I am writing a script that will parse my PHP classes and check for things like coupling, visualize my objects and connections, dependencies, check for convention usage, etc. So, I have a simple file upload. I'm never saving the files, just get contents and dump the file and work with the string version. I'm writing it for me, but I figure I might want to open it for others to use in the future, so I may as well write it that way to begin with -- so I need to validate user input.

Problem is, the user input is supposed to be valid PHP code. I'm thinking that, as long as I'm careful, I shouldn't be executing any code contained in strings, but I'm no security expert and I want a warm fuzzy that my thought on this is correct. What kinds of things do I need to look out for? Is it possible to inject when working with strings? My initial thought is to regex the entire file and replace key portions with known replacements. So ( and ) would become !* and !^ or $ would become @~ (combinations that -- I think -- don't make sense to PHP?) But that may be completely unnecessary processing time if I'm not in any danger, here. Thanks ahead of time for any help.

PS - as a side question -- what's the best way to verify a file is a PHP file? I know of getimagesize for images, but should I just check for <? to verify it's PHP? That seems like it would be too easy to fool -- then again, it might not matter much.

-Adam
I have a form which contains a dynamic number of text fields that are intended for shoppers to input a positive number only. I separated the validation into a function. It is working well for me so far, but given that security is such a major concern I thought I would ask for comments from the forum. Here's the function:

    function validate($array) {
        if (count($array) > 0) {
            foreach ($array as $product) {
                // Reject the whole submission as soon as any one field fails
                if (!(is_numeric($product[0]) && $product[0] >= 0)) {
                    return false;
                }
            }
            // Every field passed
            return true;
        }
        // Nothing submitted
        return false;
    }

When the form is sent, the returning page does a little bit of its own configuring; functions relevant to the page itself and the user's context. Then the script checks to see if input was sent. Then it validates the data before attempting to use it. There are even checks further down in the script that continue to compare it as though it is numeric, and that it is greater than or equal to zero. Is this sufficient?
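An added example (not the poster's code) contrasting a first-row-only loop with a validator that checks every quantity field and uses FILTER_VALIDATE_INT instead of is_numeric(); the row shape [quantity] and the sample submissions are assumptions constructed to match the post.

```php
<?php
// Added example, not from the original post. Assumed input shape: an array of
// rows where $row[0] holds the quantity string, as the poster's loop implies.

// A loop that returns inside foreach inspects only the FIRST row; later rows
// are never examined. Kept here only to contrast with validate_all().
function validate_first_only(array $rows): bool {
    foreach ($rows as $product) {
        return is_numeric($product[0]) && $product[0] >= 0;
    }
    return false;
}

// Hardened version: every row must be a non-negative integer within a cap.
// FILTER_VALIDATE_INT rejects "1e3", "2.5", "0x1A" and "", all of which
// is_numeric() plus a loose ">= 0" comparison would accept for a quantity.
function validate_all(array $rows, int $max = 9999): bool {
    if (count($rows) === 0) {
        return false;
    }
    foreach ($rows as $product) {
        // Form fields arrive as strings; anything else is a malformed submission
        if (!is_array($product) || !isset($product[0]) || !is_string($product[0])) {
            return false;
        }
        $qty = filter_var($product[0], FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 0, 'max_range' => $max],
        ]);
        if ($qty === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample submissions (not real form data)
$ok      = [['3'], ['0'], ['12']];
$badLast = [['3'], ['0'], ['-1']];     // negative value hidden behind valid rows
$sneaky  = [['1e3'], ['2.5'], ['']];   // first two pass is_numeric()

var_dump(validate_first_only($badLast)); // misses the -1
var_dump(validate_all($badLast));
var_dump(validate_first_only($sneaky));
var_dump(validate_all($sneaky));
var_dump(validate_all($ok));
```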