
Mathematical Function matching



#1 dwees

dwees
  • Members
  • Advanced Member
  • 47 posts
  • Location: United Kingdom

Posted 12 October 2006 - 09:50 PM

So I have a script which is currently dangerous which takes user input and runs it through some parsing and then uses it in an eval(). 

Basically the script takes input from the user which resembles mathematical functions, converts them to the PHP versions of the functions, and displays a graph from these functions.  I've got it all working, but I want to validate the user input so that it can't be used to execute arbitrary script.

I thought about removing all of the 'dangerous' characters from the script.  I've sent it through strip_tags, so that's a start.  I know that the characters the user will be entering are alphanumeric, (, ), *, /, -,^ and !  (I've already had a problem with a + sign - tried urlencode on one end, and urldecode on the other, but didn't work, so I've resorted to converting the + signs from the user to 'plus' and then back again before it's used in the script).

Is there any way for the user to build a dangerous function from these characters?  And if so, what is it, so I can remove it (e.g. preg_replace('if','',$string);)  And FINALLY my real regexp question! 

How do I create a regexp to only allow alphanumeric, ( , ) , * , / , - , ^ and ! characters through (no commas required)?

Dave

#2 Zane

Zane
  • Administrators
  • Advanced Member
  • 4,134 posts

Posted 12 October 2006 - 09:57 PM

just do a regex validation on the text input
that only allows
(, ), ^, *, /, \, +, -, [0-9]

EDIT:
didn't realize the question was about regex already..lol


#3 Zane

Zane
  • Administrators
  • Advanced Member
  • 4,134 posts

Posted 12 October 2006 - 10:01 PM

// preg_match in place of the removed ereg(); the hyphen goes last in the class so it is a literal, not a range
if(preg_match('/[^0-9()*\/\\\\^+\s-]+/', $textInput))
   echo "Not a Valid Mathematical function";
else
   eval($textInput);


#4 dwees

dwees
  • Members
  • Advanced Member
  • 47 posts
  • Location: United Kingdom

Posted 13 October 2006 - 07:18 AM

// preg_match in place of the removed ereg(); the hyphen goes last in the class so it is a literal, not a range
if(preg_match('/[^0-9()*\/\\\\^+\s-]+/', $textInput))
   echo "Not a Valid Mathematical function";
else
   eval($textInput);

To modify this to allow letters as well, I would use? (assuming I first make the input lowercase)

// same check with lowercase letters added to the allowed set
if(preg_match('/[^a-z0-9()*\/\\\\^+\s-]+/', $textInput))
   echo "Not a Valid Mathematical function";
else
   eval($textInput);

Could I also do:

// preg_replace needs pattern delimiters and returns the cleaned string; it does not modify $textInput in place
$textInput = preg_replace('/[^a-z0-9()*\/\\\\^+\s-]+/', "", $textInput);

Anyway, with just these characters in a string, is there anything dangerous a user could do?  Also, will this regexp remove linebreaks and spaces from the string automatically?

Thanks.
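As an added example, not taken from any of the posts, here is the allow-list check the thread is converging on, written with preg_match. The character class quoted in this thread ends in `\+-\s`, which PCRE reads as a range from `+` to `\s` and which PHP 7.3+ (PCRE2) refuses to compile; putting the hyphen last makes it a literal. The set below is the poster's own list (letters, digits, `( ) * / - ^ !`) plus `+` and whitespace; the backslash from the later replies is left out on purpose. The second function is the stripping variant asked about above: because `\s` sits inside the negated class, spaces and line breaks are kept, not removed, and stripping silently turns rejected input into accepted input, which is why the rejecting form is the safer of the two.

```php
<?php
// Added example (not code from the thread): allow-list validation with preg_match.
// Hyphen placed last in the class so it is a literal character, not a range.
const MATH_CHARS = '/^[a-z0-9()*\/^!+\s-]*$/';

// Reject: true only when every character of $input is on the allow-list.
// The pattern is anchored with ^ and $ so a partial match cannot pass.
function isAllowedMathInput(string $input): bool
{
    return preg_match(MATH_CHARS, strtolower($input)) === 1;
}

// Strip: the preg_replace variant. Whitespace survives because \s is part of the
// negated class, and disallowed characters disappear without any error.
function stripToMathChars(string $input): string
{
    return preg_replace('/[^a-z0-9()*\/^!+\s-]+/', '', strtolower($input));
}

// Constructed sample inputs, including one with a line break and two that must fail.
$samples = ["sin(x)^2 + 3!", "x\n* 2", '$x + 1', 'a = 1'];
foreach ($samples as $s) {
    printf(
        "%-16s reject=%s strip=%s\n",
        json_encode($s),
        isAllowedMathInput($s) ? 'pass' : 'FAIL',
        json_encode(stripToMathChars($s))
    );
}
```

Run it with `php` from the command line; the rejecting check is the one to keep, and the strip output is shown only to make its silent behaviour visible.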

#5 Zane

Zane
  • Administrators
  • Advanced Member
  • 4,134 posts

Posted 14 October 2006 - 10:17 PM

As long as you don't allow them to create variables or make PHP statements
you shouldn't have to worry about malicious code.

if you block things like
{
}
$
=
->

and as long as they don't have access to any global variables like _POST or _GET
there's nothing dangerous that could happen...



To modify this to allow letters as well, I would use? (assuming I first make the input lowercase)
Code:

// same check with lowercase letters added to the allowed set
if(preg_match('/[^a-z0-9()*\/\\\\^+\s-]+/', $textInput))
  echo "Not a Valid Mathematical function";
else
  eval($textInput);


yeah...you can also set for uppercase too
[^a-zA-Z0-9()*\/\\^+\s-]


#6 dwees

dwees
  • Members
  • Advanced Member
  • 47 posts
  • Location: United Kingdom

Posted 16 October 2006 - 04:58 PM

So I could strip _ from the string to remove their access to Global variables and then it should be fairly safe eh.

#7 dwees

dwees
  • Members
  • Advanced Member
  • 47 posts
  • Location: United Kingdom

Posted 16 October 2006 - 05:08 PM

Here's my validation function, will this strip the code enough that it will be safe for an eval ?
I think that the last two replaces should be handled with the first replacement, but better safe than sorry I guess.

function validate($input) {
	$input = strtolower($input);
	// hyphen placed last so it is a literal, not the start of a range
	$input = preg_replace("/[^a-z0-9()*\/\\\\^+\s-]+/", "", $input);
	$input = preg_replace("/[fd]/","", $input);
	// Just in case, strip BAD php commands
	$input = preg_replace("/(post|get|request|server|global|cookie|env|files|exec|shell|file|passthru|escapeshellcmd|popen|pcntl_exec)/", "", $input);
	$input = preg_replace("/'/","",$input);
	$input = preg_replace('/"/','',$input);
	return $input;
}
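The alternative to stripping words out before an eval() is to not eval() at all: parse the expression with a small grammar and compute it directly, so the text never becomes PHP code and there is no list of "bad commands" to maintain. The following is an added example and not code from this thread. It assumes a single variable named x, a fixed table of function names mapped onto PHP's own math functions, and PHP 7.4+ for typed properties; the grammar covers the characters the original poster listed (letters, digits, `( ) + - * / ^ !`), with `^` right-associative and binding tighter than unary minus. Anything outside the grammar raises an exception instead of being silently cleaned.

```php
<?php
// Added example, not code from the thread: evaluate the expression with a
// recursive-descent parser instead of eval(). Assumptions: one variable x,
// the FUNCTIONS table below (mapped onto PHP's math functions), PHP 7.4+.
final class SafeMathEvaluator
{
    private const FUNCTIONS = ['sin' => 'sin', 'cos' => 'cos', 'sqrt' => 'sqrt', 'abs' => 'abs', 'exp' => 'exp', 'ln' => 'log'];
    private array $tokens = [];
    private int $pos = 0;
    private float $x = 0.0;

    public function evaluate(string $input, float $x): float
    {
        $this->x = $x;
        $this->tokens = $this->tokenize(strtolower($input));
        $this->pos = 0;
        $value = $this->parseSum();
        if ($this->pos !== count($this->tokens)) throw new InvalidArgumentException('Unexpected token: ' . $this->tokens[$this->pos]);
        return $value;
    }
    // Whitespace is dropped, any byte outside the allow-list is rejected, then the
    // remainder is split into numbers, names and single-character operators.
    private function tokenize(string $s): array
    {
        $s = preg_replace('/\s+/', '', $s);
        if (preg_match('/[^a-z0-9().+*\/^!-]/', $s, $bad)) throw new InvalidArgumentException("Illegal character: {$bad[0]}");
        preg_match_all('/\d+(?:\.\d+)?|[a-z]+|./', $s, $m);
        return $m[0];
    }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): string
    {
        if ($this->peek() === null) throw new InvalidArgumentException('Unexpected end of input');
        return $this->tokens[$this->pos++];
    }
    private function expect(string $t): void
    {
        if ($this->next() !== $t) throw new InvalidArgumentException("Expected '$t'");
    }
    // sum := product (('+'|'-') product)*
    private function parseSum(): float
    {
        $v = $this->parseProduct();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->next();
            $r = $this->parseProduct();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }
    // product := unary (('*'|'/') unary)*
    private function parseProduct(): float
    {
        $v = $this->parseUnary();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next();
            $r = $this->parseUnary();
            if ($op === '/' && $r == 0.0) throw new DomainException('Division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    // unary := '-' unary | postfix ('^' unary)?   (so -x^2 is -(x^2); ^ is right-associative)
    private function parseUnary(): float
    {
        if ($this->peek() === '-') { $this->next(); return -$this->parseUnary(); }
        $base = $this->parsePostfix();
        if ($this->peek() === '^') { $this->next(); return $base ** $this->parseUnary(); }
        return $base;
    }
    // postfix := primary '!'*
    private function parsePostfix(): float
    {
        $v = $this->parsePrimary();
        while ($this->peek() === '!') { $this->next(); $v = $this->factorial($v); }
        return $v;
    }
    // primary := number | 'x' | name '(' sum ')' | '(' sum ')'
    private function parsePrimary(): float
    {
        $t = $this->next();
        if ($t === '(') { $v = $this->parseSum(); $this->expect(')'); return $v; }
        if (is_numeric($t)) return (float) $t;
        if ($t === 'x') return $this->x;
        if (isset(self::FUNCTIONS[$t])) {
            $this->expect('('); $arg = $this->parseSum(); $this->expect(')');
            $fn = self::FUNCTIONS[$t];
            return (float) $fn($arg);
        }
        throw new InvalidArgumentException("Unknown name: $t");
    }
    private function factorial(float $n): float
    {
        if ($n < 0 || $n != floor($n) || $n > 170) throw new DomainException('Factorial needs a non-negative integer up to 170');
        $r = 1.0;
        for ($i = 2; $i <= $n; $i++) $r *= $i;
        return $r;
    }
}

// Constructed sample inputs: two valid expressions, then three that must be rejected.
$calc = new SafeMathEvaluator();
echo $calc->evaluate('sin(x)^2 + cos(x)^2', 0.7), "\n";
echo $calc->evaluate('-x^2 + 3!', 2), "\n";
foreach (['y + 1', '2 $ 3', 'x!!'] as $bad) {
    try { echo $calc->evaluate($bad, 2.5), "\n"; }
    catch (InvalidArgumentException | DomainException $e) { echo "$bad => ", $e->getMessage(), "\n"; }
}
```

Adding a new function to the graph means adding one entry to the FUNCTIONS table; a name that is not in the table, a stray `$`, or a factorial of a non-integer each ends in an exception rather than in code execution, which is the property the word-stripping approach cannot give.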
