
Checking input against a number of different regexs...?

Posted: Tue Dec 30, 2008 8:07 am
by Wolf_22
I have some input that I wish to filter against a number of keywords and phrases in order to increase security against bad guys. For example, if someone accesses my login page, I would have that input first be checked against the word "select", and then maybe something like the equals sign or the string "<?php", etc. Before I continue, though, is this a good idea? With the exception of losing that one or two users who might use a username with the word "select" in it or whatever, I thought that the security gained would be better than the loss. What are some other strings I might check for if this is a good idea?

As for the actual scanning / filtering process, though, are there any PHP functions that can help me do this without having to make multiple preg_match_all()s within OR statements?

This is an example of where I'm heading:

    if (substr($form_username, 0, 6) == 'select' || substr($form_password, 0, 6) == 'select') {
        $bad_ip = getenv("REMOTE_ADDR");   // remember who sent the request
        header('Location: index.php');
        exit;                              // stop the script after the redirect
    }
As you can see above, I would like to possibly use something like an array for my keywords (or even a separate text document) that can be progressively scanned all the way through; this way I might only have two conditions (one for the username and one for the password, both of which would be checked against the keyword source variable or document for certain phrases and/or keywords). If there are any functions that can cycle through a given array in the fashion I speak of, what are they?

I would appreciate any feedback or thoughts on this as I am trying to learn more about PHP security.
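Added example, not code from the original thread or from either poster. Part (a) answers the mechanical question: a single loop over an array of patterns (built from literal keywords with preg_quote(), so "<?php" and "=" are matched literally and case-insensitively, unlike the substr() check above, which only looks at the first six characters and is case-sensitive) instead of a chain of || conditions. Part (b) is the caveat a practitioner would want before adopting a blacklist: an input that avoids every listed keyword still breaks a string-built login query, while a parameterised query rejects the same input without any keyword list at all. The table, user account, keyword list and probe inputs are constructed for the demo; it assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the original thread. Part (a): one loop over an
// array of patterns instead of a chain of || conditions. Part (b): a keyword
// blacklist is easy to step around, while a parameterised login query makes
// the keywords irrelevant. Assumes PHP 7.4+ with the pdo_sqlite extension;
// the table, user and inputs below are constructed for the demo.

// (a) Return the first blacklisted pattern that matches, or null.
function firstBlacklistHit(string $input, array $patterns): ?string
{
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $input) === 1) {
            return $pattern;   // worth logging together with REMOTE_ADDR
        }
    }
    return null;
}

// Build case-insensitive patterns from literal keywords; preg_quote() keeps
// characters such as '?' and '=' from being read as regex syntax.
function keywordPatterns(array $keywords): array
{
    return array_map(fn(string $k) => '/' . preg_quote($k, '/') . '/i', $keywords);
}

// (b) Vulnerable on purpose: both fields interpolated into the SQL text, which
// is the situation a keyword blacklist is meant to protect.
function loginConcatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND pwhash = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Safe form: the username travels as a bound parameter, never as SQL text, and
// the password is checked against its hash in PHP.
function loginPrepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// Throwaway in-memory database with a single constructed user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
$ins->execute(['wolf_22', password_hash('hunter2', PASSWORD_DEFAULT)]);

// Illustrative blacklist, taken from the keywords discussed in the post.
$patterns = keywordPatterns(['select', 'union', '<?php', '=']);

$probes = [
    "' OR 1=1 --",   // classic payload: the blacklist does catch the '='
    "' OR 1 --",     // same effect on the query, nothing on the list
    'select_fan',    // harmless username that the blacklist rejects
    'wolf_22',       // the real user, but with the wrong password below
];

foreach ($probes as $user) {
    $hit  = firstBlacklistHit($user, $patterns) ?? '(none)';
    $weak = loginConcatenated($db, $user, 'wrong-password') ? 'logged in' : 'rejected';
    $safe = loginPrepared($db, $user, 'wrong-password') ? 'logged in' : 'rejected';
    printf("%-14s blacklist=%-8s concatenated=%-9s prepared=%s\n", $user, $hit, $weak, $safe);
}

// Only the real user with the real password gets through the prepared version.
var_dump(loginPrepared($db, 'wolf_22', 'hunter2'));
```

Run it with `php example.php`. The second probe, `' OR 1 --`, passes the blacklist untouched yet logs in through loginConcatenated() with a wrong password, because the comment marker removes the password clause from the SQL; the same input is simply a non-existent username to loginPrepared(). The third probe shows the other side of the trade-off the post mentions: a perfectly ordinary username is refused. Logging the matching pattern and remote address is still reasonable as a tripwire, but the query shape, not the keyword list, is what decides whether the login is exploitable.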

Re: Checking input against a number of different regexs...?

Posted: Wed Dec 31, 2008 7:00 am
by prometheuzz
Devnetwork has a special security forum and a regex forum. I'd start by asking in the security forum.

Re: Checking input against a number of different regexs...?

Posted: Wed Dec 31, 2008 7:58 am
by Wolf_22
I'll do that.
Thanks.