Regex and using an array as pattern?

Posted: Wed Dec 31, 2008 8:05 am
by Wolf_22
I have some input that I wish to filter against a number of keywords and phrases in order to increase security against bad guys. For example, if someone accesses my login page, I would have that input first be checked against the word "select", and then maybe something like the equals sign or the string "<?php", etc. Before I continue, though, is this even a good idea? With the exception of losing that one or two users who might use a username with the word "select" in it or whatever, I thought that the added security gained would be better than the loss. What are some other strings I might check for if this is a good idea?

As for the actual scanning / filtering process, though, are there any PHP functions that can help me do this without having to make multiple preg_match_all()s within OR statements?

This is an example of where I'm heading:

Code:

if(substr($form_username,0,6) == 'select' || substr($form_password,0,6) == 'select' || ...){
    $bad_ip = getenv("REMOTE_ADDR");//log ip and do some things with it...
    header('Location: index.php');//if bad guy...
    ...
 
As you can see above, I would like to possibly use something like an array for my keywords (or even a separate text document) that can be progressively scanned all the way through, using each term within that document as a pattern for the regex. This way I might only have 2 conditions (one for the username and one for the password, both of which would be checked against the keyword source variable or document for certain phrases and/or keywords). If there are any functions that can cycle through a given array in the fashion I speak of, what are they? I'm assuming I'll have to use a FOR EACH statement in the process, right?

I would appreciate any feedback or thoughts on this as I am trying to learn more about PHP security. I was advised to post this question in this forum, as previously I posted it in the general PHP section by accident.

Re: Regex and using an array as pattern?

Posted: Wed Dec 31, 2008 8:28 am
by kaisellgren
list.txt
badword
badword2
badword3

Code:

<?php

// Username as submitted by the form (the original assumed it was already set).
$username = isset($_POST['username']) ? $_POST['username'] : '';

// One keyword per line. FILE_IGNORE_NEW_LINES strips the trailing newline from
// each entry; without it "badword\n" would never match an ordinary username.
$array_of_bad_words = file('list.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($array_of_bad_words as $badword)
{
    // Case-insensitive substring search; stripos() returns 0 for a match at
    // position 0, so the result must be compared against false explicitly.
    if (stripos($username, $badword) !== false)
        echo "Bad word $badword found.";
}

?>
That's the answer to your question about using arrays and loading from a file.

However, I do not recommend this at all. Using 'select' in a password/username does not mean he is a bad person or a cracker. What you should do is properly escape the data.

Code:

<?php

// mysql_real_escape_string() needs an open connection (it escapes according to
// the connection's character set); host and credentials here are placeholders.
// Note: the mysql_* extension was removed in PHP 7; mysqli provides equivalents.
$link = mysql_connect('DB_HOST', 'DB_USER', 'DB_PASSWORD');
mysql_select_db('DB_NAME', $link);

$username = mysql_real_escape_string($_POST['username'], $link);
$password = mysql_real_escape_string($_POST['password'], $link);
// The escaped values must sit inside single quotes in the query text.
mysql_query("INSERT INTO `users` (`username`,`password`) VALUES ('$username','$password');", $link);

?>
The above code will allow users to enter any text for their usernames/passwords as long as they are not too long for your database fields. Yet you have no security holes.

Re: Regex and using an array as pattern?

Posted: Wed Dec 31, 2008 8:58 am
by Wolf_22
Are there ways for someone to escape the form input and THEN use the word "SELECT", etc.?

...I mean BEFORE the value from the input is submitted...? Will the escape function even take care of that?

Re: Regex and using an array as pattern?

Posted: Wed Dec 31, 2008 9:12 am
by kaisellgren
Wolf_22 wrote: Are there ways for someone to escape the form input and THEN use the word "SELECT", etc.?

...I mean BEFORE the value from the input is submitted...? Will the escape function even take care of that?
If you look closer at the code I provided:

Code:

('$username','$password');
The variables are enclosed within single quotes. So if the username is SELECT, then it becomes ('SELECT',... and so on. If the username contains single quotes, the escape function escapes the single quotes so it becomes \'.

Yes it is safe.
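An added example (not code from this thread or either poster) that puts the two replies side by side: the keyword scan from the first reply, loaded from a file the way kaisellgren described, and the "value inside quotes" point from the second reply, generalized to a parameterized query, which is what escaping inside quotes is approximating. It uses an in-memory SQLite database through PDO so it runs offline; the table layout, the sample keyword list and the sample usernames are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension.

// Constructed stand-in for list.txt: one keyword per line, as in the thread.
$listFile = tempnam(sys_get_temp_dir(), 'badwords');
file_put_contents($listFile, "select\n=\n<?php\n\n");

// Load the keyword list. FILE_IGNORE_NEW_LINES matters: without it every entry
// keeps its trailing "\n" and stripos() never matches an ordinary username.
function loadKeywords(string $path): array
{
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return array_map('trim', $lines);
}

// Returns the first keyword found in $input (case-insensitive), or null.
function findKeyword(string $input, array $keywords): ?string
{
    foreach ($keywords as $keyword) {
        if ($keyword !== '' && stripos($input, $keyword) !== false) {
            return $keyword;
        }
    }
    return null;
}

// Stores the credentials with a parameterized query: the values travel
// separately from the SQL text, so quotes or SQL keywords in a username are
// just characters. (Real code would hash the password before storing it.)
function storeUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $password]);
}

$keywords = loadKeywords($listFile);
unlink($listFile);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');

// Constructed inputs: ordinary names, two of which the keyword scan rejects.
$samples = ["selector", "O'Brien", "x=1", "alice"];
foreach ($samples as $name) {
    $hit = findKeyword($name, $keywords);
    printf("%-10s keyword scan: %s\n", $name, $hit === null ? 'ok' : "rejected on '$hit'");
    storeUser($db, $name, 'secret');
}

// Every value comes back exactly as entered; nothing was interpreted as SQL.
foreach ($db->query('SELECT username FROM users ORDER BY rowid') as $row) {
    echo "stored: {$row['username']}\n";
}
```

Run with `php example.php`. The scan rejects "selector" and "x=1" even though neither is hostile, while "O'Brien" is stored intact by the parameterized insert: the apostrophe that would have needed escaping in a quoted literal never reaches the SQL parser as syntax. With mysqli or PDO against MySQL the same `prepare()`/`execute()` pattern replaces the manual escaping shown in the thread.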