[pmwiki-devel] $12.50 -> .50 var problem

Jason Frisvold xenophage0 at gmail.com
Tue Apr 10 15:32:02 CDT 2007


On 4/10/07, The Editor <editor at fast.st> wrote:
> I take it this means it's never safe to run a preg_replace command on
> an input field from a user?  Or am I missing something...  There are
> probably other places this should be checked also.  No one has
> mentioned this in the past.  Curious it's just now come up.  I'll do
> some scouting around if I haven't misunderstood you...

Hrm...  I hadn't thought about this before, but I think WRF is right,
partially.  While I would agree that blindly using user-supplied text
is an issue, I think you're on the right track with your code.

Let me explain.  You're allowing a $ in the user's text because it's
possible they're using it to represent money.  Not a big issue at all.
The problem arises when the user enters something intended to cause
intentional problems.  For instance, if the user submitted a specific
variable name instead of something innocuous, that variable could
cause further problems if it's improperly used as a replacement.

However, I think your code (at least, the bit you posted) is safe
because the only code that is re-interpreted by preg_replace is a
numeric value following a dollar sign.  In that instance, it's a back
reference.  Any other variable name is used as a replacement value
directly and not interpreted.

That said, you do need to look for these things in your code.

Rule #1, never, ever, under any circumstance, trust the user.
Rule #2, when you have to trust the user, see rule #1.

I have no idea what level of competency you currently have with PHP
code, so if you're already aware of this, ignore my comments.  :)  If
not, I can recommend some decent reading on PHP security related
concepts.  :)

> Cheers,
> Dan

-- 
Jason 'XenoPhage' Frisvold
XenoPhage0 at gmail.com
http://blog.godshell.com
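An added example, not code from this thread or from PmWiki, that reproduces the back-reference behaviour discussed above and shows two ways to insert user text literally; the template, the `{amount}` placeholder and the "$12.50" input are constructed for the example.

```php
<?php
// Constructed sample: a template with a placeholder, and user input
// that happens to contain a dollar amount.
$template = 'Price: {amount}';
$userText = '$12.50';

// Unsafe: the user's text is passed straight in as the replacement string.
// preg_replace reads "$12" as a reference to capture group 12; the pattern
// has no such group, so it expands to "" and only ".50" survives.
function replaceUnsafe(string $template, string $userText): string {
    return preg_replace('/\{amount\}/', $userText, $template);
}
// replaceUnsafe($template, $userText) === 'Price: .50'

// Safe option 1: escape "\" and "$" in the replacement so preg_replace
// copies them literally. Backslashes must be doubled first, otherwise the
// backslash added in front of "$" would itself be doubled.
function escapeReplacement(string $s): string {
    return str_replace(['\\', '$'], ['\\\\', '\$'], $s);
}
function replaceEscaped(string $template, string $userText): string {
    return preg_replace('/\{amount\}/', escapeReplacement($userText), $template);
}
// replaceEscaped($template, $userText) === 'Price: $12.50'

// Safe option 2: use preg_replace_callback. The string returned by the
// callback is inserted as-is and never re-parsed for back references,
// so no escaping is needed.
function replaceCallback(string $template, string $userText): string {
    return preg_replace_callback(
        '/\{amount\}/',
        function (array $m) use ($userText): string { return $userText; },
        $template
    );
}
// replaceCallback($template, $userText) === 'Price: $12.50'

echo replaceUnsafe($template, $userText), "\n";   // Price: .50
echo replaceEscaped($template, $userText), "\n";  // Price: $12.50
echo replaceCallback($template, $userText), "\n"; // Price: $12.50
```

When the placeholder is a fixed string rather than a pattern, plain str_replace() avoids the issue entirely, since it never interprets its replacement argument.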
