Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Possible Duplicate:
Sanitization of User-Supplied Regular Expressions in PHP
Let’s say you want to let users search for something and your search function has the ability to accept regular expressions.
Is it OK to let site users to search by regexes that they post? From a user’s point of view, I’d love a site which would let me do that 😀
Is there any security risk involved? How can I sanitize a regex?
The main risk is that the regular expression is very complex and will run for ages or reach the recursion limit of the engine. See this article. Other risks may occur if you let your users user regex replacement in the wrong places, because that introduces the risk of code injection. But matching itself cannot really do any other harm than DoSing your server.
There has been a question recently on how to recognize these dangerous regexes and the consensus was that it is not generally possible. See the question.
You are probably best off by restricting the time your regex search can take and abort it if it takes too long.