Search the Community

I have a security question. Though I have gone through OWASP docs I still need to place specific things in the right perspective. It is actually quite brief regarding examples. But regarding security, I have to admit that I dont know much about how hackers are operating. What I know is that javascript can be included and mysql injection can be done if you don't escape well. I have a piece of regex to allow as much characters as possible for password input. So also the <> the dot . and the semi-colon ; and the string. After forcing the user to use the right characters the password is encrypted with blowfish. Im actually not sure what happens, because if you encrypt malicious code, you can finally make it work again when you decrypt it. Probably its naive to ask online for hacking examples, because then you inform hackers. Maybe if you cant make up any risky situation, you can give a recommendation for which characters should be avoided for a password input. All input is encryted with password_verify / Blowfish. Then prepared OOP queries store the variable in the database. regex: $var='/[!@#$%^&*()\-_=+{};:,<.>]/'; then the preg_replace does: if(preg_match_all($var,$pas_inp, $o)<2) { echo '<br><br>input should contain at least 2 special chars , try again'; return FALSE; } How risky (in which possible situations) is the use of: < > . ; $ & regarding javascript, mysql injection and other possible hacks. (sorry it is a very open question, but to avoid problems I have to start somewhere)

Hi all, I have a problem for sanitizing / validating a web address input. My personal favor is doing it with regex. I made a simple example with preg_replace <?php if (!empty($_POST['wbddrss']) ) { $wbddrss = $_POST['wbddrss']; $wbddrss = trim($wbddrss); var_dump($wbddrss); $validate = preg_replace('/<>/' , '', $wbddrss); var_dump($validate); } ?> But I would like to replace all chars that do not meet what is allowed. I guess the best solution would be to replace everything with a caret to negate. But it seems I cant find the right delimiters. This is the range of characters I would like to allow: A-Za-z0-9+&@#/%?=~_|!:,.;\(\) how is this done in a preg_replace function?

I want to use preg_replace to input only a-zAZ with a limit of 30 characters I have a piece of code I used before but it works with preg_match. example function: <?php // input form to get the name // use the function here $name = valid_name($name); // function to validate name input function valid_name($data){ $data = ltrim($data); $data = rtrim($data); $data = preg_replace("/^(?:[A-Za-z][A-Za-z\-]{2,30}[A-Za-z]|[A-Za-z])$/", '' , $data); return $data; } ?> To give an impression of how I use it; a part of the confirmation form <html> <form action="mypage.php" method="post"> <p><input type="text" name="name" value="<?php echo $name; ?>" STYLE="background-color: #708DCC; color: white; height: 20px; width: 200px; border: none; font-size: 14px;" readonly ></p> <!-- rest of the form --> </html> The problem is in the preg_replace part. an input with chars like: ^&$ etc is not replaced, how to do this? if anyone can help I would be really happy.

I have a thing I dont get. I found this regex part to check for correct subdomains. function check_subdomain($data){ if (!empty($data)){ $data = preg_match("/^(?:[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]|[A-Za-z0-9])$/", $data); return($data); } else { } } echo check_subdomain($data); but the strange thing is that echo check_subdomain($data) outputs the input and adds a 0 when wrong and a 1 when correct. why is this done and how to avoid it?

I don't seem to get my head around the reason why the following returns TypeError: Object.values is not a function var input = '[a docs/my_pdf.pdf|here§my_class#my_id][img imgs/myimg.jpg|Alt title][g Artificial Languages][lang]HTML, CSS, Sass, SMACSS, SVG[y]7[/y][/lang][/g][p]Yes[/p]'; var RegEx = { 'tagClass': { '\§\s*(.+?)\s*[\§\|\]\#]': ' class="$1"' }, 'tagId': { '\#\s*(.+?)\s*[\§\|\]\#]': ' id="$1"' }, 'tagAlt': { '\[img.+?\|\s*(.+?)\s*[\§\|\]\#]': ' alt="$1"' }, 'tagTitle': { '\[a.+?\|\s*(.+?)\s*[\§\|\]\#]': ' title="$1"' }, 'tagSrc': { '\[img\s*(.+?)\s*[\§\|\]\#]': ' src="$1"' }, 'tagHref': { '\[a\s*(.+?)\s*[\§\|\]\#]': ' href="$1"' }, 'tagAngleBrackets': { '\[(\/?)(.+?(?=[\]]))\]?': '<$1$2>' } }; for (var tag in RegEx) { input.replace(new RegExp(Object.keys(RegEx[tag])[0], 'g'), Object.values(RegEx[tag])[0]); }

How should I validate 'wrong' or 'fake' protocols? Not sure how to explain this. I mean type mismatches like gttps : // but also random chars like qwerty : // should be validated. So chars before : // ( placed spaces in the protocols above else I wasnt possible to post it here) How to do this with regex php?

Hi there I'm looking for a way to strip multiple backslashes. I'm able to strip up to 7 backslashes. This is my code: $url = stripslashes($url); $url = stripslashes($url); $url = stripslashes($url); You read it well, I used it 3 times. I know the backslash is a delimiter so it is necessary to use it 3 times to strip one slash. But my goal is (like with other characters) to strip all. How is PHP handling this?

