• Status: Solved
  • Priority: Medium
  • Security: Public

Sanitizing user input to preg_replace / preg_replace_callback

preg_replace with the /e modifier and preg_replace_callback with a callback built from create_function input allow function calls well outside of what one would expect to be allowed for string replacement functions, such as unlink(), system(), etc. Is there any good way of sanitizing this replacement pattern user input (disallowing non-string functions, for example)?

I suspect the answer is no but I thought I would ask.
Asked by: ddrudik
1 Solution
Ray Paseur commented:
Wow, honestly, I would NEVER go there with user input. You would just be playing whack-a-mole, trying to smack down issue after issue.

Instead, you might want to consider using some pre-named and pre-canned callbacks.

My $0.02, ~Ray
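One way to apply the "pre-named, pre-canned callbacks" approach from the answer above, as an added example that is not code from the thread: the user selects a transformation by key from a fixed allowlist and supplies only a literal search string, so neither the pattern, its modifiers, nor any code ever comes from the request. The function and key names are assumptions for illustration; the /e modifier was removed in PHP 7.0 and create_function in PHP 8.0, so this also works on current PHP where those no longer exist.

```php
<?php
// Added example, not from the original thread. Hypothetical names throughout.
declare(strict_types=1);

// Allowlist of pre-canned callbacks keyed by a short name. Each callback only
// receives the match array and returns a string; no user-supplied code runs.
$replacers = [
    'upper'   => fn(array $m): string => strtoupper($m[0]),
    'lower'   => fn(array $m): string => strtolower($m[0]),
    'mask'    => fn(array $m): string => str_repeat('*', strlen($m[0])),
    'htmlesc' => fn(array $m): string => htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8'),
];

/**
 * Replace every occurrence of a literal needle using a transformation chosen
 * by name. The regex delimiter and modifiers are fixed here; the needle is
 * escaped with preg_quote so it cannot change the pattern or add modifiers.
 */
function safe_replace(string $subject, string $needle, string $action, array $replacers): string
{
    if ($needle === '') {
        throw new InvalidArgumentException('Empty search string');
    }
    if (!array_key_exists($action, $replacers)) {
        // Unknown key: refuse rather than fall back to anything dynamic.
        throw new InvalidArgumentException("Unknown action: {$action}");
    }
    $pattern = '/' . preg_quote($needle, '/') . '/u';
    $result  = preg_replace_callback($pattern, $replacers[$action], $subject);
    if ($result === null) {
        // PCRE error (e.g. invalid UTF-8 in the subject); surface it instead of
        // silently returning the original text.
        throw new RuntimeException('Replacement failed: ' . preg_last_error_msg());
    }
    return $result;
}

// Constructed sample request values standing in for $_POST input.
$subject = 'Card 4111-1111-1111-1111 on file for bob@example.com';
$needle  = '1111';      // literal text; "(.*)/e" here would just be escaped
$action  = 'mask';      // one of the allowlist keys, never code

echo safe_replace($subject, $needle, $action, $replacers), PHP_EOL;
// Card 4111-****-****-**** on file for bob@example.com

try {
    safe_replace($subject, $needle, 'system("id")', $replacers);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```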
Ray Paseur commented:
@ddrudik: Good luck with your project, and thanks for the points! ~Ray

ddrudik (Author) commented:
I decided it best not to accept preg_replace/e or preg_replace_callback user-supplied patterns. Thanks.