In the CodeIgniter PHP framework, there is a function that automatically runs on each request that, among other things, filters the GET/POST/COOKIE array keys, and kills the application if it encounters characters it deems unsafe.
To prevent malicious users from trying to exploit keys we make sure that keys are only named with alpha-numeric text and a few other items.
Something like:
// foreach GET/POST/COOKIE keys as $str...
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
exit('Disallowed Key Characters.');
}
For example, this will trigger if you accidentally post something like <input name="TE$T"> or have a query string like ?name|first=1.
I can see this being a good way to enforce common sense key names, or catch mistakes while developing an application, but I don’t understand: How can a malicious user possibly “exploit keys” in $_POST data for instance? Especially since (I would assume) input values are just as exploitable, what is this actually preventing?
Your question, in itself, brings up a good point: it’s unclear what exactly you’re being protected against. But there are some popular items it could be addressing:
But other than those, I really can’t think of why you’d always why you’d want to generally protect via
preg_match("/^[a-z0-9:_\/-]+$/i", $str).I’ve got the feeling that they’re overprotecting simply because CodeIgniter is so widely used that they need to protect against things they themselves haven’t thought of yet for the sake of their users who may be even less-aware of such attacks than CodeIgniter’s developers.