This is a discussion on "Any security issues with preg_match and web form input ?" within the PHP General forums, part of the PHP Programming Forums category.
I accept a regex search term posted from a form, but I use $_REQUEST, so a
person could throw the search term on the url if they wanted to.

Am I open to any security breaches?

$search_term = isset ($_REQUEST ['search']) ? $_REQUEST ['search'] : '';
if ($search_term != "") {
  ....
  $contents = join ("", file($file));
  if (preg_match ("/$search_term/i", $contents)) {
  }
  ....
}

Thanks,
--
Richard A. DeVenezia
--- "Richard A. DeVenezia" <radevenz@ix.netcom.com> wrote:
> I accept a regex search term posted from a form, but I use $_REQUEST,
> so a person could throw the search term on the url if they wanted to.
>
> Am I open to any security breaches?
>
> $search_term = isset ($_REQUEST ['search']) ? $_REQUEST ['search'] : '';
> if ($search_term != "") {
> ...
> $contents = join ("", file($file));
> if (preg_match ("/$search_term/i", $contents)) {
> }
> ...
> }

Although I can't think of a specific vulnerability for this, it is a bad practice to directly use data from the client without validating it in any way prior.

Imagine that a random user can sit down at your desk and edit this script, except that he can only enter code where you have $search_term in your example above. Each time he makes a change, he executes this script to see the result. Now, imagine that he spends day after day trying to figure out something that he can use to compromise your script or cause it to misbehave in some way. Now imagine that there are thousands of people all doing this, day after day.

Would you feel comfortable allowing them to edit your code (even just this one part) and be able to test each change, or would you rather have a look at what they entered before running the script each time?

Hopefully you would rather make sure they entered something that looks like a valid regular expression. Your code can take this same approach.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
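
One way to apply the reply's suggestion of checking that the input looks like a valid regular expression before running it. This is an added example, not code from the thread; the helper names, the 100-character cap and the sample inputs are assumptions.

```php
<?php
// Added example; names, the length cap and the samples are assumptions.
const MAX_PATTERN_LENGTH = 100;

// Escape each unescaped "/" so the input stays inside the /.../i delimiters.
function escape_delimiter(string $term): string
{
    $out = '';
    $len = strlen($term);
    for ($i = 0; $i < $len; $i++) {
        $ch = $term[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            $out .= $ch . $term[++$i]; // copy an existing escape pair unchanged
        } elseif ($ch === '/') {
            $out .= '\\/';
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

// Returns the full pattern, or null when the input is rejected.
function build_search_pattern(string $term): ?string
{
    if ($term === '' || strlen($term) > MAX_PATTERN_LENGTH) {
        return null;
    }
    $pattern = '/' . escape_delimiter($term) . '/i';
    // preg_match() returns false (not 0) when the pattern does not compile.
    return @preg_match($pattern, '') === false ? null : $pattern;
}

// true = match, false = no match, null = rejected input or PCRE runtime error.
function safe_search(string $term, string $contents): ?bool
{
    $pattern = build_search_pattern($term);
    if ($pattern === null) {
        return null;
    }
    $result = @preg_match($pattern, $contents);
    return $result === false ? null : $result === 1;
}

// Constructed sample inputs.
foreach (['foo|bar', 'foo(', 'a/b'] as $term) {
    var_dump($term, safe_search($term, "A line with Foo and a/b in it"));
}
```

The null result is kept separate from false because a bare `if (preg_match(...))` treats a pattern that failed to compile or run the same as "no match".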