Sending a preg replace replacement value to a function

Forum Moderators: coopster

Message Too Old, No Replies

Sending a preg replace replacement value to a function

TheAlbinoEthiopian

9:19 pm on May 25, 2008 (gmt 0)

Basically, I'm trying to make a secure bbcode system, and I'm unfamiliar with the preg_replace function. I've managed to get the basics of it working, but now I'm trying to secure it from being injected with javascript, so I wrote a function that would check if a url started with [,...] ftp://, etc. Problem being, I can't call upon that function because it keeps sending '$1' to the function as a string rather than the value it gets replaced with.

$replace = array(
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<u>$1</u>',
        '<a href="' . check_url('$1') . '">$2</a>',
        '<a href="' . check_url('$1') . '">' . check_url('$1') . '</a>',
        '<img src="' . check_img('$1') . '" />',
        );

There's the relevant area of the code, can anyone help?

yumigator

10:05 pm on May 25, 2008 (gmt 0)

Since variables beginning with numbers are reserved for regular expression purposes, you can't pass them to a function and use it as a replacement string.

The ones which aren't passed to a function (i.e. <strong>$1</strong>) are working as expected, right?

EDIT: The reason "$1" is being passed to the function is because you have it quoted. Since PHP doesn't allow variables beginning with numbers, it assumes that a $ followed by a number, in quotes, should be taken literally. If you would have passed it to the function without quotes, you would have gotten an "unexpected T_LNUMBER" error.

Even if the variable were a valid one, the quotes would still be unnecessary, since the variable is already a string.

TheAlbinoEthiopian

10:21 pm on May 25, 2008 (gmt 0)

Yes, the others are working properly, and I originally had it unquoted, and got the T_LNUMBER error like you said. Is there any way to pass it into the function, or possibly a way to make sure it begins with http:// (or others) without using a function? I'm trying to make a preemptive strike against XSS on my site, so I really need to disable it in images at least.

yumigator

10:30 pm on May 25, 2008 (gmt 0)

Assuming your bbcode works something like

[url=http://foo.com]something here[/url]

why not just replace all instances of "/\[url=javascript:.*\].*\[url\]/" with a "link removed" text or something? That will weed out any bad links.

Following that, you then replace the remaining legitimate links with <a> tags.

Keep in mind that my regex may be bad because I don't know if some characters should be escaped (and I didn't bother looking it up), so you should write your own. Also, that would obviously only removed the javascript links.

You could do a similar thing for img tags.

TheAlbinoEthiopian

10:44 pm on May 25, 2008 (gmt 0)

Hmmm, I actually never thought of that, guess I was making it more difficult on myself than need be. Thanks for the help!

Little_G

10:44 pm on May 25, 2008 (gmt 0)

Hi,

Have you tried using the e modifier [php.net]?
There's an example in the documentation [php.net].

Andrew