  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    444
    Member #
    2801
    Hello

    I'm working on a search feature and I am thinking of allowing people to search using regular expressions: that is, they submit through a form a regular expression and it will be used to search a text file.

    My question is: what are the security implications of allowing users to submit regular expressions? Are there any potential code injections? Anything else?

    I feel comfortable allowing it, but I thought I would check first

    Thanks!
    eKstreme
    eKstreme.com - Free website tools!
    fontfox - free fonts Hand-picked quality fonts.

  3. #2
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    I don't see anything especially wrong with it unless the implementation you use has security problems. The bigger question is how many people will actually know what a regex is when searching, let alone how to enter them. It may be simpler to provide some sort of visual form that builds the regex in the background.
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!

  4. #3
    Senior Member
    Join Date
    Aug 2003
    Posts
    444
    Member #
    2801
    It's for my PHPCounter script: all plugins I have at the moment are really just search plugins that look for specific things. I also have a generic search plugin that allows basic searching.

    I take your point regarding the number of people knowing regexes. However, ideally, for the more experienced webmasters, a regex search facility should be provided to complement what I already have...

    And the implementation will be using preg_match() in PHP.
    eKstreme
    eKstreme.com - Free website tools!
    fontfox - free fonts Hand-picked quality fonts.

  5. #4
    Senior Member Brak's Avatar
    Join Date
    Apr 2003
    Location
    San Francisco, CA
    Posts
    3,413
    Member #
    1217
    Liked
    2 times
    The only security exploit would be ease of finding secure files with a regex. Double check what's in your index and you should be good to go.
    Kyle Neath: Rockstar extraordinaire
    The blog | The poetry site | The Spore site

  6. #5
    Senior Member
    Join Date
    Aug 2003
    Posts
    444
    Member #
    2801
    Good point, but finding pages like that is already possible using the other plugins.
    eKstreme
    eKstreme.com - Free website tools!
    fontfox - free fonts Hand-picked quality fonts.

  7. #6
    Senior Member rosland's Avatar
    Join Date
    Jul 2003
    Location
    Norway
    Posts
    1,944
    Member #
    2096
    You're using this to place a search in A (as in singular) script-defined textfile?

    I can't see (depending on your implementation) how this could constitute a problem, unless the regex could alter the 'directional' script in any way.

    Depending on what type of information you store in that file, I can't see any way anyone could exploit that?

    (If there is, please enlighten me, because that would be beyond my comprehension)
    S. Rosland

  8. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    444
    Member #
    2801
    My PHPCounter script stores website hit data in tab delimited text files, one line per hit. At the moment, you can search by "field" or a combination of fields using simple string matching.

    The new idea is to allow searching of each line using regular expressions. The file will be defined by the script (only taken from a set of text files in a set directory) and the preg_match() call is explicitly comparing the regex with a line in the file.

    Everyone commented on implementation. So the question becomes, what kind of implementation issues do I need to heed?
    eKstreme
    eKstreme.com - Free website tools!
    fontfox - free fonts Hand-picked quality fonts.
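The implementation issues post #7 asks about, shown as an added example that is not code from the thread or from PHPCounter: the script picks the delimiter and modifiers itself (so the submitted text can never smuggle in a flag of its own), bounds the work PCRE may do, and treats a failed preg_match() call as an error rather than as "no match". The log layout and field order are assumptions; PHP 8 is assumed for preg_last_error_msg().

```php
<?php
// Pick a delimiter that does not occur in the user's pattern, so the input cannot
// close the pattern early and append modifiers of its own (on PHP < 7 the /e
// modifier turned preg_replace() into eval()). Returns null if input is rejected.
function build_search_pattern(string $userRegex): ?string
{
    if ($userRegex === '' || strlen($userRegex) > 200) {
        return null;                                // empty or unreasonably long
    }
    foreach (['/', '#', '~', '%', '@'] as $d) {
        if (strpos($userRegex, $d) === false) {
            return $d . $userRegex . $d . 'i';      // only the modifiers we choose
        }
    }
    return null;                                    // all candidate delimiters used
}

// Run the pattern over the lines of one tab-delimited hit log. Returns the
// matching lines, or null when PCRE refused the pattern or hit a limit.
function search_hits(array $lines, string $userRegex): ?array
{
    $pattern = build_search_pattern($userRegex);
    if ($pattern === null) {
        return null;
    }
    // Cap backtracking so a pathological pattern such as (a+)+$ on a long input
    // fails fast with a PCRE limit error instead of pinning the CPU.
    ini_set('pcre.backtrack_limit', '100000');
    $hits = [];
    foreach ($lines as $line) {
        $result = @preg_match($pattern, $line);     // false = compile/runtime error
        if ($result === false) {
            error_log('regex rejected: ' . preg_last_error_msg());   // PHP 8+
            return null;
        }
        if ($result === 1) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines in a one-hit-per-line, tab-delimited layout (fields assumed).
$log = [
    "2019-03-01 10:00:00\t203.0.113.5\t/index.php\tMozilla/5.0",
    "2019-03-01 10:00:07\t198.51.100.9\t/download.php?id=42\tcurl/7.64",
];
var_dump(search_hits($log, '/download\.php\?id=\d+\t'));   // one matching line
var_dump(search_hits($log, '(unbalanced'));                 // null: PCRE rejects it
```

On PHP 7 replace preg_last_error_msg() with preg_last_error(); the rest runs unchanged.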


Powered by vBulletin® Version 4.2.3
Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.