mrgrammar Posted July 6, 2011

I want to make sure that my form is not vulnerable to injection. In the process of doing so, I found the following. If I do a preg_match on the data directly submitted to the form, it returns true.

// The form input comes from a text box that has two carriage returns
$data = $_POST['forminput'];
$checkdata = preg_match("/[\r\n]/", $data);
// output: $checkdata = true

However, if I treat the data first and then do a preg_match, it returns false.

// The form input comes from a text box that has two carriage returns
$data = $_POST[forminput];
$data = strip_tags(htmlspecialchars(mysql_real_escape_string($data)));
$checkdata = preg_match("/[\r\n]/", $data);
// output: $checkdata = false

In both examples, if I echo the form input, the string on the screen shows the \r\n. Why does the first example return true and the second return false?

Link: https://forums.phpfreaks.com/topic/241217-preg_match-returns-two-different-results-for-same-string/
AyKay47 Posted July 6, 2011

Firstly, you won't need to treat the user input until it passes your preg_match anyway. Treating it beforehand is extra work that is not needed. Also, if you pasted that code from your text editor, you are missing the quotes around your index.

$data = $_POST['forminput']; // added quotes
$data = strip_tags(htmlspecialchars(mysql_real_escape_string($data))); // not needed
$checkdata = preg_match("/[\r\n]/", $data);
// output: $checkdata = false
xyph Posted July 6, 2011

Hey guys, I want to verify the contents of a string using a complicated parser, but for some reason the results are different after I change the string.
DavidAM Posted July 6, 2011

As AyKay47 stated, you do not want to "treat" the data before testing it. The purpose of these "escaping" functions is to change the string in some way for a specific purpose. So, you need to understand what the functions you call are doing. And you need to call the appropriate function at the appropriate time.

Your code:

$data = strip_tags(htmlspecialchars(mysql_real_escape_string($data)));

The reason the preg_match call returns a different result is that the string is different.

mysql_real_escape_string "escapes" specific characters in the string to prepare it for sending to the database. One of the characters it escapes is the newline ("\n"). So, after calling mysql_real_escape_string() there will be NO instances of CR-LF ("\r\n") in the string because a backslash has been inserted BEFORE the newline. So, it will be: "\r\\n" (the newline is escaped). (It also escapes the carriage-return, but that does not enter into the reason for the preg_match() "failure".) This function should NOT be used as a general protection function. It is intended to be used when you get ready to send data to the database server.

htmlspecialchars converts certain characters into HTML tags to prepare it for sending to the browser. This function should be called just before sending a string to the browser when you want the HTML to be displayed and not interpreted.

strip_tags removes certain HTML tags from a string. This is handy when you want to display some user-entered text but do not want any HTML to be interpreted and you don't want it displayed.

Calling any of these functions (as well as several others) will change the value in a variable. Since the value is different before and after the function call, tests performed against the variable may return different results.
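The advice in the replies above, test the raw input first and apply each escaping function only at the boundary it was written for, worked through as an added example that is not code from the thread. It assumes PHP 7 or later with PDO and the pdo_sqlite extension. legacy_mysql_escape() is a stand-in written for this example that reproduces the byte rewriting mysql_real_escape_string() performed, since the real function needed a live MySQL connection and no longer exists in PHP 7+. The sample input is constructed.

```php
<?php
declare(strict_types=1);

// Stand-in for mysql_real_escape_string(): reproduces the byte rewriting it
// performed for a single-byte connection charset. Written for this example;
// the real function needed a live MySQL link and was removed in PHP 7.
function legacy_mysql_escape(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',   // the newline BYTE is replaced by backslash + 'n'
        "\r"   => '\\r',   // the CR BYTE is replaced by backslash + 'r'
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Validation belongs on the raw, untransformed input. This rule detects any
// line break, which is what a single-line field (a subject line, a header
// value) would reject; a multi-line textarea would apply a different rule.
function contains_line_break(string $raw): bool
{
    return preg_match('/[\r\n]/', $raw) === 1;
}

// Storage: bind the raw value through a prepared statement. No manual
// escaping, and the value round-trips byte for byte. SQLite in memory is an
// assumption made so the script runs offline; the PDO calls are the same
// against MySQL.
function store_and_fetch(string $value): string
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
    return (string) $pdo->query('SELECT body FROM notes WHERE id = 1')->fetchColumn();
}

// Output: encode for HTML at render time only, after validation and storage.
function render_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
    if (!$ok) {
        exit(1);
    }
}

// Constructed input: what a textarea submits when the user pressed Enter once.
$raw = "first line\r\nsecond line";

// 1. The thread's first case: the raw bytes contain CR and LF.
check(contains_line_break($raw) === true, 'raw input contains CR/LF');

// 2. The thread's second case: after escaping, the CR and LF bytes are gone,
//    replaced by the four printable characters \ r \ n, so the same regex
//    finds nothing. The string changed; the regex did not.
$escaped = legacy_mysql_escape($raw);
check($escaped === 'first line\\r\\nsecond line', 'escaped form holds literal backslashes');
check(contains_line_break($escaped) === false, 'escaped input no longer matches');

// 3. Order that works: decide on the raw value, then store it through a bound
//    parameter. This field is a textarea, so line breaks are allowed and must
//    survive; a single-line field would reject at step 1 instead.
check(store_and_fetch($raw) === $raw, 'prepared statement stores CRLF unchanged');

// 4. Encode only when rendering; the stored value is never pre-encoded.
check(render_html('<b>x</b> & "y"') === '&lt;b&gt;x&lt;/b&gt; &amp; &quot;y&quot;', 'HTML-encoded at output');
```

Run it with `php` from the command line; every check prints `ok` and the script exits 0. The escaped string in step 2 is the whole explanation of the thread's puzzle: the regex is looking for the CR and LF bytes, and the escaping function removed them. Escaping is not validation, and each of the three functions the original poster chained belongs at a different boundary (database driver, HTML output, HTML stripping), so none of them should run before the input check.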