I am working on a project. This project has a user interface that we wrote in PHP. In the management part, there is a form input where the user needs to enter a regular expression. As far as I know, I cannot check whether it is a regex or not, because every string is a regex. What I want to do is check whether this input is proper or not. Which way can I do it?
- What do you mean by "harmful"? Do you want to check whether or not the string is a *valid* regex, or whether or not it's a *malicious* regex? – JJJ Feb 04 '12 at 08:00
- http://stackoverflow.com/questions/2371445/sanitization-of-user-supplied-regular-expressions-in-php – Jared Farrish Feb 04 '12 at 08:01
- Well, I'd like to see a sample of a harmful regex. – JJJ Feb 04 '12 at 08:12
- @juhana: `^(a*a*)*$` is a classic. Try it on `aaaaaaaaaaaaaab` and watch your CPU burn. – Tim Pietzcker Feb 04 '12 at 08:38
- @Tim, <0.02 sec (even with much longer string) in PHP/Perl. – Qtax Feb 04 '12 at 11:25
2 Answers
It's very hard to do this by analysing the regex (short of actually parsing the regex itself).
I suggest you rather use conservative settings for `pcre.backtrack_limit` and `pcre.recursion_limit`.

Tim Pietzcker
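
An added example (not part of the answer above, and not any project's own code) of applying that advice: run the user's pattern against a few probe strings with the two PCRE limits lowered, and reject it if it fails to compile or hits a limit. The function name `checkUserRegex`, the limit values and the probe strings are assumptions chosen for illustration.

```php
<?php
// Added example, not from the page: checkUserRegex(), the limit values and
// the probe strings are hypothetical choices for illustration.
function checkUserRegex(string $pattern, array $probes,
                        int $backtrackLimit = 10000,
                        int $recursionLimit = 1000): array
{
    // Tighten the limits for this check only; ini_set() returns the old value.
    $oldBacktrack = ini_set('pcre.backtrack_limit', (string) $backtrackLimit);
    $oldRecursion = ini_set('pcre.recursion_limit', (string) $recursionLimit);
    try {
        foreach ($probes as $subject) {
            // "@" hides the compile warning; the false return is checked instead.
            if (@preg_match($pattern, $subject) !== false) {
                continue; // 0 or 1: the match finished within the limits
            }
            switch (preg_last_error()) {
                case PREG_BACKTRACK_LIMIT_ERROR:
                    return ['ok' => false, 'reason' => 'backtrack limit hit'];
                case PREG_RECURSION_LIMIT_ERROR:
                    return ['ok' => false, 'reason' => 'recursion limit hit'];
                default:
                    return ['ok' => false, 'reason' => 'invalid pattern or other PCRE error'];
            }
        }
        return ['ok' => true, 'reason' => 'all probes finished within limits'];
    } finally {
        // Restore the previous settings so other preg_* calls are unaffected.
        if ($oldBacktrack !== false) { ini_set('pcre.backtrack_limit', $oldBacktrack); }
        if ($oldRecursion !== false) { ini_set('pcre.recursion_limit', $oldRecursion); }
    }
}

// Constructed sample input: the pattern quoted in the comments, a plain
// pattern, and one that does not compile.
$probes = [str_repeat('a', 30) . 'b', 'hello'];
foreach (['/^(a*a*)*$/', '/^[a-z]+$/', '/(unclosed/'] as $pattern) {
    $r = checkUserRegex($pattern, $probes);
    printf("%-14s %s (%s)\n", $pattern, $r['ok'] ? 'accepted' : 'rejected', $r['reason']);
}
```

These limits only govern PHP's PCRE functions; a pattern that is later handed to a different engine, such as the Python program mentioned in the comments, is not constrained by them.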
It really depends on what you expect the program to do. If you are writing a regex tester, you simply need to have another field where they can input a string to check it against. Then use `String.test(/regex/)` or `String.match(/regex/)` to see if it is good for that string.

James
- It is not a regex tester, I am taking a regex from the user and sending it to a program that is written in Python. – ibrahim Feb 04 '12 at 08:07