Tom10 Posted February 13, 2015

Hey, I am trying to use preg_match with my website URL

```php
$url = "".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."";

if(preg_match('#([\^A-Za-z0-9\$]#', $url)) {

} else {
    die("<h1>Security error</h1>");
}
```

I want to kill the page and say "Security Error" if a client tries to inject code into the URL, but I can't get this to work.

All help is very much appreciated, thanks.

Psycho Posted February 13, 2015

So, what are you considering malicious code? I.e. what code are you wanting to allow vs code you don't want to allow?

Tom10 (Author) Posted February 13, 2015

> So, what are you considering malicious code? I.e. what code are you wanting to allow vs code you don't want to allow?

I am wanting to block out JavaScript attacks like `index.php?=<script>onload=alert(document.cookie);</script>`

It's mainly I'm wondering how to detect using preg_match if someone has entered this code or something similar.

Psycho Posted February 13, 2015

Characters like < get encoded to something like '%3C'. So, they wouldn't be caught in a preg_match check. You need to be sure to not convert them back to their native characters. But, this should work for what you described:

```php
$fullURL = $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . '';

// Escape before echoing: REQUEST_URI is client-controlled
echo "Full URL: " . htmlspecialchars($fullURL, ENT_QUOTES, 'UTF-8') . "<br>";

// Match any character outside the allowed set
if(preg_match("#[^\w\/\?\&\.\=]#", $fullURL))
{
    echo "Security error";
}
else
{
    echo "URL OK";
}
```

That regex covers:

\w = a-z, A-Z, 0-9 & _ (underscore)
/ (forward slash)
? (question mark)
& (ampersand)
. (period)
= (equals sign)

Tom10 (Author) Posted February 13, 2015

> Characters like < get encoded to something like '%3C'. So, they wouldn't be caught in a preg_match check. You need to be sure to not convert them back to their native characters. But, this should work for what you described:
>
> ```php
> $fullURL = $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . '';
>
> // Escape before echoing: REQUEST_URI is client-controlled
> echo "Full URL: " . htmlspecialchars($fullURL, ENT_QUOTES, 'UTF-8') . "<br>";
>
> // Match any character outside the allowed set
> if(preg_match("#[^\w\/\?\&\.\=]#", $fullURL))
> {
>     echo "Security error";
> }
> else
> {
>     echo "URL OK";
> }
> ```
>
> That regex covers:
>
> \w = a-z, A-Z, 0-9 & _ (underscore)
> / (forward slash)
> ? (question mark)
> & (ampersand)
> . (period)
> = (equals sign)

Worked like a charm, mate, thank you so much.

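An added example (not code from the thread) that runs the answer's allowlist over constructed sample URLs and escapes each URL with htmlspecialchars before printing it. The helper names `urlPassesAllowlist` and `h` and the `example.test` host are assumptions; the samples show that percent-encoded markup is rejected only because `%` is outside the allowlist, and that legitimate URLs containing `%20` or a hyphen are rejected as well.

```php
<?php
// Added example, not code from the thread. All sample URLs are constructed.

// The allowlist from the answer: word characters plus / ? & . =
function urlPassesAllowlist(string $url): bool
{
    // preg_match returns 1 when a character outside the set is found
    return preg_match('#[^\w/?&.=]#', $url) === 0;
}

// Escape a value for an HTML text or attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = [
    'example.test/index.php?page=2',          // ordinary request
    'example.test/index.php?q=%3Cscript%3E',  // markup as a browser encodes it
    'example.test/index.php?q=<script>',      // markup sent without encoding
    'example.test/index.php?q=hello%20world', // legitimate encoded space
    'example.test/my-page.php?id=7',          // legitimate hyphen in the path
];

foreach ($samples as $url) {
    $verdict = urlPassesAllowlist($url) ? 'URL OK' : 'Security error';
    // Escaping at output keeps the URL inert wherever it is echoed into HTML,
    // whether or not the allowlist accepted it.
    printf("%-16s %s\n", $verdict, h($url));
}
```

Only the first sample passes; the last two are false positives, which is why the escaping in `h()` rather than the URL filter is what keeps echoed input from being interpreted as markup.
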
Archived
This topic is now archived and is closed to further replies.