WebmasterWorld: PHP Server Side Scripting Forum
Sending a preg replace replacement value to a function
TheAlbinoEthiopian
Msg#: 3658784 posted 9:19 pm on May 25, 2008 (gmt 0)

Basically, I'm trying to make a secure bbcode system, and I'm unfamiliar with the preg_replace function. I've managed to get the basics of it working, but now I'm trying to secure it from being injected with javascript, so I wrote a function that would check if a url started with [,...] ftp://, etc. Problem being, I can't call upon that function because it keeps sending '$1' to the function as a string rather than the value it gets replaced with.

$replace = array(
'<strong>$1</strong>',
'<em>$1</em>',
'<u>$1</u>',
// check_url() and check_img() run here, while the array is being built,
// and receive the literal two-character string '$1', not the text that
// preg_replace() later substitutes for $1 in the replacement string.
'<a href="' . check_url('$1') . '">$2</a>',
'<a href="' . check_url('$1') . '">' . check_url('$1') . '</a>',
'<img src="' . check_img('$1') . '" />',
);

There's the relevant area of the code, can anyone help?

 

yumigator
Msg#: 3658784 posted 10:05 pm on May 25, 2008 (gmt 0)

Since variables beginning with numbers are reserved for regular expression purposes, you can't pass them to a function and use it as a replacement string.

The ones which aren't passed to a function (i.e. <strong>$1</strong>) are working as expected, right?

EDIT: The reason "$1" is being passed to the function is because you have it quoted. Since PHP doesn't allow variables beginning with numbers, it assumes that a $ followed by a number, in quotes, should be taken literally. If you would have passed it to the function without quotes, you would have gotten an "unexpected T_LNUMBER" error.

Even if the variable were a valid one, the quotes would still be unnecessary, since the variable is already a string.

TheAlbinoEthiopian
Msg#: 3658784 posted 10:21 pm on May 25, 2008 (gmt 0)

Yes, the others are working properly, and I originally had it unquoted, and got the T_LNUMBER error like you said. Is there any way to pass it into the function, or possibly a way to make sure it begins with http:// (or others) without using a function? I'm trying to make a preemptive strike against XSS on my site, so I really need to disable it in images at least.

yumigator
Msg#: 3658784 posted 10:30 pm on May 25, 2008 (gmt 0)

Assuming your bbcode works something like

[url=http://foo.com]something here[/url]

why not just replace all instances of "/\[url=javascript:.*\].*\[url\]/" with a "link removed" text or something? That will weed out any bad links.

Following that, you then replace the remaining legitimate links with <a> tags.

Keep in mind that my regex may be bad because I don't know if some characters should be escaped (and I didn't bother looking it up), so you should write your own. Also, that would obviously only remove the javascript links.

You could do a similar thing for img tags.

TheAlbinoEthiopian
Msg#: 3658784 posted 10:44 pm on May 25, 2008 (gmt 0)

Hmmm, I actually never thought of that, guess I was making it more difficult on myself than need be. Thanks for the help!

Little_G
Msg#: 3658784 posted 10:44 pm on May 25, 2008 (gmt 0)

Hi,

Have you tried using the e modifier [php.net]?
There's an example in the documentation [php.net].

Andrew
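The three answers above describe the same problem from different angles: a quoted '$1' reaches check_url() as a literal string (first post), a blacklist regex for javascript: links is easy to bypass with mixed case or leading whitespace (yumigator's suggestion), and the e modifier that Little_G points to has since been deprecated (PHP 5.5) and removed (PHP 7.0). The following is an added example, not code from the thread or from any of the posters; it assumes PHP 7.1 or later, and the tag set [b], [i], [u], [url=...], [url] and [img] is assumed. check_url() and check_img() reuse the names from the first post, but their bodies are this example's own: an allowlist of schemes rather than a blacklist. preg_replace_callback() is the supported replacement for the e modifier and is what hands the captured URL, rather than the text "$1", to the check function.

```php
<?php
// Added example (not from the thread). check_url(), check_img() and
// bbcode_to_html() are this example's own implementations.

// Allowlist check: accept only absolute http/https/ftp URLs. Trimming plus a
// case-insensitive scheme match closes the gaps a "javascript:" blacklist
// leaves open (JaVaScRiPt:, leading whitespace, other schemes such as data:).
function check_url(string $url): ?string
{
    $url = trim($url);
    if (preg_match('~^(?:https?|ftp)://[^\s<>]+$~i', $url) !== 1) {
        return null;
    }
    return $url;
}

// <img src> gets the same treatment, restricted to http(s).
function check_img(string $url): ?string
{
    $url = trim($url);
    if (preg_match('~^https?://[^\s<>]+$~i', $url) !== 1) {
        return null;
    }
    return $url;
}

function bbcode_to_html(string $text): string
{
    // Escape everything first, so bbcode is the only route to markup and every
    // captured value below is already entity-encoded when it is reinserted.
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Tags whose replacement needs no validation can stay as replacement
    // strings: here $1 is resolved by preg_replace() at match time.
    $text = preg_replace(
        array('~\[b\](.*?)\[/b\]~s', '~\[i\](.*?)\[/i\]~s', '~\[u\](.*?)\[/u\]~s'),
        array('<strong>$1</strong>', '<em>$1</em>', '<u>$1</u>'),
        $text
    );

    // Tags that need validation use a callback. $m[1] is the captured text
    // itself, not the literal string '$1', so check_url() can inspect it.
    $text = preg_replace_callback('~\[url=([^\]]+)\](.*?)\[/url\]~s', function (array $m): string {
        $href = check_url($m[1]);
        return $href === null ? '[link removed]' : '<a href="' . $href . '">' . $m[2] . '</a>';
    }, $text);

    $text = preg_replace_callback('~\[url\]([^\[]+)\[/url\]~', function (array $m): string {
        $href = check_url($m[1]);
        return $href === null ? '[link removed]' : '<a href="' . $href . '">' . $href . '</a>';
    }, $text);

    $text = preg_replace_callback('~\[img\]([^\[]+)\[/img\]~', function (array $m): string {
        $src = check_img($m[1]);
        return $src === null ? '[image removed]' : '<img src="' . $src . '" />';
    }, $text);

    return $text;
}

// Constructed sample input: one legitimate link, one mixed-case script-scheme
// link with leading whitespace that a case-sensitive "javascript:" blacklist
// would miss, and one image.
$sample = "[b]Visit[/b] [url=http://example.com/?a=1&b=2]here[/url] "
        . "[url=  JaVaScRiPt:alert(1)]click[/url] [img]http://example.com/x.png[/img]";
echo bbcode_to_html($sample), PHP_EOL;
```

Escaping the whole input before matching means a captured URL can no longer contain a raw quote or angle bracket, so the only decision left to check_url() is whether the scheme is one the site wants to link to. Rejecting everything that is not on the allowlist also covers schemes the blacklist never named.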
