Solved

Sanitizing user input to preg_replace / preg_replace_callback

Posted on 2008-10-27
Last Modified: 2012-05-05
preg_replace with the /e modifier, and preg_replace_callback with a callback built by create_function() from user input, allow function calls well outside of what one would expect to be allowed for string replacement functions, such as unlink(), system(), etc. Is there any good way of sanitizing this replacement-pattern user input (disallowing non-string functions, for example)?

I suspect the answer is no but I thought I would ask.
Question by: ddrudik

Accepted Solution by: Ray Paseur (earned 500 total points), ID: 22821351

Wow, honestly - I would NEVER go there with user input.  You would just be playing whack-a-mole, trying to smack down issue after issue.

Instead, you might want to consider using some pre-named and pre-canned callbacks.

My $0.02, ~Ray
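The "pre-named and pre-canned callbacks" approach Ray describes, as an added PHP example (not code from the original thread): the user picks a callback by name from a fixed whitelist and supplies only a pattern, which is validated before it reaches preg_replace_callback(). The callback names, the validateUserPattern() and applyUserReplacement() helpers and the sample subject string are illustrative assumptions. The /e modifier and create_function() were removed in PHP 7.0 and PHP 8.0 respectively, so the unsafe variants are shown only as commented-out lines.

```php
<?php
// Added example, not from the original thread. Names below are assumptions.

// Constructed sample subject string.
$subject = 'Order #42 shipped to alice@example.com';

// UNSAFE (historical PHP < 7.0 / < 8.0): the replacement or callback body is
// evaluated as PHP code, so whoever controls it can call unlink(), system(), etc.
//   $out = preg_replace('/(\d+)/e', $userReplacement, $subject);
//   $out = preg_replace_callback($userPattern, create_function('$m', $userCode), $subject);

// SAFE: a fixed set of named, pre-written callbacks. User input can only
// choose one of these by name; no user-controlled string is ever executed.
$callbacks = [
    'upper'  => function (array $m): string { return strtoupper($m[0]); },
    'redact' => function (array $m): string { return str_repeat('*', strlen($m[0])); },
    'wrap'   => function (array $m): string { return '[' . $m[0] . ']'; },
];

/**
 * Validate a user-supplied pattern before it reaches preg_*.
 * Requires "/" delimiters, allows only the listed modifiers (so "e" can never
 * appear, even on old PHP), and checks that the pattern actually compiles.
 */
function validateUserPattern(string $pattern): bool
{
    if (!preg_match('#^/.*/[imsux]*$#s', $pattern)) {
        return false;
    }
    // preg_match() returns false (not 0) when the pattern fails to compile.
    return @preg_match($pattern, '') !== false;
}

/**
 * Apply a whitelisted callback to every match of a validated user pattern.
 * Throws instead of returning NULL so a PCRE failure (e.g. a pattern that
 * exhausts pcre.backtrack_limit) cannot be mistaken for "nothing matched".
 */
function applyUserReplacement(string $subject, string $pattern, string $callbackName, array $callbacks): string
{
    if (!isset($callbacks[$callbackName])) {
        throw new InvalidArgumentException("Unknown callback: $callbackName");
    }
    if (!validateUserPattern($pattern)) {
        throw new InvalidArgumentException('Invalid or disallowed pattern');
    }
    $out = preg_replace_callback($pattern, $callbacks[$callbackName], $subject);
    if ($out === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $out;
}

// Usage with constructed "user" inputs.
echo applyUserReplacement($subject, '/\d+/', 'wrap', $callbacks), "\n";
echo applyUserReplacement($subject, '/\S+@\S+/', 'redact', $callbacks), "\n";

try {
    // Old-style /e pattern: rejected before any PCRE call is made.
    applyUserReplacement($subject, '/(\d+)/e', 'upper', $callbacks);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Even with execution ruled out, a user-supplied pattern is still untrusted input to the regex engine: keep pcre.backtrack_limit and pcre.recursion_limit at conservative values and treat a NULL result from preg_replace_callback() as an error, as above, rather than as an empty match.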
Expert Comment by: Ray Paseur, ID: 22822842
@ddrudik: Good luck with your project, and thanks for the points! ~Ray
Author Comment by: ddrudik, ID: 22822914
I decided it best not to accept preg_replace/e or preg_replace_callback user-supplied patterns.  Thanks.