I want to add a feature to my website to let users search the texts with RegEx. But is it safe to let the users do something like that?
preg_match('/' . $user_input_regex . '/', $subject);
Security-wise, you should never trust user input, so it depends on what you do with the input. In your given case you should at least escape the used delimiter (backslash) in the user input to ensure the regex works.
There is a possible attack on this code called a ReDoS attack (Regular expression Denial of Service).
Specifically with preg_match there is a known issue that can cause a PHP Segmentation Fault. So the answer is no, it is not safe because of issues such as these.
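The concerns raised in the answers above (delimiter handling, ReDoS, and crashes inside preg_match) can be reduced with a bounded wrapper. This is an added example, not code from the original posts; the function name, the length limits and the limit values are assumptions, and preg_last_error_msg() requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical wrapper, not from the original posts.
const MAX_PATTERN_LEN = 200;     // assumed limit, tune per application
const MAX_SUBJECT_LEN = 100000;  // assumed limit
const DELIM = "\x01";            // control byte as delimiter, rejected in input below

function user_regex_search(string $userPattern, string $subject): array
{
    if ($userPattern === '' || strlen($userPattern) > MAX_PATTERN_LEN) {
        return ['status' => 'rejected', 'reason' => 'pattern length'];
    }
    // Rejecting control bytes means the user can never close the delimiter
    // and append their own modifiers after it.
    if (preg_match('/[\x00-\x1F\x7F]/', $userPattern) === 1) {
        return ['status' => 'rejected', 'reason' => 'control character'];
    }
    if (strlen($subject) > MAX_SUBJECT_LEN) {
        return ['status' => 'rejected', 'reason' => 'subject length'];
    }
    // Bound the work PCRE may do for this call, then restore the old settings.
    $old = [
        'pcre.backtrack_limit' => ini_set('pcre.backtrack_limit', '100000'),
        'pcre.recursion_limit' => ini_set('pcre.recursion_limit', '10000'),
    ];
    try {
        // @ hides the compile warning for invalid patterns; the result is checked below.
        $result = @preg_match(DELIM . $userPattern . DELIM, $subject);
        $message = preg_last_error_msg();
    } finally {
        foreach ($old as $key => $value) {
            if ($value !== false) {
                ini_set($key, (string) $value);
            }
        }
    }
    if ($result === false) {
        // Invalid pattern or a limit was exceeded: never treat this as "no match".
        return ['status' => 'error', 'reason' => $message];
    }
    return ['status' => 'ok', 'matched' => $result === 1];
}

// Constructed sample inputs.
$text = 'The quick brown fox jumps over the lazy dog';
var_dump(user_regex_search('qu[a-z]+k', $text));   // ordinary search
var_dump(user_regex_search('(unclosed', $text));   // invalid pattern
// Nested quantifier of the kind ReDoS write-ups describe, on a constructed subject.
var_dump(user_regex_search('(a+)+$', str_repeat('a', 40) . '!'));
```

The limits cap backtracking inside one call but are not a time limit, so request-level timeouts and rate limiting on the search endpoint are still needed.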