HigherIQ
asked on
Searching for string inside preg_replace/preg_match findings
I have on my website a forum that allows user input with bbcode style tags.
One of my issues recently has been users using CSRF on other pages on my website that aren't protected. And although I've started adding protection to each page, I feel it might be a faster immediate fix to prevent users including the string ".php" in any [img] tags, since the entire section of my website is coded in php.
I currently use the code attached below, but I am at a loss for how to ensure that ".php" does not occur within the tags. My other option is to ensure the extension of the link is a proper image extension. But again, no clue how to proceed.
Any help would be helpful :)
Thanks.
$s = preg_replace("/\[img\]([^\s'\"<>]+?)\[\/img\]/i", "<img style=\"border: none;\" src=\"\\1\" alt=\"img\" />", $s);
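Added example (editor's code, not the asker's and not the accepted solution, which is hidden on this page) of the second option the question mentions: instead of searching the whole post for ".php", only turn an [img] tag into an <img> element when its URL passes an allow-list check (http/https scheme, no query string or fragment, last path segment with an image extension). It uses preg_replace_callback with the same regex as the original line, so links elsewhere in the post are untouched. The helper names is_allowed_image_url, render_img_tags and ALLOWED_IMG_EXT and the sample post are assumptions made for the example. Note that this only stops the forum's own [img] tags from being used as the carrier; an endpoint that changes state on a GET request can still be hit from an image tag on any other site, so the per-page CSRF protection the asker has started adding is still the real fix.

```php
<?php
// Added example, not code from the original thread. Assumed names:
// ALLOWED_IMG_EXT, is_allowed_image_url(), render_img_tags().

const ALLOWED_IMG_EXT = ['png', 'jpg', 'jpeg', 'gif', 'webp'];

/**
 * True if $url is a plain http(s) URL whose last path segment has an
 * allowed image extension. Query strings and fragments are rejected,
 * because "?action=delete&id=5" is exactly how a forged GET carries
 * its parameters, and ".php" is rejected anywhere in the decoded path
 * so "/page.php/fake.png" (PATH_INFO style) does not slip through.
 */
function is_allowed_image_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['query']) || isset($parts['fragment'])) {
        return false;
    }
    // Decode before checking so percent-encoding cannot hide the extension.
    $path = rawurldecode($parts['path']);
    if ($path === '' || substr($path, -1) === '/') {
        return false;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMG_EXT, true)) {
        return false;
    }
    if (stripos($path, '.php') !== false) {
        return false;
    }
    return true;
}

/**
 * Replace [img]...[/img] with an <img> tag only when the URL is allowed.
 * A rejected tag is left in the post as escaped text, so the author can
 * see it was not rendered instead of having it silently removed.
 */
function render_img_tags(string $s): string
{
    return preg_replace_callback(
        "/\[img\]([^\s'\"<>]+?)\[\/img\]/i",
        function (array $m): string {
            $url = $m[1];
            if (!is_allowed_image_url($url)) {
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return '<img style="border: none;" src="' . $safe . '" alt="img" />';
        },
        $s
    );
}

// Constructed sample post (not taken from the forum):
$post = "Look: [img]https://example.com/pics/cat.png[/img]\n"
      . "Forged: [img]https://example.com/forum/delete.php?id=5[/img]\n"
      . "Sneaky: [img]https://example.com/forum/delete.PHP/x.png[/img]\n"
      . "A normal link to delete.php in the text is left alone.\n";
echo render_img_tags($post);
```

Only the first tag becomes an <img>; the second and third are printed back as escaped [img] text, and the ".php" in the ordinary sentence is not touched, which is the behaviour the asker needs since the rest of the post may legitimately link to .php pages.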
typo
// PHP's PCRE has no "g" modifier (it would raise "Unknown modifier 'g'" and return NULL);
// preg_replace already replaces every match.
$s = preg_replace("/\.php/i", "", $s);
ASKER
Unfortunately not, as the forum itself often references pages throughout the website with links etc.
I cannot just remove the ".php" from the whole text, as someone with an image may also have a valid link, and reason to have ".php" in the rest of the forum post.
ASKER CERTIFIED SOLUTION
ASKER
ddrudik, that is absolutely perfect. I can now view it to see how it's used as well.
Thanks a lot :)
Glad I could help.
Thanks for the question and the points.
Couldn't you just add another line to preg_replace .php with nothing?