--- "Richard A. DeVenezia" <[EMAIL PROTECTED]> wrote:
> I accept a regex search term posted from a form, but I use $_REQUEST,
> so a person could throw the search term on the url if they wanted to.
>
> Am I open to any security breaches?
>
> $search_term = isset ($_REQUEST ['search']) ? $_REQUEST ['search'] : '';
> if ($search_term != "") {
>   ...
>   $contents = join ("", file($file));
>   if (preg_match ("/$search_term/i", $contents)) {
>   }
>   ...
> }

Although I can't think of a specific vulnerability for this, it is a bad practice to directly use data from the client without validating it in any way prior.

Imagine that a random user can sit down at your desk and edit this script, except that he can only enter code where you have $search_term in your example above. Each time he makes a change, he executes this script to see the result. Now, imagine that he spends day after day trying to figure out something that he can use to compromise your script or cause it to misbehave in some way. Now imagine that there are thousands of people all doing this, day after day.

Would you feel comfortable allowing them to edit your code (even just this one part) and be able to test each change, or would you rather have a look at what they entered before running the script each time? Hopefully you would rather make sure they entered something that looks like a valid regular expression. Your code can take this same approach.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
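
One way to do the check the reply recommends, making sure the term looks like a valid regular expression before it reaches preg_match(), as an added example that is not part of the original thread. The function name validate_search_term(), the MAX_TERM_LENGTH limit and the sample inputs are assumptions made for illustration; the return type syntax assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. validate_search_term() and
// MAX_TERM_LENGTH are hypothetical names; the limit is an assumed value.
const MAX_TERM_LENGTH = 100;

/**
 * Return a delimited, case-insensitive pattern built from $term, or null if
 * the term is missing, too long, contains control bytes, or does not compile.
 */
function validate_search_term($term): ?string
{
    if (!is_string($term) || $term === '' || strlen($term) > MAX_TERM_LENGTH) {
        return null; // also rejects arrays sent as search[]=...
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $term)) {
        return null;
    }
    // Escape every bare "/" so the term stays inside the pattern body and
    // the only modifier is the "i" this code appends. Existing escape
    // pairs such as "\/" or "\\" are left as they are.
    $body = preg_replace_callback('~\\\\.|/~s', function ($m) {
        return $m[0] === '/' ? '\\/' : $m[0];
    }, $term);
    $pattern = '/' . $body . '/i';
    // preg_match() returns false when the pattern fails to compile.
    if (@preg_match($pattern, '') === false) {
        return null;
    }
    return $pattern;
}

// Constructed sample inputs standing in for $_REQUEST['search'].
$contents = "First line\nSecurity notes for path/to/file\n";
$samples = ['secur.*notes', 'path/to', 'unclosed(group', 'trailing\\', ['array']];
foreach ($samples as $raw) {
    $pattern = validate_search_term($raw);
    if ($pattern === null) {
        echo "rejected: ", json_encode($raw), "\n";
        continue;
    }
    $hit = preg_match($pattern, $contents);
    // false here means a runtime PCRE error (see preg_last_error()).
    echo json_encode($raw), " => ", $hit === false ? 'error' : ($hit ? 'match' : 'no match'), "\n";
}
```

If the search does not need regex syntax at all, building the pattern with preg_quote($term, '/') treats the whole term as literal text instead.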