Regex and using an array as pattern?
Posted: Wed Dec 31, 2008 8:05 am
I have some input that I wish to filter against a number of keywords and phrases in order to increase security against bad guys. For example, if someone accesses my login page, I would have that input first be checked against the word "select", and then maybe something like the equals sign or the string "<?php", etc. Before I continue, though, is this even a good idea? With the exception of losing that one or two users who might use a username with the word "select" in it or whatever, I thought that the added security gained would be better than the loss. What are some other strings I might check for if this is a good idea?
As for the actual scanning / filtering process, though, are there any PHP functions that can help me do this without having to make multiple preg_match_all()s within OR statements?
This is an example of where I'm heading:
As you can see above, I would like to possibly use something like an array for my keywords (or even a separate text document) that can be progressively scanned all the way through using each term within that document as a pattern for the regex. This way I might only have 2 conditions (one for the username, and one for the password; both of which would be checked against the keyword source variable or document for certain phrases and/or keywords). If there are any functions that can cycle through a given array in the fashion I speak of, what are they? I'm assuming I'll have to use a FOR EACH statement in the process, right?
I would appreciate any feedback or thoughts on this as I am trying to learn more about PHP security. I was advised to post this question in this forum as previously, I posted it within the general PHP section by accident.
Code:
if (substr($form_username, 0, 6) == 'select' || substr($form_password, 0, 6) == 'select' || ...) {
    $bad_ip = getenv("REMOTE_ADDR"); // log ip and do some things with it...
    header('Location: index.php'); // if bad guy...
    ...
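One way to drive the check from an array, as an added example that is not part of the original post: the keywords are escaped with preg_quote() and joined into a single pattern, and the user lookup itself uses a PDO bound parameter. The function names, the in-memory SQLite table and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example; keyword list, table and sample inputs are constructed.

// Build one case-insensitive pattern from an array of literal keywords.
// preg_quote() escapes regex metacharacters such as the "?" in "<?php".
function build_keyword_pattern(array $keywords): string
{
    $escaped = array_map(function ($k) { return preg_quote($k, '/'); }, $keywords);
    return '/(' . implode('|', $escaped) . ')/i';
}

// Return the first keyword found in $input, or null when nothing matches.
function find_keyword(string $pattern, string $input): ?string
{
    return preg_match($pattern, $input, $m) === 1 ? $m[1] : null;
}

// Look the user up with a bound parameter, so the input is never parsed as SQL.
function user_exists(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$db->exec("INSERT INTO users VALUES ('alice'), ('selectman42')");

// Keywords taken from the post; the array could also be loaded with file().
$pattern = build_keyword_pattern(['select', '=', '<?php']);

foreach (['alice', 'selectman42', "x' OR '1'='1"] as $input) {
    $hit = find_keyword($pattern, $input);
    printf("%-14s keyword=%-8s exists=%s\n",
        $input, $hit ?? 'none', user_exists($db, $input) ? 'yes' : 'no');
}
```

The constructed account selectman42 is flagged by the keyword check even though it is a legitimate user, while the quoted input matches no row because it is bound as data rather than parsed as SQL.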