PHP Security Blog:
Holes in most preg_match() filters
April 04, 2007 @ 07:15:50

On the PHP Security Blog today, Stefan Esser points out holes in most of the preg_match() filters he has seen in examples and tutorials around the web. Some of these mistakes can let input through that the filter was supposed to reject, and so breach the security of your application.

During the last week I was performing some audits and like so often it contained preg_match() filters that were not correct. Most PHP developers use ^ and $ within their regular expressions without actually reading the documentation about what they really achieve.

However, the problem is that the author of such a regular expression did not correctly read the documentation and mistakes the $ character for the definitive end of the subject.

According to Stefan, the documentation for the $ character in a regular expression does not describe it that way. It does match at "the end" of the subject, but it also matches immediately before a trailing newline, so a subject ending in "\n" still passes a ^...$ filter. His suggestion? Add the /D modifier to the end of the expression so that $ matches only at the real end of the subject and not before a final newline.
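To make the difference concrete, here is an added example (it is not code from Stefan Esser's post or from PHPDeveloper.org) that runs the same whitelist pattern with and without /D over a few constructed inputs. The function name isCleanIdentifier and the test values are assumptions for illustration; only the behaviour of $ and /D comes from the PCRE documentation the post refers to.

```php
<?php
// Added example (not from the original post): a typical "safe identifier"
// whitelist, once with the default $ and once with the /D modifier.

function isCleanIdentifier(string $input, bool $dollarEndOnly): int
{
    // Without /D, $ matches at the end of the subject OR immediately before
    // a final "\n", so "user_1\n" slips through the first pattern.
    // With /D (PCRE_DOLLAR_ENDONLY), $ matches only at the very end.
    $pattern = $dollarEndOnly
        ? '/^[a-zA-Z0-9_]+$/D'
        : '/^[a-zA-Z0-9_]+$/';

    return preg_match($pattern, $input);
}

// Constructed sample inputs: a clean value, the same value with a trailing
// newline, an embedded newline, and a value with a space.
$cases = ["user_1", "user_1\n", "user_1\nother", "user 1"];

printf("%-20s %-6s %-6s\n", "input", "plain", "/D");
foreach ($cases as $value) {
    printf(
        "%-20s %-6d %-6d\n",
        json_encode($value),
        isCleanIdentifier($value, false),
        isCleanIdentifier($value, true)
    );
}
```

Run it with `php` on the command line: the "user_1\n" row is the one that differs, accepted by the plain pattern and rejected once /D is added. Only a single trailing newline is affected; an embedded newline already fails both patterns because there is no /m modifier. Another option (my addition, not mentioned in the post) is to anchor with \z instead of $, which always means the absolute end of the subject regardless of modifiers.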


All content copyright, 2013 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework