LemonInflux Posted July 19, 2008 I'm in a situation where I get the user's desired page via a $_GET variable. The only problem is that, of course, this means that they could quite easily use directory traversal to view pages they shouldn't be able to. What I want is to check that the user's page doesn't contain anything but letters/numbers and a '.' in the middle, e.g. folder.file, but not folder.../file I've been looking at various sites, and I came to ([A-Za-z0-9-]+)\.([A-Za-z0-9-]+) Is this OK? Also, is there any way of shortening it? I know you can use \w to match words, but these don't contain numbers, right? Thanks in advance
effigy Posted July 21, 2008 How about matching against %\.\./%? This will find any attempts to go up the hierarchy.
LemonInflux Posted July 21, 2008 Awesome, thanks. That solves the problem anyway. Topic solved.
LemonInflux Posted July 21, 2008 Just to clarify, it would be if (preg_match('%\.\./%', $string)) { /* Do action if unsafe */ } else { /* Action if safe */ } ?
effigy Posted July 21, 2008 Correct. You could use strpos since the string is static.
LemonInflux Posted July 21, 2008 Although that still doesn't solve the problem that it also has to match word.word. How would I incorporate that into it?
effigy Posted July 21, 2008 /\A[a-z\d]\.[a-z\d]\z/i What about underscores?
LemonInflux Posted July 21, 2008 No underscores, just words. However, these will be in camel case if more than one word is needed, so would I need: /\A[A-Za-z\d]\.[A-Za-z\d]\z/i And how would I add the %\.\./% in?
LemonInflux Posted July 21, 2008 Oooh, hang on, I see. It wouldn't be needed because there's nowhere they could go?
effigy Posted July 21, 2008 The /i covers the case insensitivity. What will you be matching this against: an entire path? /usr/bob/file.txt?
LemonInflux Posted July 21, 2008 It's a path, but with dot notation. For example: if 'topFolder.bottomFile' is matched, it will go to topFolder/bottomFile.php. I can work out the .php bit and the / bit, but it's the validation I'm struggling with :S
LemonInflux Posted July 21, 2008 Hold on, I've just realised that the 0-9 range isn't needed. So... /\A[a-z]\.[a-z]\z/i Is that right? \d is digits?
effigy Posted July 22, 2008 Is that right? \d is digits? Yes.
LemonInflux Posted July 23, 2008 Out of curiosity, what does the \z signify? I know \Z is end of string, but is there a difference?
effigy Posted July 23, 2008 Typically ^ and $ are used to anchor the beginning and end of the line, respectively; however, these are affected by multi-line mode (/m). The other options are:
\A -- Same as ^, but not affected by multi-line mode.
\Z -- Same as $, but not affected by multi-line mode. May match before a string-ending newline.
\z -- Same as $, but not affected by multi-line mode. Will only match the end of the string.
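As an added example (not code from either poster), the following PHP puts the thread's pieces together: the anchored allowlist pattern from the last exchange, the dot-notation mapping to topFolder/bottomFile.php described earlier, and the \z anchor whose behaviour is explained in the reply above. It uses the `+` quantifier so that names longer than one character match, and adds a realpath containment check as a second line of defence. The `pages` directory, the `?page=` parameter name and the sample inputs are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes pages live under
// $baseDir/<folder>/<file>.php and are requested as ?page=folder.file.

declare(strict_types=1);

// Allowlist: letters only, exactly one dot, nothing before \A or after \z.
// \z (not \Z) means a trailing newline in the input cannot sneak through.
const PAGE_PATTERN = '/\A[a-z]+\.[a-z]+\z/i';

function validPageName(string $page): bool
{
    return preg_match(PAGE_PATTERN, $page) === 1;
}

/**
 * Map "topFolder.bottomFile" to "<baseDir>/topFolder/bottomFile.php".
 * Returns null when the name fails validation or the resolved file is
 * not inside $baseDir (covers symlinks and other surprises on disk).
 */
function resolvePage(string $page, string $baseDir): ?string
{
    if (!validPageName($page)) {
        return null;
    }
    // Safe to split: the pattern guarantees exactly one dot.
    [$folder, $file] = explode('.', $page, 2);
    $candidate = $baseDir . DIRECTORY_SEPARATOR . $folder
               . DIRECTORY_SEPARATOR . $file . '.php';

    // Defence in depth: canonicalise both paths and confirm containment.
    $realBase = realpath($baseDir);
    $realFile = realpath($candidate);
    if ($realBase === false || $realFile === false) {
        return null;
    }
    if (strpos($realFile, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $realFile;
}

// Constructed inputs showing what the allowlist accepts and rejects.
$samples = [
    'topFolder.bottomFile',  // valid
    'folder.../file',        // rejected: extra dots and a slash
    '..',                    // rejected: no letters around the dot
    'folder.file.php',       // rejected: second dot
    "folder.file\n",         // rejected by \z (a \Z anchor would accept it)
    'Folder.FILE',           // valid, thanks to /i
];
foreach ($samples as $s) {
    printf("%-24s %s\n", json_encode($s), validPageName($s) ? 'valid' : 'rejected');
}

// Typical use from the request handler.
$page = $_GET['page'] ?? '';
$path = resolvePage($page, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
require $path;
```

The pattern alone is enough to stop `../` because no slash or second dot can pass it; the realpath check costs one extra syscall and protects against the case where the pages directory itself contains a symlink pointing outside the web root.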