I'm making a site for users to submit photos and digital artwork for a contest.
I have it set up this way: the user enters first/last names and contact details. The script creates a folder in a "submissions" directory as first_lastname/ and the images s/he uploads are copied into that directory. All the personal info gets written to a log file in addition to the names of the files uploaded, etc.
At the beginning of the script I set a hard-coded $submission_path variable to be the location where submissions are placed. Inside the $submission_path directory I create the $first_lastname directory, then copy the uploaded files to $submission_path."/".$first_lastname."/".$filename
Once the submission period is over, judges will be able to view the images in their browser windows. That script will just grab the file name from a directory listing.
Because user input is being written into files on the server, I can see how there's potential to insert malicious script into the various form fields. In my situation, it seems like a combination of preg_match and strip_tags will work best. What do you think?
Thanks!
Cameron
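As an added example (not code from the original post), here is one way to build the submission path and log entry described above so that neither the name fields nor the browser-supplied file name can steer the write outside the submissions directory. The function names, the "artwork" form field and the log path are assumptions for illustration; the approach is an allow-list with preg_match for the directory and file names, basename() to drop any directory part of the uploaded name, and a realpath() check of the final directory against $submission_path.

```php
<?php
// Added example, not from the original post. Assumed names:
// safe_path_component(), build_submission_path(), sanitize_log_field().

// Reduce first/last name to a single safe directory component.
function safe_path_component(string $first, string $last): string
{
    // Keep only letters, digits and hyphens; preg_match on the result gives a
    // hard yes/no instead of trusting the cleanup alone.
    $clean = fn(string $s) => preg_replace('/[^A-Za-z0-9-]+/', '', $s);
    $component = $clean($first) . '_' . $clean($last);
    if (!preg_match('/^[A-Za-z0-9-]{1,40}_[A-Za-z0-9-]{1,40}$/', $component)) {
        throw new InvalidArgumentException('Name contains no usable characters');
    }
    return $component;
}

// Build the destination path for one uploaded file and verify that the
// directory it resolves to is still inside $submission_path.
function build_submission_path(string $submission_path, string $first, string $last, string $client_filename): string
{
    $base = realpath($submission_path);
    if ($base === false) {
        throw new RuntimeException('submission path does not exist');
    }
    $dir = $base . DIRECTORY_SEPARATOR . safe_path_component($first, $last);

    // basename() drops any directory part ("../../x/passwd" becomes "passwd");
    // the allow-list then restricts the remaining characters and the extension.
    // Names with spaces or other characters are rejected, not rewritten.
    $name = basename($client_filename);
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.(jpe?g|png|gif)$/i', $name)) {
        throw new InvalidArgumentException('File name or extension not permitted');
    }

    // realpath() needs the directory to exist, so create it first.
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create submission directory');
    }
    $resolved = realpath($dir);
    if ($resolved === false || strpos($resolved . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('resolved path escaped the submissions directory');
    }
    return $resolved . DIRECTORY_SEPARATOR . $name;
}

// Log fields: strip tags and collapse line breaks so one submission cannot
// write text that looks like a second log entry.
function sanitize_log_field(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\r\n\t]+/', ' ', $value);
    return substr(trim($value), 0, 200);
}

// Usage in the upload handler (assumes a form field named "artwork").
// $submission_path = '/var/www/submissions';           // assumed location
// if (isset($_FILES['artwork']) && $_FILES['artwork']['error'] === UPLOAD_ERR_OK) {
//     // Check the file's actual content type, not only its extension.
//     $mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['artwork']['tmp_name']);
//     if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
//         exit('not an image');
//     }
//     $target = build_submission_path($submission_path, $_POST['first'], $_POST['last'],
//                                     $_FILES['artwork']['name']);
//     move_uploaded_file($_FILES['artwork']['tmp_name'], $target);
//     file_put_contents('/var/www/submissions.log',                // assumed log path
//         sanitize_log_field($_POST['email']) . "\t" . basename($target) . "\n", FILE_APPEND);
// }
```

Two points worth keeping in mind: strip_tags on the way in is not a substitute for escaping on the way out, so the judges' listing page should still pass each file name and contestant field through htmlspecialchars() when it prints them; and the extension allow-list is only a first filter, which is why the usage block also checks the detected MIME type before moving the file.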