
PHP Server Side Scripting Forum

RegEx Form Security Patterns
Is there a silver bullet?

10+ Year Member

Msg#: 4454086 posted 10:10 am on May 16, 2012 (gmt 0)

Hello All -

I'm writing a script that does the following:

1. takes $_POST vars from a guestbook and contact form
2. if any of the data contains URLs, "javascript:", HTML tags
3. all field data gets run through htmlentities and is quarantined pending admin authorization

I'm using preg_replace (not preg_match) to highlight the above characters via span pairs.

The regex patterns I'm using are catching anchor tags, http/https/ftp, the word "javascript:" and a few others.

While I guess this is a good start, would anyone be willing to share a comprehensive pattern that would catch most of the "bad stuff" thrown at HTML forms?

Thanks to all in advance

PS: some of the "bad" test strings I'm using contain: urls and links surrounded by square brackets.




WebmasterWorld Senior Member rocknbil us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 4454086 posted 3:40 pm on May 16, 2012 (gmt 0)

Short answer to topic: no, there isn't.

Longer but simple place to start: accept only what you want and throw everything else away.

Here's one of many [webmasterworld.com] discussions on the topic that will help. (Die on patterns found.) The array mentioned there is an easy way to filter out what you decide you need to keep.

A better one [webmasterworld.com] (second to last post) that I use regularly, which includes some cool bits on email address validation and, more importantly, logging the input data. This is more useful than you can ever imagine; it reveals "what they are up to." To use this you'll have to understand functions, and how to pass parameters to them and evaluate the result. It also refers to other functions you'll need to write (exit_prog_error([message]), for example.)
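The two approaches in this thread, the original poster's "flag anything that looks like a URL, javascript: or an HTML tag, encode it and hold it for moderation" and rocknbil's "accept only what you want and throw everything else away, and log the raw input", fit together in one filter. The block below is an added illustration written for this page; it is not code from either poster or from the linked threads. The `$submission` array is a constructed stand-in for `$_POST`, the field rules and the `$suspicious` patterns are assumptions chosen for the example, and `filter_submission` is a hypothetical helper name.

```php
<?php
// Constructed sample submission standing in for $_POST (not real form data).
$submission = [
    'name'    => "Bob <b>Smith</b>",
    'email'   => "bob@example.com",
    'website' => "javascript:alert(1)",
    'message' => "Check out [http://example.com/spam] now!",
    'extra'   => "field the form never defined",
];

// Allowlist: only these keys survive, each with a length cap and, where the
// field has a fixed shape, a pattern it must match in full. Everything else
// (including the 'extra' key above) is discarded rather than "cleaned".
$fields = [
    'name'    => ['max' => 60,   'pattern' => '/\A[\p{L}\p{M}\'\-. ]+\z/u'],
    'email'   => ['max' => 254,  'pattern' => null],  // checked with filter_var instead
    'website' => ['max' => 200,  'pattern' => '/\Ahttps?:\/\/[^\s<>"\']+\z/i'],
    'message' => ['max' => 2000, 'pattern' => null],  // free text: flagged, not rejected
];

// Markers that send a free-text field to the moderation queue. These are the
// kinds of things the original post highlights; they are not a complete list.
$suspicious = [
    'url'        => '/\b(?:https?|ftp):\/\/\S+/i',
    'javascript' => '/javascript\s*:/i',
    'html_tag'   => '/<\/?[a-z][^>]*>/i',
    'bracket'    => '/\[[^\]]*(?:https?:\/\/|www\.)[^\]]*\]/i',
];

function filter_submission(array $input, array $fields, array $suspicious): array
{
    $clean   = [];
    $reasons = [];

    foreach ($fields as $name => $rule) {
        // Missing field is treated as empty; keys not in $fields are never read.
        $value = trim(isset($input[$name]) ? (string) $input[$name] : '');

        if (strlen($value) > $rule['max']) {
            $reasons[] = "$name: too long";
            $value = substr($value, 0, $rule['max']);
        }

        if ($name === 'email') {
            if ($value !== '' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                $reasons[] = 'email: invalid';
                $value = '';
            }
        } elseif ($rule['pattern'] !== null) {
            // Fixed-shape field: anything that does not match in full is dropped.
            if ($value !== '' && !preg_match($rule['pattern'], $value)) {
                $reasons[] = "$name: rejected by pattern";
                $value = '';
            }
        } else {
            // Free text: keep it, but record every marker found so a human sees it.
            foreach ($suspicious as $label => $re) {
                if (preg_match($re, $value)) {
                    $reasons[] = "$name: contains $label";
                }
            }
        }

        // Encode on the way to storage/display no matter what passed above;
        // output encoding, not the detection regexes, is what stops script injection.
        $clean[$name] = htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    return [
        'data'       => $clean,
        'quarantine' => $reasons !== [],
        'reasons'    => $reasons,
    ];
}

$result = filter_submission($submission, $fields, $suspicious);

// Log the raw input alongside the reasons: as the post above says, the log of
// what was attempted is where you learn what visitors are actually sending.
error_log(date('c') . ' ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli') . ' '
    . json_encode(['input' => $submission, 'reasons' => $result['reasons']]));

print_r($result);
```

With the sample input, `name` and `website` fail their patterns and are dropped (the `<b>` tag and the `javascript:` URL never reach storage), `message` is kept but flagged for both a URL and a bracketed link, and `quarantine` comes back `true`, so the entry waits for an admin. The important design choice is the split between fixed-shape fields, which are rejected outright, and free text, which is only flagged: a regex blocklist can always be evaded, so it is used to route for review, while the allowlist and `htmlentities` do the actual protecting.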


10+ Year Member

Msg#: 4454086 posted 1:35 am on May 17, 2012 (gmt 0)

Rockinbil -

Cool man, thanks very very much for the links!

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved