Regex and using an array as pattern?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Wolf_22
Forum Contributor
Posts: 159
Joined: Fri Dec 26, 2008 9:43 pm

Post by Wolf_22 »

I have some input that I wish to filter against a number of keywords and phrases in order to increase security against bad guys. For example, if someone accesses my login page, I would have that input first be checked against the word "select", and then maybe something like the equals sign or the string "<?php", etc. Before I continue, though, is this even a good idea? With the exception of losing the one or two users who might use a username with the word "select" in it or whatever, I thought that the added security gained would outweigh the loss. What are some other strings I might check for, if this is a good idea?

As for the actual scanning / filtering process, though, are there any PHP functions that can help me do this without having to make multiple preg_match_all()s within OR statements?

This is an example of where I'm heading:

Code:

if (substr($form_username, 0, 6) == 'select' || substr($form_password, 0, 6) == 'select' /* || ... */) {
    $bad_ip = getenv("REMOTE_ADDR"); // log ip and do some things with it...
    header('Location: index.php');   // if bad guy...
    exit;                            // without this the rest of the script still runs after the redirect header
    // ...
}
 
As you can see above, I would like to possibly use something like an array for my keywords (or even a separate text document) that can be progressively scanned all the way through, using each term within that document as a pattern for the regex. This way I might only have 2 conditions (one for the username and one for the password, both of which would be checked against the keyword source variable or document for certain phrases and/or keywords). If there are any functions that can cycle through a given array in the fashion I speak of, what are they? I'm assuming I'll have to use a foreach statement in the process, right?

I would appreciate any feedback or thoughts on this, as I am trying to learn more about PHP security. I was advised to post this question in this forum, as previously I posted it within the general PHP section by accident.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Regex and using an array as pattern?

Post by kaisellgren »

list.txt
badword
badword2
badword3

Code:

<?php

// One keyword per line. FILE_IGNORE_NEW_LINES drops the trailing "\n" (without
// it the needle is "badword\n" and never matches a normal username);
// FILE_SKIP_EMPTY_LINES drops blank lines, since an empty needle matches everything.
$array_of_bad_words = file('list.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

$username = isset($_POST['username']) ? $_POST['username'] : '';

foreach ($array_of_bad_words as $badword)
{
    // stripos() is a case-insensitive substring search: "Select" and "selector" both match.
    if (stripos($username, $badword) !== false)
        echo "Bad word $badword found.";
}

?>
That's the answer to your question about using arrays and loading from a file.

However, I do not recommend this at all. Using 'select' in a password/username does not mean he is a bad person or a cracker. What you should do is properly escape the data.

Code:

<?php

// Escaping needs a live connection: the escape function follows the connection's
// character set, so connect and set the charset before escaping anything.
// (Placeholder host/credentials. ext/mysql's mysql_real_escape_string() was
// removed in PHP 7; mysqli_real_escape_string() is the replacement.)
$link = mysqli_connect('localhost', 'dbuser', 'dbpass', 'mydb');
mysqli_set_charset($link, 'utf8mb4');

$username = mysqli_real_escape_string($link, $_POST['username']);
$password = mysqli_real_escape_string($link, $_POST['password']);
mysqli_query($link, "INSERT INTO `users` (`username`,`password`) VALUES ('$username','$password');");

?>
The above code will allow users to enter any text for their usernames/passwords as long as they are not too long for your database fields. Yet you have no security holes.
Wolf_22
Forum Contributor
Posts: 159
Joined: Fri Dec 26, 2008 9:43 pm

Re: Regex and using an array as pattern?

Post by Wolf_22 »

Are there ways for someone to escape the input from the form input and THEN use the word "SELECT", etc., ?

...I mean BEFORE the submit of the value from the input...? Will the escape function even take care of that?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Regex and using an array as pattern?

Post by kaisellgren »

Wolf_22 wrote: Are there ways for someone to escape the input from the form input and THEN use the word "SELECT", etc., ?

...I mean BEFORE the submit of the value from the input...? Will the escape function even take care of that?
If you look closer at the code I provided:

Code:

('$username','$password');
The variables are enclosed within single quotes. So if the username is SELECT, then it becomes ('SELECT',... and so on. If the username contains single quotes, the escape function escapes the single quotes so it becomes \'.

Yes it is safe.
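The following is an added example, not code from either poster, that runs the two ideas in this thread side by side: the keyword blocklist loop from the first reply (including the trailing-newline pitfall of reading the list from a file) and the single-quoted, escaped literal explained in the second reply, next to a parameterized query. Python and sqlite3 stand in for PHP and MySQL; SQLite escapes a quote by doubling it where mysql_real_escape_string() produces \', but the effect on the literal is the same. The list contents, the users table and the inputs are constructed sample data.

```python
"""
Added example (not from the thread): keyword blocklist vs. proper quoting vs.
parameterized query. Python/sqlite3 stands in for PHP/MySQL; all data is constructed.
"""
import sqlite3

# Constructed stand-in for the thread's list.txt. Each line still carries its "\n",
# exactly what PHP's file() returns unless FILE_IGNORE_NEW_LINES is set.
LIST_TXT = "select\n<?php\n\n"
RAW_LINES = LIST_TXT.splitlines(keepends=True)   # ["select\n", "<?php\n", "\n"]


def load_badwords(raw_lines):
    """Strip line terminators and drop blank lines (an empty needle matches everything)."""
    return [line.strip() for line in raw_lines if line.strip()]


def contains_badword_naive(value, raw_lines):
    """The loop as posted: the needle is "select\\n", so it never fires on real input."""
    lowered = value.lower()
    return any(line.lower() in lowered for line in raw_lines)


def contains_badword(value, badwords):
    """Case-insensitive substring match, like stripos() in the thread."""
    lowered = value.lower()
    return any(word.lower() in lowered for word in badwords)


LOGIN_SQL = "SELECT id FROM users WHERE username = '%s' AND password = '%s'"


def sql_quote(value):
    """Escape for a single-quoted literal. SQLite/standard SQL doubles the quote;
    mysql_real_escape_string() emits \\' instead. Either way the quote can no
    longer terminate the literal, which is the whole point of the second reply."""
    return value.replace("'", "''")


def build_query(username, password, escape):
    """Interpolate into single quotes, with or without escaping (the thread's pattern)."""
    if escape:
        username, password = sql_quote(username), sql_quote(password)
    return LOGIN_SQL % (username, password)


def make_db():
    """In-memory users table with constructed rows. Passwords are plaintext only to
    mirror the thread's INSERT; real code stores a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "hunter2"), ("selector", "pw")])
    return conn


def login_interpolated(conn, username, password, escape):
    """Matched user id, or None."""
    row = conn.execute(build_query(username, password, escape)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Placeholders: the driver sends values separately from the SQL, nothing to escape."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    badwords = load_badwords(RAW_LINES)
    conn = make_db()
    attacker = "alice' --"  # contains neither "select" nor "<?php": the blocklist is blind to it
    print(contains_badword(attacker, badwords))                       # False
    print(login_interpolated(conn, attacker, "wrong", escape=False))  # 1: logged in as alice
    print(login_interpolated(conn, attacker, "wrong", escape=True))   # None
    print(login_parameterized(conn, attacker, "wrong"))               # None
    print(contains_badword("selector", badwords))                     # True: a legitimate user is rejected
    print(login_parameterized(conn, "selector", "pw"))                # 2
```

The two results worth noticing: an input with no blocklisted word still subverts the unescaped query, while a harmless username like "selector" trips the filter; and once the quote is escaped (or the value is bound as a parameter) the same input is just a string that matches no row.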