thing we...
![Animating CSS3 Transforms with MooTools Fx]()
![Flexbox Equal Height Columns]()
Flexbox was supposed to be the pot of gold at the long, long rainbow of insufficient CSS layout techniques. And the only disappointment I've experienced with flexbox is that browser vendors took so long to implement it. I can't also claim to have pushed flexbox's limits, but...
![Shake Things Up Using jQuery UI’s Shake Effect]()
Yesterday I created a tutorial showing you how you can shake an element using Fx.Shake, a MooTools component written by Aaron Newton. It turns out that jQuery UI also has a shake effect which can draw attention to an element.
The XHTML
Exactly the same as...
Your way for whitelisting is quite nice. It’s like in Flash where you can specify exactly what characters are allowed by the user.
This method may work well as a common security filter that replaces get_magic_quotes_gpc(), strip_tags() and htmlentities().
Good work as usual!