It really depends on what you use the user input for.

If you are just storing it in a database and splashing it out to an HTML page
later, htmlspecialchars() is adequate protection.

If this is a filename, then checks for the prefix "http://" and '..' and
quotes in the file name, and a base directory check, are needed.

If you are running a command line program, then < > | ' " come to mind. This
is probably not complete. Read a few advisories. The Perl security stuff is
good as they are the most vulnerable :-)

Regards, John




"Kevin" <[EMAIL PROTECTED]> wrote in message
news:000d01c138d9$92245d80$503ffea9@kl...
> I think my question could be restated to: What characters are potentially
> lethal in user input.  I can do the regex.  But don't know what to parse
> out of the strings.
>
> would removing  \ /  .  do the trick?
>



-- 
PHP General Mailing List (http://www.php.net/)
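The three cases John lists (HTML output, a filename under a base directory, an argument to a command-line program) in working PHP, as an added example that is not part of the original thread or the poster's own code. Function names, the temporary base directory and the sample inputs are constructed for illustration. For the filename case it uses a realpath() containment check instead of a blacklist of ".." and quotes, which is the general form of the base directory check John mentions; for the shell case it uses escapeshellarg() rather than trying to enumerate the dangerous characters. htmlspecialchars() with ENT_QUOTES covers HTML body and quoted attribute context only, not JavaScript or URL contexts.

```php
<?php
// Added example, not code from the original mailing-list post.
// Demonstrates the three input-handling cases discussed in the thread.
// The base directory and sample inputs below are constructed for the demo.

declare(strict_types=1);

// Case 1: data stored and later echoed into an HTML page.
// Escape at output time; ENT_QUOTES also makes the value safe inside a
// single- or double-quoted attribute.
function htmlSafe(string $userInput): string
{
    return htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Case 2: a user-supplied filename that must stay inside $baseDir.
// Rather than blacklisting "..", quotes or "http://", resolve the path
// with realpath() and check the result is still under the base directory.
// Returns the resolved absolute path, or null if the name is not acceptable.
function safePathUnder(string $baseDir, string $userFile): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject anything that looks like a URL/stream wrapper (http://, ftp://,
    // php://, ...) before touching the filesystem; fopen() would follow it.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userFile)) {
        return null;
    }
    // Reject NUL bytes: the underlying C calls truncate at the first one.
    if (strpos($userFile, "\0") !== false) {
        return null;
    }
    // realpath() needs an existing file; a missing file is rejected too.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userFile);
    if ($resolved === false) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // directory such as "/data2" cannot pass for "/data".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Case 3: passing user input to a command-line program. Instead of trying to
// enumerate < > | ' " and the rest, let escapeshellarg() quote the whole
// value as a single argument. "--" stops grep treating the pattern as an option.
function buildGrepCommand(string $pattern, string $file): string
{
    return 'grep -- ' . escapeshellarg($pattern) . ' ' . escapeshellarg($file);
}

// Constructed sample inputs.
$samples = [
    'html'  => '<script>alert("x")</script>',
    'file'  => '../../etc/passwd',
    'shell' => "foo; rm -rf / | cat '",
];

echo htmlSafe($samples['html']), "\n";

// Constructed base directory with one legitimate file in it.
$tmpBase = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
if (!is_dir($tmpBase)) {
    mkdir($tmpBase);
}
file_put_contents($tmpBase . DIRECTORY_SEPARATOR . 'ok.txt', "hello\n");

var_dump(safePathUnder($tmpBase, 'ok.txt') !== null);   // legitimate file
var_dump(safePathUnder($tmpBase, $samples['file']));    // traversal attempt
var_dump(safePathUnder($tmpBase, 'http://evil/x.php')); // wrapper prefix

echo buildGrepCommand($samples['shell'], 'ok.txt'), "\n";
```

Run it from the command line with php; the traversal and wrapper inputs come back as NULL while ok.txt resolves to its absolute path. Note that the containment check only works for files that already exist; when the name is for a file that will be created, validate the parent directory the same way and restrict the basename to a safe character set.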