Whitelisting: You Set The Rules For Security
We all know what blacklisting is when it comes to strings: removing specified "bad" characters. While this helps to secure user input, it isn't as secure as whitelisting. Whitelisting is the process of saying "Let me tell you what you can give me" whereas blacklisting says "If I find this, I'll remove it."
A customer recently asked that I create a whitelisting function that allowed letters, digits, whitespace characters, periods, commas, and dashes. Any other characters were to be replaced with spaces.
The PHP
function make_valid($input)
{
return preg_replace('/[^A-Za-z0-9.,\(\)\s-]/',' ',$input);
}
The above function uses preg_match() and a small regular expression to remove the rubbish characters.
![Convert XML to JSON with JavaScript]()
If you follow me on Twitter, you know that I've been working on a super top secret mobile application using Appcelerator Titanium. The experience has been great: using JavaScript to create easy to write, easy to test, native mobile apps has been fun. My...
![Responsive and Infinitely Scalable JS Animations]()
Back in late 2012 it was not easy to find open source projects using requestAnimationFrame() - this is the hook that allows Javascript code to synchronize with a web browser's native paint loop. Animations using this method can run at 60 fps and deliver fantastic...
![Downloadify: Client-Side File Generation Using JavaScript and Flash]()
The following tools is in its very beta stages and works intermittently. Its so damn useful that I had to show it off now though!
I recently stumbled upon Downloadify, a client-side file generation tool based on JavaScript and Flash ActionScript code. A...
![Table Cell and Position Absolute]()
If you follow me on Twitter, you saw me rage about trying to make position: absolute work within a TD element or display: table-cell element. Chrome? Check. Internet Explorer? Check. Firefox? Ugh, FML. I tinkered in the console...and cussed. I did some researched...and I...
Your way for whitelisting is quite nice. It’s like in Flash where you can specify exactly what characters are allowed by the user.
This method may work well as a common security filter that replaces get_magic_quotes_gpc(), strip_tags() and htmlentities().
Good work as usual!