Tom10, posted February 9, 2015:

Hi, so I'm currently looking into security in PHP. I have looked at the preg_match function on PHP.net and I don't fully understand how it works or how to use it properly. For example, I don't know how I would use the function to detect characters or keywords in the local URL. Please can someone explain it to me? Every response is much appreciated. Thanks.
requinix, posted February 9, 2015:

preg_match() has to do with regular expressions. It's not a solution to a particular problem but a tool you can use, so using it "properly" depends on what you're using it for. You could use it to validate simple things like usernames or complex things like URLs.

Explain what "detect characters or keywords in the local URL" means.
Tom10 (author), posted February 10, 2015:

> preg_match() has to do with regular expressions. It's not a solution to a particular problem but a tool you can use, so using it "properly" depends on what you're using it for. You could use it to validate simple things like usernames or complex things like URLs.
>
> Explain what "detect characters or keywords in the local URL" means.

What I want to do with preg_match is detect certain keywords or characters in the URL. It's like with mod_security: if you enter <script>onload=alert);</script> in the URL, it comes up with a 512 security error. I want to use preg_match to detect the keywords or characters that someone enters into the URL and then redirect them or kill the page.
Tom10 (author), posted February 10, 2015:

An example would be: http://corruptsecurity.net/chat.php?%3C?php%20file_put_contents()%20?%3E
requinix, posted February 10, 2015:

Some advice: don't try to detect bad input. You will not be able to protect yourself from everything that way. Instead just deal with it safely. Output into HTML should use functions like htmlspecialchars and occasionally (raw)urlencode. People entering PHP code should be perfectly fine because you should never, ever be attempting to execute it. If they want to provide a bad URL like that then it's okay because all you're going to do is output it or maybe redirect people to it, and both of those cases are very easy to protect yourself against.

Here's a demonstration:

    $url = "http://corruptsecurity.net/chat.php?<?php file_put_contents() ?>";
    echo "<html>
    <head>
    <title>Redirecting...</title>
    <meta http-equiv='Refresh' content='10;url=", htmlspecialchars($url), "'>
    </head>
    <body>
    <p>Redirecting you to <a href='", htmlspecialchars($url), "'>", htmlspecialchars($url), "</a>...</p>
    <script type='text/javascript'>
    window.setTimeout(function() {
        document.location = ", json_encode((string)$url), ";
    }, 3000);
    </script>
    </body>
    </html>";
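The advice above (encode on output, and never trust a user-supplied URL as a redirect target) carried through as an added example. This is not requinix's code: it separates the encoding by context (HTML text/attribute, URL parameter, JavaScript string) and replaces the "redirect to whatever was given" step with an allowlist check. The helper names, the `example.com` allowlist and the sample value are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Output encoding per context, plus a
// redirect that validates its destination instead of trying to detect bad input.

declare(strict_types=1);

// Encode for HTML text and attribute context (ENT_QUOTES covers single quotes too).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Encode for a JavaScript string literal inside a <script> block.
// The HEX flags turn < > & ' " into \uXXXX escapes, and json_encode escapes "/"
// by default, so a value can never close the surrounding <script> tag.
function js(string $s): string
{
    $encoded = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $encoded === false ? '""' : $encoded;   // invalid UTF-8 becomes an empty string
}

// A link whose query parameter comes from user input: the value is URL-encoded
// for the query string, then the whole URL is HTML-encoded for the attribute.
function searchLink(string $term): string
{
    $url = '/search.php?q=' . rawurlencode($term);
    return '<a href="' . h($url) . '">' . h($term) . '</a>';
}

// Allow a redirect only to http(s) on a known host. The allowlist ("example.com")
// is an assumption for this example; the fallback is the site root.
function safeRedirectTarget(string $candidate, array $allowedHosts = ['example.com']): string
{
    $parts = parse_url($candidate);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return '/';
    }
    return $candidate;
}

// Constructed sample input, the same kind of value discussed in the thread.
$url = 'http://corruptsecurity.net/chat.php?<?php file_put_contents() ?>';

// Once encoded the value is inert: it renders as text, not as markup or code.
echo '<p>Requested: ' . h($url) . "</p>\n";
echo '<script>var target = ' . js($url) . ";</script>\n";
echo searchLink('<script>alert(1)</script>') . "\n";

// The redirect never uses an unchecked URL; here the host is not allowed, so "/" is used.
$target = safeRedirectTarget($url);
echo '<p>Redirect target: ' . h($target) . "</p>\n";
// In a real handler: header('Location: ' . $target); exit;
```

The point of splitting the helpers by context is that one encoding function does not fit every place a value is printed: htmlspecialchars() is right for HTML, but inside a `<script>` block json_encode() with the HEX flags is what makes the value a harmless string literal, and in a query string rawurlencode() is what keeps `&` and `=` from being read as separators.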
Tom10 (author), posted February 11, 2015:

> Some advice: don't try to detect bad input. You will not be able to protect yourself from everything that way. Instead just deal with it safely. Output into HTML should use functions like htmlspecialchars and occasionally (raw)urlencode. People entering PHP code should be perfectly fine because you should never, ever be attempting to execute it. If they want to provide a bad URL like that then it's okay because all you're going to do is output it or maybe redirect people to it, and both of those cases are very easy to protect yourself against.
>
> Here's a demonstration:
>
>     $url = "http://corruptsecurity.net/chat.php?<?php file_put_contents() ?>";
>     echo "<html>
>     <head>
>     <title>Redirecting...</title>
>     <meta http-equiv='Refresh' content='10;url=", htmlspecialchars($url), "'>
>     </head>
>     <body>
>     <p>Redirecting you to <a href='", htmlspecialchars($url), "'>", htmlspecialchars($url), "</a>...</p>
>     <script type='text/javascript'>
>     window.setTimeout(function() {
>         document.location = ", json_encode((string)$url), ";
>     }, 3000);
>     </script>
>     </body>
>     </html>";

In the url variable, though, how can I redirect them to a specific page if they enter malicious code into the URL?
Tom10 (author), posted February 11, 2015:

Like, how would I be able to use PHP to detect if they have actually tried to inject malicious code into the URL and, if so, redirect them?
requinix, posted February 11, 2015:

By deciding what you consider to be "malicious code" and then looking for it. If you think the presence of a "<?php" means it is malicious then that's what you look for.
Tom10 (author), posted February 11, 2015:

Yeah, but I mean how can I use strpos for the URL of my website? I know how to use it with normal HTML input.
Tom10 (author), posted February 11, 2015 (edited):

    <?php
    $url = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    $findMe = array('@', '/', '&', '$', '"', '!', '<', '(', ')', '{');
    // strpos() takes a single string needle, so the array has to be checked one entry
    // at a time; passing $findMe itself is what raised the "Array to string conversion" notice.
    // Note that '/' and '&' occur in almost every URL, so this list matches ordinary requests too.
    foreach ($findMe as $needle) {
        if (false !== strpos($url, $needle)) {
            echo 'Fail!';
            break;
        }
    }
    ?>

How can I search for more than one character? I have got the error:

    Notice: Array to string conversion in C:\xampp\htdocs\test.php on line 7

Edited February 11, 2015 by Tom10
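An added example (not Tom10's or requinix's code) that answers the strpos question from this post directly, and then shows the preg_match use requinix described earlier in the thread: validating what a value is allowed to contain (a username, a numeric id) rather than hunting for characters that look bad. The parameter names, the validation rules and the sample query strings are assumptions constructed for the example; a real request would use $_GET or $_SERVER['QUERY_STRING'] instead of the samples.

```php
<?php
// Added example, not code from the thread.

declare(strict_types=1);

// Search one haystack for several needles; returns the needles that were found.
// This is the multi-character version of the strpos() check from the post above.
function findAny(string $haystack, array $needles): array
{
    $found = [];
    foreach ($needles as $needle) {
        if ($needle !== '' && strpos($haystack, $needle) !== false) {
            $found[] = $needle;
        }
    }
    return $found;
}

// Allowlist validation with preg_match(): a username is 3-20 letters, digits or underscores.
// preg_match() returns 1 on match, 0 on no match and false on error, hence the strict comparison.
function isValidUsername(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1;
}

// Allowlist for a numeric id parameter (no leading zero, at most 10 digits).
function isValidId(string $id): bool
{
    return preg_match('/^[1-9][0-9]{0,9}$/', $id) === 1;
}

// Validate every query parameter against its rule; unknown or invalid ones are reported.
// The parameter names and rules are assumptions for this example.
function validateQuery(array $query): array
{
    $rules = ['user' => 'isValidUsername', 'id' => 'isValidId'];
    $errors = [];
    foreach ($query as $key => $value) {
        if (!isset($rules[$key])) {
            $errors[] = "unexpected parameter '$key'";
        } elseif (!is_string($value) || !$rules[$key]($value)) {
            $errors[] = "invalid value for '$key'";
        }
    }
    return $errors;
}

// Constructed sample query strings, including the ones discussed in the thread.
$samples = [
    'user=tom10&id=42',
    'user=<script>alert(1)</script>&id=42',
    '%3C?php%20file_put_contents()%20?%3E',
];

foreach ($samples as $qs) {
    parse_str($qs, $params);                  // decodes and splits like $_GET would
    $errors = validateQuery($params);
    $hits = findAny(rawurldecode($qs), ['<', '>', '(', ')', '"', "'"]);
    printf("%-45s strpos hits: %-12s %s\n",
        $qs,
        $hits ? implode(' ', $hits) : 'none',
        $errors ? 'REJECT: ' . implode('; ', $errors) : 'ok');
}

// Rejecting a bad request in a real handler. A 400 response is usually a better
// choice than a redirect: a redirect still needs a safe target, and the status
// code is what shows up in the access log.
// if (validateQuery($_GET) !== []) { http_response_code(400); exit('Bad request'); }
```

Run from the command line, the first sample passes both checks, the second is caught by both the character search and the username rule, and the third is rejected by validateQuery() because it is not a parameter the page expects at all. The allowlist is what does the real work: it rejects anything it was not told to accept, so it does not depend on guessing every character an attacker might use, which is the weakness requinix pointed out in the blocklist approach.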