On 4/10/07, The Editor <[EMAIL PROTECTED]> wrote:
> I take it this means it's never safe to run a preg_replace command on
> an input field from a user? Or am I missing something... There are
> probably other places this should be checked also. No one has
> mentioned this in the past. Curious it's just now come up. I'll do
> some scouting around if I haven't misunderstood you...

Hrm... I hadn't thought about this before, but I think WRF is right, partially. While I would agree that blindly using user-supplied text is an issue, I think you're on the right track with your code. Let me explain.

You're allowing a $ in the user's text because it's possible they're using it to represent money. Not a big issue at all. The problem arises when the user enters something intended to cause intentional problems. For instance, if the user submitted a specific variable name instead of something innocuous, that variable could cause further problems if it's improperly used as a replacement.

However, I think your code (at least, the bit you posted) is safe because the only code that is re-interpreted by preg_replace is a numeric value following a dollar sign. In that instance, it's a back reference. Any other variable name is used as a replacement value directly and not interpreted.

That said, you do need to look for these things in your code. Rule #1, never, ever, under any circumstance, trust the user. Rule #2, when you have to trust the user, see rule #1.

I have no idea what level of competency you currently have with PHP code, so if you're already aware of this, ignore my comments. :) If not, I can recommend some decent reading on PHP security related concepts. :)

> Cheers,
> Dan

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com

_______________________________________________
pmwiki-devel mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
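The behaviour discussed in the thread, shown as an added example that is not code from the list or from PmWiki. PHP's preg_replace treats `$n`, `${n}` and `\n` in the replacement string as back references to capture groups, so a replacement taken from a user is reinterpreted whenever it contains one of those forms; a lone `$` followed by a non-digit (the money case) is left alone. The page text, pattern and both replacement strings below are constructed samples, and the two helper functions are hypothetical names chosen for this example.

```php
<?php
// Added example (not from the thread): how a user-supplied replacement string
// is reinterpreted by preg_replace, and two ways to use it verbatim instead.

// Constructed sample subject: a wiki page body with a capturable e-mail address.
$page    = "Contact: [email protected] (ext. 1234)";
$pattern = '/(\w+)@(\w+\.\w+)/';   // group 1 = local part, group 2 = domain

// Replacement with a dollar sign used as money: "$ " is not a back reference.
$innocent = 'price: $ 5';

// Replacement that happens to contain back-reference tokens: "$1", "${2}" and
// "\1" are all expanded by preg_replace to the captured groups.
$crafted = 'local=$1 domain=${2} again=\1';

// Unsafe: the replacement is handed straight to preg_replace, so every
// "$n" / "${n}" / "\n" inside it is expanded to captured text.
function replaceRaw(string $pattern, string $replacement, string $subject): string
{
    return preg_replace($pattern, $replacement, $subject);
}

// Hardened form A: escape the two characters preg_replace interprets
// (backslash and dollar sign) so the text is inserted literally.
function replaceEscaped(string $pattern, string $replacement, string $subject): string
{
    $literal = addcslashes($replacement, '\\$');   // "\" -> "\\", "$" -> "\$"
    return preg_replace($pattern, $literal, $subject);
}

// Hardened form B: preg_replace_callback returns the replacement from PHP
// code, so the replacement string is never parsed for back references at all.
function replaceVerbatim(string $pattern, string $replacement, string $subject): string
{
    return preg_replace_callback(
        $pattern,
        function (array $m) use ($replacement): string {
            return $replacement;   // $m (the captures) is deliberately ignored
        },
        $subject
    );
}

// Small check used when auditing existing code paths: does a replacement
// string contain any token preg_replace would expand?
function hasBackReference(string $replacement): bool
{
    return preg_match('/\$\d|\$\{\d+\}|\\\\\d/', $replacement) === 1;
}

// Walk-through of the three behaviours on both sample replacements.
foreach (['innocent' => $innocent, 'crafted' => $crafted] as $label => $r) {
    echo "== $label (back-reference tokens: " . (hasBackReference($r) ? 'yes' : 'no') . ") ==\n";
    echo "raw:      " . replaceRaw($pattern, $r, $page) . "\n";
    echo "escaped:  " . replaceEscaped($pattern, $r, $page) . "\n";
    echo "verbatim: " . replaceVerbatim($pattern, $r, $page) . "\n";
}
```

Running the script shows that the innocent replacement produces the same result in all three functions, while the crafted one only leaks captured groups through `replaceRaw`. Of the two hardened forms, the callback version is the safer default for replacement text that comes from outside the code, because it does not rely on keeping an escape list in sync with the characters preg_replace happens to interpret.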