I am trying to process a string which contains various data relating to an elearning record; Moodle SCORM suspend_data if you're familiar with it Since I do not have access to server side SQL/CLR functions through the Moodle interface, I am attempting to reference, and extract, the relevant information from the string by explicitly referencing the character locations of the information I need in the string and then converting them as required so they can be summed e.g. SELECT prefix_user.username,........ ((CASE(SUBSTRING(value_rep,237,1)) WHEN 'c' THEN 1 ELSE 0 END) + ........(CASE(SUBSTRING(value_rep,3659,1)) WHEN 'c' THEN 1 ELSE 0 END)) AS "# Videos watched"........FROM ((prefix_user LEFT JOIN (SELECT prefix_scorm_scoes_track.userid, Replace(value,"''","'XX'") AS value_repFROM prefix_scorm_scoes_track WHERE (((prefix_scorm_scoes_track.element)='cmi.suspend_data'))) AS vid ON prefix_user.id = vid.userid The string contains multiple occurrences of the string patterns '','n' and 'nn' where n is any digit 0-9 which I need to replace with the same string pattern e.g. 'XX', so that the total length of the string as a whole remains the same. I Initially thought that the pattern would always exist as '' or 'nn' so it was relatively simple to use a REPLACE(value,"''","XX") I understand it's not possible to use regex in the REPLACE function and have been investigating the use of PATINDEX with STUFF, but understand this is inly suitable for operating on 1 occurrence of a pattern. The report can be output to a CSV for viewing in Excel, so my conclusion is currently to carry out post-processing with Excel VBA where I will have access to loops and other functions. Is what I am trying to achieve possible without the use of a function on the SQL server?

I'm trying to write some regex's for some input validation I need to do in an app, and while I can achieve the results I want, I wondering if I can combine or refine the couple regex's I am using to validate the input types I need. 1) Input Type - ID Rules * must start with a letter or number * can contain only letters, numbers, -, ., _, * be between 4 and 15 characters. Should Pass * j.smith_33- Should Fail * aa * jsmith1234567890 * -abc12 Implementation var allowedLength = inputToTest.length >= 4 && inputToTest.length <= 15 ? true : false; if(/^[A-Za-z0-9-_.]+$/.test(inputToTest) && /^[A-Za-z]/.test(inputToTest) && allowedLength){ //passed validation} 2) Input Type - Password * Passwords must be 6-32 characters. * At least one number must be included. Should Pass * abc1-. Should Fail * aabb * bbbcccd * 1234567890ASDFGHJKLQWERTYUIOPZXCV Implementation var allowedLength = inputToTest.length >= 6 && inputToTest.length <= 32 ? true : false; if(/^[A-Za-z0-9-_.]/.test(inputToTest) && /d/.test(inputToTest) && allowedLength){ //passed validation} Any thoughts on trying to combine any of these? In particular would be adding the length requirement to one of these existing regexs. I've tried with playing around with the placement of {4,15} and {6,32} respectively with no luck.

hi everyone, i am currently having an issue with the following excerpt of javascript - particularly the "regular expressions not wanting to replace". case 19: // set where Prim_Att_Val document.getElementById("ajaxbg").style.visibility = "visible"; var val = document.form_services.where_primattval.options[form_services.where_primattval.selectedIndex].value; // new constraint var title = document.getElementById("table_results").tHead.children[1].title; // current constraints //salert("re = ^/[ AND]*" + quote(" `Prim_Att_Val` = ""+where["Prim_Att_Val"]+""") + "/g"); //salert("val = "+val); //salert("title = "+title); if (whereo["Prim_Att_Val"]==-1) { document.getElementById("table_results").tHead.children[1].title += ((wherecnt>0)?" AND":"")+" `Prim_Att_Val` = ""+val+"""; where["Prim_Att_Val"] = val; whereo["Prim_Att_Val"] = wherecnt; wherecnt++; } else { //salert(whereo["Prim_Att_Val"]); //salert(val); document.getElementById("table_results").tHead.children[1].title = title.replace(re = new RegExp("/"+quote("`Prim_Att_Val` = "" + where["Prim_Att_Val"]+""")+"/g"),(val!="")?"`Prim_Att_Val` = ""+val+""":val); if (!where["Prim_Att_Val"]) whereo["Prim_Att_Val"] = -1; salert(title); salert(re.toString()); salert("`Prim_Att_Val` = ""+val+"""); salert(whereo["Prim_Att_Val"]); where["Prim_Att_Val"] = val; } document.getElementById("ajaxbg").style.visibility = "hidden"; break; salert is a custom function which prints to a div at the top of the screen. same results could be achieved by calling alert, it's just neater with all the data being kept and new lines being written. what is the issue with line 680 - it is not replacing the values as expected? in case 13, it does however - this does not have the string inserted into the regular expression to search for... anybody, please help!

I'm so confused about this regex code for URL /\[([^\]]+)]\(([-a-z0-9._~:\/?#@!$&'()*+,;=%]+)\)/i I'm so confused about this.... What i don't understand is this ([^\]]+) Why this have double closing brackets ? Please help me....