Whitelisting: You Set The Rules For Security
We all know what blacklisting is when it comes to strings: removing specified "bad" characters. While this helps to secure user input, it isn't as secure as whitelisting. Whitelisting is the process of saying "Let me tell you what you can give me" whereas blacklisting says "If I find this, I'll remove it."
A customer recently asked that I create a whitelisting function that allowed letters, digits, whitespace characters, periods, commas, and dashes. Any other characters were to be replaced with spaces.
The PHP
function make_valid($input)
{
return preg_replace('/[^A-Za-z0-9.,\(\)\s-]/',' ',$input);
}
The above function uses preg_match() and a small regular expression to remove the rubbish characters.
![Camera and Video Control with HTML5]()
Client-side APIs on mobile and desktop devices are quickly providing the same APIs. Of course our mobile devices got access to some of these APIs first, but those APIs are slowly making their way to the desktop. One of those APIs is the getUserMedia API...
![9 More Mind-Blowing WebGL Demos]()
With Firefox OS, asm.js, and the push for browser performance improvements, canvas and WebGL technologies are opening a world of possibilities. I featured 9 Mind-Blowing Canvas Demos and then took it up a level with 9 Mind-Blowing WebGL Demos, but I want to outdo...
![CSS Selection Styling]()
The goal of CSS is to allow styling of content and structure within a web page. We all know that, right? As CSS revisions arrive, we're provided more opportunity to control. One of the little known styling option available within the browser is text selection styling.
![Page Peel Effect Using MooTools]()
Your way for whitelisting is quite nice. It’s like in Flash where you can specify exactly what characters are allowed by the user.
This method may work well as a common security filter that replaces get_magic_quotes_gpc(), strip_tags() and htmlentities().
Good work as usual!