#1

    Does this function have any security concerns?

    Does the following substitute function have any security concerns? Any recommendations how to make it better? I am currently using PHP 5.3.18, but will hopefully upgrade to 5.4 soon. Thanks

    PHP Code:
    // Class wrapper assumed for context; the post only shows the static method.
    class Template {
        // Replaces occurrences of {?name?} with $values['name'] if it exists in $values. Deliminators can be changed
        static public function substitute($template, $values, $deliminator='{??}') {
            // Home-made escaping: a backslash is put in front of every character of the deliminator
            $deliminator = "\\".implode("\\", str_split($deliminator));
            $half = (int) (strlen($deliminator) / 2);
            $pattern = '/'.substr($deliminator, 0, $half).'(\w+)'.substr($deliminator, $half).'/';
            return preg_replace_callback(
                $pattern,
                function ($matches) use ($values) {
                    if (isset($values[$matches[1]])) {
                        return $values[$matches[1]];
                    }
                    // Unknown placeholder: leave it as it was
                    return $matches[0];
                },
                $template);
        }
    }

#2

    Hi,

    secure in what sense? Where do you use this function? I mean, a string itself isn't "dangerous". But the way you use it can be dangerous. For example, the string "' OR 1 = 1" by itself is perfectly valid and doesn't hurt anyone. It's just a bunch of characters. But if you put it into a query, it can be used as an SQL injection.

    One apparent problem of your code is that you use home-made escaping instead of the native PHP function. In the case of regexes, this is preg_quote(). Also, putting a backslash in front of every single character (regardless of the actual character) is a pretty weird way of escaping and can lead to unexpected results.
#3

    secure in what sense?
    Sorry, I totally forgot to give the important information.

    $template and $values are both provided by the user (but not $deliminator or the keys of $values). For instance, I might have:

    PHP Code:
    $_POST = array(
        'template' => 'Hello {?yourname?}, my name is {?myname?}',
        'values'   => array('yourname' => 'Jacques1', 'myname' => 'NotionCommotion')
    );
    I have already taken care of any SQL injection concerns, but question my use of preg_replace_callback(). Previously, I was using $template_new= preg_replace('/\{\?(\w+)\?\}/e', '$fields["$1"]', $template); which uses the /e flag which I assume can be dangerous. Does that danger still remain? Thank you
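    The following is an added example, not code from anyone in this thread: it rewrites substitute() with preg_quote() as reply #2 recommends, and keeps the closure-based preg_replace_callback() so that, unlike the old /e replacement, no string is ever evaluated as PHP code. The class name TemplateSubstitute and the even-length delimiter check are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Class name is assumed.
class TemplateSubstitute
{
    public static function substitute($template, array $values, $delimiter = '{??}')
    {
        $len = strlen($delimiter);
        // Assumed rule: the delimiter is an opening half followed by a closing half.
        if ($len < 2 || $len % 2 !== 0) {
            throw new InvalidArgumentException('delimiter must have an even length of at least 2');
        }
        $half = $len / 2;
        // preg_quote() escapes only regex metacharacters; passing '/' as the second
        // argument also escapes the pattern delimiter. Backslashing every character
        // instead would turn a letter such as "d" into the digit class "\d".
        $open  = preg_quote(substr($delimiter, 0, $half), '/');
        $close = preg_quote(substr($delimiter, $half), '/');
        $pattern = '/' . $open . '(\w+)' . $close . '/';

        // The callback is ordinary PHP. Neither $template nor $values is compiled or
        // eval'd, which is the difference from the /e modifier (deprecated in PHP 5.5,
        // removed in 7.0), where the replacement string itself is executed as code.
        return preg_replace_callback(
            $pattern,
            function (array $m) use ($values) {
                // Unknown names are left untouched, so output only contains the
                // template text and the caller's own values.
                return array_key_exists($m[1], $values) ? (string) $values[$m[1]] : $m[0];
            },
            $template
        );
    }
}

// Constructed sample input, modelled on the $_POST shown in post #3.
$template = 'Hello {?yourname?}, my name is {?myname?} {?unknown?}';
$values   = array('yourname' => 'Jacques1', 'myname' => 'NotionCommotion');
echo TemplateSubstitute::substitute($template, $values), "\n";

// A delimiter made of regex metacharacters and letters: preg_quote() handles
// both correctly, where backslash-everything would not.
echo TemplateSubstitute::substitute('Hi [d name d]', array('name' => 'x'), '[d d]'), "\n";
```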
#4

    Hello again,

    Hoping to get an opinion other than mine on this.

    Given that $template and $values are both provided by the user, does my implementation pose any security risks?

    Thanks
