Solved

Sanitizing user input to preg_replace / preg_replace_callback

Posted on 2008-10-27
3
381 Views
Last Modified: 2012-05-05
preg_replace with /e modifier and preg_replace_callback with a callback from create_function input allow function calls well outside of what one would expect to be allowed for string replacement functions, such as unlink() system() etc.  Is there any good way of sanitizing this replacement pattern user input (disallowing non-string functions for example)?

I suspect the answer is no but I thought I would ask.
0
Comment
Question by:ddrudik
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 22821351
Wow, honestly - I would NEVER go there with user input.  You would just be playing whack-a-mole, trying to smack down issue after issue.

Instead, you might want to consider using some pre-named and pre-canned callbacks.

My $0.02, ~Ray
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 22822842
@ddrudik: Good luck with your project, and thanks for the points! ~Ray
0
 
LVL 27

Author Comment

by:ddrudik
ID: 22822914
I decided it best not to accept preg_replace/e or preg_replace_callback user-supplied patterns.  Thanks.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to create an extensible mechanism for linked drop downs.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question