Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Stoimen Popov's Blog:
preg_match Give Names to the Matches
Jul 06, 2010 @ 16:01:48

In a quick post to hos blog today Stoimen Popov points out a handy feature of the preg_match function in PHP (in PHP 5.2.2 and higher) to be able to name the results of the regular expression match.

In PHP 5.2.2+ you can name the sub patterns returned from preg_match with a specific syntax. [...] This is extremely helpful, when dealing with long patterns. [...] Although it may look difficult to maintain, now you can simply name the sub patterns of preg_match and to call them with their associative array keys. This is more clear when writing code and it's definitely more maintainable.

The key is to use a special syntax as a part of the expression's pattern. This replaces the numeric keys of the matches with values you define, making it simpler to use the results (instead of having to work with numbers that don't match much of anything). Code and expression examples are included.

tagged: named result match pregmatch regularexpression

Link:

PHP Security Blog:
Holes in most preg_match() filters
Apr 04, 2007 @ 12:15:50

On the PHP Security Log today, Stefan Esser points out some holes in most of the filters using preg_match that he's seen in examples and the like all around the web. Some of these things could cause issues that could breach the security of your application.

During the last week I was performing some audits and like so often it contained preg_match() filters that were not correct. Most PHP developers use ^ and $ within their regular expressions without actually reading the documentation about what they really achieve.

However the problem is, that the author of such a regular expression did not correctly read the documentation and mistakes the $ character for the definitive end of the subject.

According to Stefan, the actual documentation for the $ character in a regular expression isn't quite used that way. It does mean "the end" of the match but it can also match against a newline as well. His suggestions? Use the /D modifier on the end of the expression to match the real "the end" and not how it might match otherwise.

tagged: security pregmatch filter match endofline clean security pregmatch filter match endofline clean

Link:

PHP Security Blog:
Holes in most preg_match() filters
Apr 04, 2007 @ 12:15:50

On the PHP Security Log today, Stefan Esser points out some holes in most of the filters using preg_match that he's seen in examples and the like all around the web. Some of these things could cause issues that could breach the security of your application.

During the last week I was performing some audits and like so often it contained preg_match() filters that were not correct. Most PHP developers use ^ and $ within their regular expressions without actually reading the documentation about what they really achieve.

However the problem is, that the author of such a regular expression did not correctly read the documentation and mistakes the $ character for the definitive end of the subject.

According to Stefan, the actual documentation for the $ character in a regular expression isn't quite used that way. It does mean "the end" of the match but it can also match against a newline as well. His suggestions? Use the /D modifier on the end of the expression to match the real "the end" and not how it might match otherwise.

tagged: security pregmatch filter match endofline clean security pregmatch filter match endofline clean

Link:


Trending Topics: