PHP preg_replace RCE

Asked Jun 18 '20 at 18:16

Active Jun 18 '20 at 18:16

Viewed 129 times

I was building a code to sanitize user's input but while doing some searches on google i found out that the function that i used (preg_replace) can lead to remote command execution.

However my code is different from the ones that i found on google and stackoverflow

Is it still RCE'able?

    function ft($a,$b=""){
    $a = preg_replace("/[^a-zA-Z0-9".$b."]/", "", $a);
    return $a;
}

function fo($a){
    $a=ft($a,".@_-");
    return $a;
}


$test = $_GET["input"];
$func = fo($test);

asked Jun 18 '20 at 18:16

Eric Damere

What did you read online, what code in particular can cause issue? – Unbranded Manchester Jun 18 '20 at 18:35
@UnbrandedManchester https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace – Eric Damere Jun 18 '20 at 18:44
1

What you read is outdated. `e` is deprecated. You can't execute any code with `preg_replace` – Wiktor Stribiżew Jun 18 '20 at 18:54

PHP preg_replace RCE

0 Answers0