
I'm currently working on a website and want to prevent certain characters from being entered. I am using the following code:

// $input holds the submitted form value (the variable name is not given in the question)
if (!preg_match("/^[a-zA-Z0-9_!,()& -\/]*$/", $input)) {
    // a character outside the class was found: reject the submission
}

Is it possible to exploit this, and if so, how? I would also like to know ways to prevent it, please.

Thanks

Anon
    Welcome. Can you please complete the code in your question? Inputted how? Form? Query string? What do you do in each code path? It's not possible to tell from what you've posted as to what risks you're exposed to... – brynk May 18 '21 at 07:04
  • input validation on POST form with – Anon May 18 '21 at 15:22

2 Answers


No, match does not have an option to eval the capture group. However, depending on where that data is going, your filtering is loose enough to allow exploitation of several bug classes if you are using it as input validation.

wireghoul
    Hello, it uses input validation on POST form with . Is that classed as exploitation with bug classes? – Anon May 18 '21 at 15:22
  • Vulnerabilities are very context specific, so without the entire code it cannot be determined. – wireghoul May 18 '21 at 22:03
  • It is a with type post and just an inside, nothing else – Anon May 19 '21 at 00:26
  • @Anon What's on the client-side doesn't matter; a malicious client can input anything they want. What are you _doing_ with this input data? What happens _after_ it's matched? – JamesTheAwesomeDude May 20 '21 at 20:42

To answer your question, it depends on what you're going to do with the input data.

From a security perspective:

If you're going to insert it in a SQL table, just make sure to escape it properly.

If you're going to use it in a bash function call, same, make sure to escape it properly.

Technically, if you escape it properly, you can allow any characters.

From a programming perspective:

If you're accepting a name, then you should look for name validation patterns.

If you're accepting a phone number, then you should look for phone number patterns.

You can find most of those answers on Stack Overflow.

Conclusion:

The ability to accept inputs securely is separate from the validation of the meaning of your data.

So you have two jobs to do for every field: validate that the input is proper for the expected field (e.g. phone, name, email, etc.), and make sure to escape it properly when you pass it on to another system (a DB, BASH or other) for storage, processing or other use.

Wadih M.
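An added PHP example of the two jobs this answer describes; it is not code from the question or from either answerer. It keeps the question's pattern unchanged to show what its character class actually admits, then separates field-specific validation from handling at each boundary the value crosses, using a bound parameter (PDO) instead of string escaping for SQL and escapeshellarg() for the shell. The display-name rule, the table and column names, and the sample value are assumptions.

```php
<?php
// Added example (not from the question or either answer). Constructed sample
// value and assumed field rule, table and column names.

// The question's pattern, unchanged. Inside the class, " -\/" is a RANGE from
// space (0x20) to "/" (0x2F), so besides the listed characters it also admits
// double quote, #, $, %, single quote, *, +, - and .
const QUESTION_PATTERN = "/^[a-zA-Z0-9_!,()& -\/]*$/";

function passesQuestionPattern(string $value): bool
{
    return preg_match(QUESTION_PATTERN, $value) === 1;
}

// Job 1: validate against what the field is meant to hold. For a display name
// this assumed rule is an explicit allow-list with a length bound: letters,
// digits, space, underscore, hyphen, 1 to 40 characters.
function isValidDisplayName(string $value): bool
{
    return preg_match('/^[A-Za-z0-9 _-]{1,40}$/', $value) === 1;
}

// Job 2a: crossing into SQL. Rather than escaping into a query string, bind the
// value as a parameter so the database never parses it as part of the statement.
function storeDisplayName(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (display_name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Job 2b: crossing into a shell. escapeshellarg() quotes the value as a single
// argument regardless of which characters it contains.
function buildGreetingCommand(string $name): string
{
    return 'echo Hello ' . escapeshellarg($name);
}

// Constructed sample: every character sits inside the question's class, so the
// question's check accepts it, yet it carries an apostrophe and an ampersand
// that the field rule rejects and that matter once the value reaches SQL or a shell.
$input = "O'Brien & Sons";
var_dump(passesQuestionPattern($input));
var_dump(isValidDisplayName($input));
var_dump(buildGreetingCommand($input));
```

storeDisplayName() is defined but not called, since it needs a live PDO connection; the other three calls run offline.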