
preg_match


Tom10


Hi, so I'm currently looking into security in PHP. I have looked at the preg_match function on PHP.net and I don't fully understand how it works or how to use it properly. For example, I don't know how I would use the function to detect characters or keywords in the local URL.

Please can someone explain it to me?

Every response is much appreciated. Thanks :)


preg_match() has to do with regular expressions. It's not a solution to a particular problem but a tool you can use, so using it "properly" depends on what you're using it for. You could use it to validate simple things like usernames or complex things like URLs.

 

Explain what "detect characters or keywords in the local URL" means.


What I want to do with preg_match is detect certain keywords or characters in the URL. It's like with mod_security: if you enter in the URL <script>onload=alert);</script>

it comes up with a 512 security error.

I want to use preg_match to detect the keywords or characters that someone enters into the URL and then redirect them or kill the page.


Some advice: don't try to detect bad input. You will not be able to protect yourself from everything that way.

Instead just deal with it safely. Output into HTML should use functions like htmlspecialchars and occasionally (raw)urlencode.

 

People entering PHP code should be perfectly fine because you should never, ever be attempting to execute it. If they want to provide a bad URL like that then it's okay because all you're going to do is output it or maybe redirect people to it, and both of those cases are very easy to protect yourself against. Here's a demonstration:

<?php
// A URL supplied by the user. It is never executed, only escaped and output.
$url = "http://corruptsecurity.net/chat.php?<?php file_put_contents() ?>";

// Every place the URL lands in HTML (attribute values, link text) goes through
// htmlspecialchars(); the JavaScript string literal goes through json_encode().
echo "<html>
<head>
<title>Redirecting...</title>
<meta http-equiv='Refresh' content='10;url=", htmlspecialchars($url), "'>
</head>

<body>
<p>Redirecting you to <a href='", htmlspecialchars($url), "'>", htmlspecialchars($url), "</a>...</p>
<script type='text/javascript'>
window.setTimeout(function() {
    document.location = ", json_encode((string)$url), ";
}, 3000);
</script>
</body>
</html>";
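The same redirect page as an added example (not requinix's code and not from this thread), rewritten as a function so that the escaping for each output context is explicit. It passes ENT_QUOTES to htmlspecialchars, because before PHP 8.1 the default flags do not encode the single quote and the page above delimits its attributes with single quotes, and it adds an http(s) scheme check before the value is used as a navigation target. The function names, the sample URL and the fallback path are assumptions.

```php
<?php
// Added example, not requinix's code: the redirect page as a function, with
// the escaping for each output context made explicit and a scheme check
// added before the value is used as a navigation target.
declare(strict_types=1);

// HTML attribute and text context. ENT_QUOTES is passed explicitly: before
// PHP 8.1 the default flags leave the single quote unencoded, and the page
// delimits its attributes with single quotes.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context. json_encode() yields a quoted literal;
// the JSON_HEX_* flags additionally hex-escape < > & ' " so the literal can
// never close the surrounding <script> element.
function js_string(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Escaping keeps the markup intact, but the browser will also navigate to
// this value, so only http(s) targets are accepted; anything else falls back
// to a fixed local page (an assumed path).
function safe_redirect_target(string $url, string $fallback = '/'): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true)) {
        return $url;
    }
    return $fallback;
}

function redirect_page(string $url, int $delaySeconds = 3): string
{
    $target = safe_redirect_target($url);
    $attr   = html_attr($target);
    $js     = js_string($target);
    $ms     = $delaySeconds * 1000;

    return <<<HTML
<!DOCTYPE html>
<html>
<head>
<title>Redirecting...</title>
<meta http-equiv='Refresh' content='{$delaySeconds};url={$attr}'>
</head>
<body>
<p>Redirecting you to <a href='{$attr}'>{$attr}</a>...</p>
<script>
window.setTimeout(function () {
    document.location = {$js};
}, {$ms});
</script>
</body>
</html>
HTML;
}

// Constructed sample input: a URL whose query string carries quotes and tags.
// In the output they appear only as &#039; &quot; &lt; ... inside the HTML
// and as \u0027 \u0022 \u003C ... inside the script, so the structure of the
// page is unchanged no matter what the query string contains.
$sample = "http://example.com/chat.php?q='\"><b>bold</b>";
echo redirect_page($sample);
```

Run it from the command line and inspect the output: the single quotes that delimit the attributes are never closed early, and the script literal stays a single string. The scheme check is the one thing escaping alone does not give you, since a well-escaped value is still the URL the visitor ends up on.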

In the url variable, though, how can I redirect them to a specific page if they enter malicious code into the URL?


<?php

$url = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];

$findMe = array('@', '/', '&', '$', '"', '!', '<', '(', ')', '{');

if (false !== strpos($url, '')) {
    echo 'Fail!';
} else {

}

?>

How can I search for more than one character?

I have got the error:

Notice: Array to string conversion in C:\xampp\htdocs\test.php on line 7

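An added example (not Tom10's code and not from this thread) that answers the two open questions: how preg_match is used as a validation tool, as the first reply describes, and how to test a URL for more than one character or keyword at once. strpos() takes a single string as its needle, which is why handing it the $findMe array produces the "Array to string conversion" notice; the helper below builds one regular expression from the whole list instead. The function names, the keyword list, the sample request and the /blocked.html page are assumptions.

```php
<?php
// Added example, not Tom10's code: search a request for any of several
// characters or keywords with one preg_match() call.
declare(strict_types=1);

// Allowlist validation, the use the first reply had in mind: the pattern is
// anchored with ^ and $ so the whole value must consist of the permitted
// characters. preg_match() returns 1 on a match, 0 on none, false on error.
function is_valid_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1;
}

// Blocklist search: build one pattern from the list. preg_quote() escapes
// every regex metacharacter, and '/' is named as the delimiter so it is
// escaped as well. The /i flag makes the match case-insensitive. Returns the
// text that matched, or null.
function first_forbidden(string $haystack, array $needles): ?string
{
    $needles = array_filter($needles, fn(string $n): bool => $n !== '');
    $alternatives = array_map(fn(string $n): string => preg_quote($n, '/'), $needles);
    $pattern = '/' . implode('|', $alternatives) . '/i';
    if (preg_match($pattern, $haystack, $m) === 1) {
        return $m[0];
    }
    return null;
}

// Constructed list: the characters from the post plus two keywords. Note that
// the post's list also contained '/', which occurs in every URL ("http://"),
// so as written it would have rejected every request; here the check runs on
// the query string only and '/' is left out.
$findMe = ['@', '&', '$', '"', '!', '<', '(', ')', '{', 'script', 'onload'];

// Outside a web server $_SERVER has no REQUEST_URI, so fall back to a
// constructed value. The query string is percent-decoded before the check,
// because a browser sends "<" as "%3C" and a check on the raw string would
// not see it.
$requestUri = $_SERVER['REQUEST_URI'] ?? '/test.php?name=%3Cscript%3E';
$query = rawurldecode((string) parse_url($requestUri, PHP_URL_QUERY));

$hit = first_forbidden($query, $findMe);
if ($hit !== null) {
    // Record the event and send the visitor elsewhere rather than echoing the
    // input back. The earlier advice in the thread still applies: a list like
    // this is never complete, so escaping on output remains the real protection.
    error_log("blocked request, matched '{$hit}' in query: {$query}");
    header('Location: /blocked.html', true, 302);   // assumed page
    exit;
}

var_dump(is_valid_username('tom_10'));   // true
echo 'OK';
```

For a list of single characters only, strpbrk($haystack, implode('', $chars)) does the same job without a regular expression. Keep the first_forbidden() result for logging rather than reflecting it into the response, and treat the check as a tripwire in front of, not a replacement for, htmlspecialchars() and json_encode() at the point of output.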
