
Searching for string inside preg_replace/preg_match findings

I have a forum on my website that allows user input with bbcode-style tags.
One of my issues recently has been users using CSRF against other pages on my website that aren't protected. Although I've started adding protection to each page, I feel it might be a faster immediate fix to prevent users from including the string ".php" in any [img] tags, since that entire section of my website is coded in PHP.

I currently use the code attached below, but I am at a loss as to how to ensure that ".php" does not occur within the tags. My other option is to ensure that the extension of the link is a proper image extension. But again, I have no clue how to proceed.

Any help would be appreciated :)
Thanks.
// Current filter: anything between [img] and [/img] that contains no whitespace, quotes
// or angle brackets is dropped straight into the src attribute, whatever it points at.
$s = preg_replace("/\[img\]([^\s'\"<>]+?)\[\/img\]/i", "<img style=\"border: none;\" src=\"\\1\" alt=\"img\" />", $s);

Asked by: HigherIQ

1 Solution
 
sh0e commented:
Does it have to be done in one line?
Couldn't you just add another line to preg_replace ".php" with nothing?

$s = preg_replace("/\.php/ig", "");
 
sh0e commented:
typo

// PCRE has no "g" modifier (preg_replace already replaces every match), so only /i is used.
$s = preg_replace("/\.php/i", "", $s);
 
HigherIQ (author) commented:
Unfortunately not, as the forum itself often references pages throughout the website with links etc.
I cannot just remove ".php" from the whole text, as someone posting an image may also have a valid link and a reason to have ".php" in the rest of the forum post.
 
ddrudik commented:

// The negative lookahead (?!\.php) is tested before every character of the tag body,
// so a body containing ".php" anywhere never matches and the tag is left as plain text.
$s = preg_replace("/\[img\]((?:(?!\.php)[^\s'\"<>])+?)\[\/img\]/i", "<img style=\"border: none;\" src=\"\\1\" alt=\"img\" />", $s);
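The accepted pattern is a denylist on one substring, and it is worth seeing what that does and does not stop. The added example below is not code from the thread: it runs ddrudik's pattern beside an allowlist version of the asker's second idea (parse the URL and render it only when it is an absolute http(s) URL whose path ends in an image extension), over a handful of constructed [img] tags. The function names, the extension list and the sample URLs are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Compares the accepted ".php" denylist with an
// allowlist on the parsed URL. Function names, extension list and sample tags are assumed.

// ddrudik's pattern as posted: the negative lookahead runs before every character of the
// tag body, so a body containing ".php" anywhere never matches and stays literal text.
function imgDenylistPhp(string $s): string
{
    return preg_replace(
        '/\[img\]((?:(?!\.php)[^\s\'"<>])+?)\[\/img\]/i',
        '<img style="border: none;" src="$1" alt="img" />',
        $s
    );
}

// Allowlist version (assumed design): parse the URL, require http(s) plus a host and a
// path, refuse query strings, fragments and credentials, percent-decode the path so that
// "delete.ph%70" is judged as "delete.php", and accept only known image extensions.
// Anything else is left as the literal [img] tag. The URL is escaped before it is placed
// in the attribute.
function imgAllowlist(string $s): string
{
    $allowedExt = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
    return preg_replace_callback(
        '/\[img\]([^\s\'"<>]+?)\[\/img\]/i',
        function (array $m) use ($allowedExt): string {
            $url   = $m[1];
            $parts = parse_url($url);
            if ($parts === false
                || !isset($parts['scheme'], $parts['host'], $parts['path'])
                || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
                || isset($parts['query']) || isset($parts['fragment'])
                || isset($parts['user']) || isset($parts['pass'])) {
                return $m[0];
            }
            $path = rawurldecode($parts['path']);
            $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
            if (!in_array($ext, $allowedExt, true)) {
                return $m[0];
            }
            $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return '<img style="border: none;" src="' . $safe . '" alt="img" />';
        },
        $s
    );
}

// Constructed sample tags (not taken from the thread). Returns, per URL, whether each
// filter turned the tag into an <img> element (true) or left it as text (false).
function compareFilters(): array
{
    $urls = [
        'http://example.com/pics/cat.png',             // a legitimate image
        'http://example.com/admin/delete.php?id=5',    // the request the asker wants to stop
        'http://example.com/admin/delete.ph%70?id=5',  // same target, "p" percent-encoded
        'http://example.com/admin/remove/5',           // an action page behind a rewritten URL
    ];
    $result = [];
    foreach ($urls as $url) {
        $tag = '[img]' . $url . '[/img]';
        $result[$url] = [
            'denylist'  => imgDenylistPhp($tag) !== $tag,
            'allowlist' => imgAllowlist($tag) !== $tag,
        ];
    }
    return $result;
}

foreach (compareFilters() as $url => $r) {
    printf("%-45s denylist: %-8s allowlist: %s\n", $url,
        $r['denylist'] ? 'rendered' : 'blocked',
        $r['allowlist'] ? 'rendered' : 'blocked');
}
```

Run as written, the denylist renders the percent-encoded URL and the extensionless one, because neither contains the literal ".php", while the allowlist refuses both and accepts only cat.png. Two caveats remain even with the allowlist: a path-info style URL such as /delete.php/cat.png keeps an image extension and would pass, and once the tag is rendered the viewer's browser sends a GET with their cookies to whatever the URL resolves to, including a redirect from an image-looking URL to an action page. Filtering the tag therefore reduces the obvious cases only; the per-page CSRF protection the asker has already started adding is the actual fix.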
 
HigherIQ (author) commented:
ddrudik, that is absolutely perfect. I can now view it to see how it's used as well.

Thanks a lot :)
 
ddrudik commented:
Glad I could help.
 
ddrudik commented:
Thanks for the question and the points.
