So I have a script, which is currently dangerous, that takes user input, runs it through some parsing and then uses it in an eval().

Basically the script takes input from the user that resembles mathematical functions, converts it to the PHP versions of those functions, and displays a graph from them.  I've got it all working, but I want to validate the user input so that it can't be used to execute arbitrary script.

I thought about removing all of the 'dangerous' characters from the script.  I've sent it through strip_tags, so that's a start.  I know that the characters the user will be entering are alphanumeric, (, ), *, /, -, ^ and !  (I've already had a problem with a + sign: I tried urlencode on one end and urldecode on the other, but that didn't work, so I've resorted to converting the + signs from the user to 'plus' and then back again before it's used in the script).

Is there any way for the user to build a dangerous function from these characters?  And if so, what is it, so I can remove it (e.g. preg_replace('if', '', $string))?  And FINALLY, my real regexp question!

How do I create a regexp to only allow alphanumeric, (, ), *, /, -, ^ and ! characters through (no commas required)?

Dave
https://forums.phpfreaks.com/topic/23802-mathematical-function-matching/

[code]
// ereg() was removed in PHP 7; preg_match() with a delimited PCRE pattern replaces it.
// The hyphen is escaped inside the class so "+-\s" is not parsed as a range.
if (preg_match("/[^0-9()*\/^+\-\s]+/", $textInput))
  echo "Not a Valid Mathematical function";
else
  eval($textInput);
[/code]

To modify this to allow letters as well, would I use this? (assuming I first make the input lowercase)

[code]
if (preg_match("/[^a-z0-9()*\/^+\-\s]+/", $textInput))
  echo "Not a Valid Mathematical function";
else
  eval($textInput);
[/code]

Could I also do:

[code]
// preg_replace() needs pattern delimiters and returns the new string; it does not modify $textInput in place
$textInput = preg_replace("/[^a-z0-9()*\/^+\-\s]+/", "", $textInput);
[/code]

Anyway, with just these characters in a string, is there anything dangerous a user could do?  Also, will this regexp remove line breaks and spaces from the string automatically?

Thanks.
As long as you don't allow them to create variables or make PHP statements,
you shouldn't have to worry about malicious code.

If you block things like
{
}
$
=
->

and as long as they don't have access to any global variables like _POST or _GET,
there's nothing dangerous that could happen...



[quote]
To modify this to allow letters as well, I would use? (assuming I first make the input lowercase)
Code:

if (preg_match("/[^a-z0-9()*\/^+\-\s]+/", $textInput))
  echo "Not a Valid Mathematical function";
else
  eval($textInput);
[/quote]

Yeah... you can also set it for uppercase too:
[^a-zA-Z0-9()*\/^+\-\s]
Here's my validation function; will this strip the code enough that it will be safe for an eval?
I think that the last two replaces [i]should[/i] be handled by the first replacement, but better safe than sorry, I guess.

[code]
function validate($input) {
    $input = strtolower($input);
    // Drop every character outside the allowed set (hyphen escaped so "+-\s" is not a range)
    $input = preg_replace("/[^a-z0-9()*\/^+\-\s]+/", "", $input);
    $input = preg_replace("/[fd]/", "", $input);
    // Just in case, strip BAD php commands
    $input = preg_replace("/(post|get|request|server|global|cookie|env|files|exec|shell|file|passthru|escapeshellcmd|popen|pcntl_exec)/", "", $input);
    $input = preg_replace("/'/", "", $input);
    $input = preg_replace('/"/', '', $input);
    return $input;
}
[/code]
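A character whitelist plus a word blocklist is not enough to make eval() safe, and the thread's own filters show why: a string such as `system(ls)` uses only letters and parentheses, contains neither `f` nor `d`, and matches none of the blocked words, so validate() above returns it unchanged; on PHP 5 and 7 the bare word `ls` is an undefined constant that evaluates to the string "ls" (with a notice), so the eval() runs the command. The approach that removes the problem is to never hand user text to the PHP parser at all: tokenize the formula, parse it against a small grammar, and compute the value yourself, calling only functions from an explicit whitelist. The following is an added example written for this thread (not code from the original posts), in PHP 7.4+; the SafeMath class name, its FUNCS whitelist and the handling of `x` as the graph variable are assumptions, and the grammar covers exactly the characters listed in the first post (numbers, names, `( ) * / + - ^ !`) plus juxtaposition such as `2x`.

```php
<?php
// Added example (not from the thread): evaluate a user-supplied formula without eval().
// Needs PHP 7.4+. FUNCS is an assumed whitelist; extend it with what the grapher needs.
final class SafeMath {
    private const FUNCS = ['sin' => 'sin', 'cos' => 'cos', 'sqrt' => 'sqrt', 'abs' => 'abs',
                           'exp' => 'exp', 'ln' => 'log', 'log' => 'log10'];
    private array $tokens = [];
    private int $pos = 0;
    private float $x = 0.0;
    // Split input into [type, value] tokens; any character outside the grammar is rejected.
    // Alternatives in the pattern: number | name | operator | anything else (illegal)
    public static function tokenize(string $src): array {
        preg_match_all('/\s*(?:(\d+(?:\.\d+)?)|([a-z]+)|([-+*\/^!()])|(\S))/',
                       strtolower($src), $m, PREG_SET_ORDER);
        $out = [];
        foreach ($m as $t) {
            if (isset($t[4])) throw new InvalidArgumentException("Illegal character '{$t[4]}'");
            if ($t[1] !== '')     $out[] = ['num', (float) $t[1]];
            elseif ($t[2] !== '') $out[] = ['name', $t[2]];
            else                  $out[] = ['op', $t[3]];
        }
        $out[] = ['end', ''];
        return $out;
    }
    public function evaluate(string $src, float $x = 0.0): float {
        $this->tokens = self::tokenize($src);
        $this->pos = 0; $this->x = $x;
        $v = $this->expr();
        if ($this->peek()[0] !== 'end') throw new InvalidArgumentException("Unexpected '{$this->peek()[1]}'");
        return $v;
    }
    private function peek(): array { return $this->tokens[$this->pos]; }
    private function accept(string $op): bool { if ($this->peek() !== ['op', $op]) return false; $this->pos++; return true; }
    private function expect(string $op): void { if (!$this->accept($op)) throw new InvalidArgumentException("Expected '$op'"); }
    // expr := term (('+' | '-') term)*
    private function expr(): float {
        $v = $this->term();
        while (true) {
            if ($this->accept('+'))     $v += $this->term();
            elseif ($this->accept('-')) $v -= $this->term();
            else return $v;
        }
    }
    // term := unary (('*' | '/' | juxtaposition) unary)*   juxtaposition covers 2x and 3(x+1)
    private function term(): float {
        $v = $this->unary();
        while (true) {
            $t = $this->peek();
            if ($this->accept('*')) { $v *= $this->unary(); continue; }
            if ($this->accept('/')) {
                $d = $this->unary();
                if ($d == 0.0) throw new DomainException('Division by zero');
                $v /= $d; continue;
            }
            if ($t[0] !== 'num' && $t[0] !== 'name' && $t !== ['op', '(']) return $v;
            $v *= $this->unary();
        }
    }
    // unary := ('-' | '+') unary | power     binds looser than ^, so -2^2 = -4
    private function unary(): float {
        if ($this->accept('-')) return -$this->unary();
        return $this->accept('+') ? $this->unary() : $this->power();
    }
    // power := postfix ('^' unary)?   right-associative: 2^3^2 = 512
    private function power(): float {
        $base = $this->postfix();
        return $this->accept('^') ? $base ** $this->unary() : $base;
    }
    // postfix := primary '!'*   factorial of an integer in 0..170 (171! overflows a double)
    private function postfix(): float {
        $v = $this->primary();
        while ($this->accept('!')) {
            if ($v < 0 || $v > 170 || $v != floor($v)) throw new DomainException('Bad factorial operand');
            for ($r = 1.0, $i = 2; $i <= $v; $i++) $r *= $i;
            $v = $r;
        }
        return $v;
    }
    // primary := number | 'x' | name '(' expr ')' | '(' expr ')'
    private function primary(): float {
        [$type, $val] = $this->tokens[$this->pos++];
        if ($type === 'num') return $val;
        if ($type === 'name' && $val === 'x') return $this->x;
        if ($type === 'name' && !isset(self::FUNCS[$val])) throw new InvalidArgumentException("Unknown function '$val'");
        if ($type === 'end') throw new InvalidArgumentException('Unexpected end of input');
        if ($type === 'op' && $val !== '(') throw new InvalidArgumentException("Unexpected '$val'");
        if ($type === 'name') $this->expect('(');   // call of a whitelisted function, never eval()
        $v = $this->expr();
        $this->expect(')');
        return $type === 'name' ? (float) call_user_func(self::FUNCS[$val], $v) : $v;
    }
}

$m = new SafeMath();
echo $m->evaluate('2x^2 - 3x + 1', 2.0), "\n";   // 3
echo $m->evaluate('5! / (2^3)'), "\n";           // 15
try { $m->evaluate('system(ls)'); }              // passes the thread's regex filters, rejected here
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }   // Unknown function 'system'
```

Because the evaluator only ever calls names that appear as keys in FUNCS, the question "which characters are dangerous?" no longer matters: an unknown name, an unbalanced bracket or a stray character is an exception, not code. Call evaluate() once per sample point of the graph. Two caveats: a formula like `9^9^9^9` legitimately evaluates to INF, so clamp or skip non-finite results when plotting; and the `+` problem from the first post comes from GET query strings, where an unescaped `+` decodes to a space, so reading the formula from a POST body (or encoding it with encodeURIComponent / rawurlencode on the sending side) removes the need for the 'plus' substitution.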