[pmwiki-devel] $12.50 -> .50 var problem
Jason Frisvold
xenophage0 at gmail.com
Tue Apr 10 15:32:02 CDT 2007
On 4/10/07, The Editor <editor at fast.st> wrote:
> I take it this means it's never safe to run a preg_replace command on
> an input field from a user? Or am I missing something... There are
> probably other places this should be checked also. No one has
> mentioned this in the past. Curious it's just now come up. I'll do
> some scouting around if I haven't misunderstood you...
Hrm... I hadn't thought about this before, but I think WRF is right,
partially. While I would agree that blindly using user-supplied text
is an issue, I think you're on the right track with your code.
Let me explain. You're allowing a $ in the user's text because it's
possible they're using it to represent money. Not a big issue at all.
The problem arises when the user enters something intended to cause
intentional problems. For instance, if the user submitted a specific
variable name instead of something innocuous, that variable could
cause further problems if it's improperly used as a replacement.
However, I think your code (at least, the bit you posted) is safe
because the only code that is re-interpreted by preg_replace is a
numeric value following a dollar sign. In that instance, it's a back
reference. Any other variable name is used as a replacement value
directly and not interpreted.
That said, you do need to look for these things in your code.
Rule #1, never, ever, under any circumstance, trust the user.
Rule #2, when you have to trust the user, see rule #1.
I have no idea what level of competency you currently have with PHP
code, so if you're already aware of this, ignore my comments. :) If
not, I can recommend some decent reading on PHP security related
concepts. :)
> Cheers,
> Dan
--
Jason 'XenoPhage' Frisvold
XenoPhage0 at gmail.com
http://blog.godshell.com
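The back-reference behaviour discussed in this thread, shown as an added example (not code from the thread or from PmWiki): the template, placeholder name and helper function are assumptions, and the user text is constructed.

```php
<?php
// Constructed user input containing a dollar amount.
$userText = 'Lunch cost $12.50 today';

// Hypothetical template whose {amount} placeholder is filled with user text.
$template = 'Note: {amount}';

// Unsafe: preg_replace interprets the replacement string. "$12" is read as
// a back reference to capture group 12; that group does not exist, so it
// expands to an empty string and only ".50" survives.
$unsafe = preg_replace('/\{amount\}/', $userText, $template);
// $unsafe === 'Note: Lunch cost .50 today'

// Fix 1: escape backslash and dollar in user text so preg_replace copies
// them literally (\$ and \\ are the escapes preg_replace understands).
function literalReplacement(string $text): string
{
    return addcslashes($text, '\\$');
}

$safe1 = preg_replace('/\{amount\}/', literalReplacement($userText), $template);
// $safe1 === 'Note: Lunch cost $12.50 today'

// Fix 2: use preg_replace_callback; the callback's return value is inserted
// verbatim, with no back-reference processing at all.
$safe2 = preg_replace_callback(
    '/\{amount\}/',
    function (array $m) use ($userText): string {
        return $userText;
    },
    $template
);
// $safe2 === 'Note: Lunch cost $12.50 today'
```

Either fix also neutralises "\\1"-style references, which preg_replace treats the same way as "$1".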