dwees Posted October 12, 2006 Share Posted October 12, 2006 So I have a script which is currently dangerous which takes user input and runs it through some parsing and then uses it in an eval(). Basically the script takes input from the user which resemble mathematical functions, converts them to the Php versions of the functions, and displays a graph from these functions. I've got it all working, but I want to validate the user input so that it can't be used to execute arbitrary script.I thought about removing all of the 'dangerous' characters from the script. I've sent it through strip_tags, so that's a start. I know that the characters the user will be entering are alphanumeric, (, ), *, /, -,^ and ! (I've already had a problem with a + sign - tried urlencode on one end, and urldecode on the other, but didn't work, so I've resorted to converting the + signs from the user to 'plus' and then back again before it's used in the script).Is there anyway for the user to build a dangerous function from these characters? And if so, what is it, so I can remove it (eg - preg_replace('if','',$string); And FINALLY my real regexp question! How do I create a regexp to only allow alphanumeric, ( , ) , * , / , - , ^ and ! characters through (no commas required)?Dave Quote Link to comment https://forums.phpfreaks.com/topic/23802-mathematical-function-matching/ Share on other sites More sharing options...
Zane Posted October 12, 2006 Share Posted October 12, 2006 just do a regex validation on the text inputthat only allows[code](, ), ^, *, /, \, +, -, [0-9][/code]EDIT:didn't realize the question was about regex already..lol Quote Link to comment https://forums.phpfreaks.com/topic/23802-mathematical-function-matching/#findComment-108107 Share on other sites More sharing options...
Zane Posted October 12, 2006 Share Posted October 12, 2006 [code=php:0]if(ereg("[^0-9()\*\/\\\^\+-\s]+", $textInput)) echo "Not a Valid Mathmatical function";else eval($textInput);[/code] Quote Link to comment https://forums.phpfreaks.com/topic/23802-mathematical-function-matching/#findComment-108111 Share on other sites More sharing options...
dwees Posted October 13, 2006 Author Share Posted October 13, 2006 [code]if(ereg("[^0-9()\*\/\\\^\+-\s]+", $textInput)) echo "Not a Valid Mathmatical function";else eval($textInput);[/code]To modify this to allow letters as well, I would use? (assuming I first make the input lowercase)[code]if(ereg("[^a-z0-9()\*\/\\\^\+-\s]+", $textInput)) echo "Not a Valid Mathmatical function";else eval($textInput);[/code]Could I also do:[code]preg_replace("[^a-z0-9()\*\/\\\^\+-\s]+", "", $textInput);[/code]Anyway, with just these characters in a string, is there anything dangerous a user could do? Also, will this regexp remove linebreaks and spaces from the string automatically?Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/23802-mathematical-function-matching/#findComment-108211 Share on other sites More sharing options...
Zane Posted October 14, 2006 Share Posted October 14, 2006 As long as you don't allow them to create variables make PHP statementsyou should have to worry about malicious code.if you block thing like{}$=->and as long as they don't have access to any global variables like _POST or _GETthere's nothing dangerous that could happen...[quote]To modify this to allow letters as well, I would use? (assuming I first make the input lowercase)Code:if(ereg("[^a-z0-9()\*\/\\\^\+-\s]+", $textInput)) echo "Not a Valid Mathmatical function";else eval($textInput);[/quote]yeah...you can also set for uppercase too[^a-zA-Z0-9()\*\/\\\^\+-\s] Quote Link to comment https://forums.phpfreaks.com/topic/23802-mathematical-function-matching/#findComment-108895 Share on other sites More sharing options...
dwees Posted October 16, 2006 Author Share Posted October 16, 2006 So I could strip _ from the string to remove their access to Global variables and then it should be fairly safe eh. Quote Link to comment https://forums.phpfreaks.com/topic/23802-mathematical-function-matching/#findComment-109617 Share on other sites More sharing options...
dwees Posted October 16, 2006 Author Share Posted October 16, 2006 Here's my validation function, will this strip the code enough that it will be safe for an eval ?I think that the last two replaces [i]should[/i] be handled with the first replacement, but better safe than sorry I guess.[code]function validate($input) { $input = strtolower($input); $input = preg_replace("/[^a-z0-9()\*\/\\\^\+-\s]+/", "", $input); $input = preg_replace("/[fd]/","", $input); // Just in case, strip BAD php commands $input = preg_replace("/(post|get|request|server|global|cookie|env|files|exec|shell|file|passthru|escapeshellcmd|popen|pcntl_exec)/", "", $input); $input = preg_replace("/'/","",$input); $input = preg_replace('/"/','',$input); return $input;}[/code] Quote Link to comment https://forums.phpfreaks.com/topic/23802-mathematical-function-matching/#findComment-109620 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.