Hey guys you'll have to run this to see what I'm talking about, but I am getting either low or high control characters into my strings using the below code, I recommend running it through a bash terminal as this is how I am seeing glyph like characters.
To my knowledge this should be happening? How are these character escaping the filter?
#!/usr/bin/php
<?php
$i=0; while ($i++ <= 20)
echo 'STR: ' .filter_var(openssl_random_pseudo_bytes(100), FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH) . "
";
Example, I'm not sure if you can see the [] after the character sequence js*w but that is pretty much what I'm talking about, it was my opinion that it should have been filtered out with the rest of the high/low stuff
STR: <|f)/KZ2|36rb2<.9|X3 js*wjZ6Dp-f8R[/O/VY
FILTER_FLAG_STRIP_LOW: Strips characters that has a numerical value <32. FILTER_FLAG_STRIP_HIGH: Strips characters that has a numerical value >127.
ord("[") returns 91, and ord("]") returns 93 so they should not be filtered out