in reply to Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
in thread How Internet is a mess. (Playing with HTTPD)
While I can see the merit in this approach, there is a lot of redundancy with the potential for holes. It does of course offer more granularity but I'm not sure you really need this and the attendant overhead. The main issues are the null byte hack, shell metachars, multiencoding %hh so you don't actually properly check the string and the old ../.. chestnut. We are reasonably protected from buffer overflows but you can easily truncate the length if desired.
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
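
The checks listed in the post above (null byte, shell metacharacters, multi-encoded %hh, ../..) plus a length cap, combined into one request-path validator. This is an added example, not code from the thread; `safe_path`, `$DOCROOT`, `$MAX_LEN` and the sample requests are hypothetical, and over-long input is rejected here rather than truncated.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $DOCROOT = '/var/www/html';   # assumed document root (hypothetical)
my $MAX_LEN = 1024;              # assumed cap on request path length

# Returns the filesystem path to serve, or undef if the request is rejected.
sub safe_path {
    my ($raw) = @_;
    return unless defined $raw && length $raw;
    return if length($raw) > $MAX_LEN;          # over-long input

    # Decode %hh until the string stops changing, so a multi-encoded
    # %252e%252e is checked in its final form, not after a single pass.
    my $path = $raw;
    for my $round (1 .. 5) {
        (my $next = $path) =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        last if $next eq $path;
        return if $round == 5;                  # still encoded: reject
        $path = $next;
    }

    return if $path =~ /\0/;                    # null byte hack
    # Allowlist: shell metachars, control chars and stray '%' all fail here.
    return unless $path =~ m{\A/[A-Za-z0-9._/-]*\z};

    # Resolve "." and ".." lexically; refuse to climb above the root.
    my @out;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') { return unless @out; pop @out; next; }
        push @out, $seg;
    }
    return join '/', $DOCROOT, @out;
}

# Constructed sample requests (not from the original thread).
for my $req ('/index.html', '/a/../b.html', '/../etc/passwd',
             '/%2e%2e/%2e%2e/etc/passwd', '/%252e%252e/etc/passwd',
             '/page.html%00.jpg', '/cgi/x.pl;id', '/a|b') {
    my $p = safe_path($req);
    printf "%-28s => %s\n", $req, defined $p ? $p : 'REJECTED';
}
```

The `..` resolution is purely lexical, so symlinks under the document root are not followed or checked by this routine.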