Are there any security issues if I run custom regex on my server with a custom input string? I do not ask about one language, but in any language really, with PHP as one of the main languages that I would like to learn about.
For example, if I have the code below:
<?php
if(isset($_POST['regex'])) {
preg_match($_POST['regex'], $_POST['match'], $matches);
var_dump($matches);
}
?>
<form action="" method="post">
<input type="text" name="regex">
<textarea name="match"></textarea>
<input type="submit">
</form>
Ensuring that this is not a controlled environment (i.e. the user cannot be trusted), what are the risks of the above code? If similar code is written for other languages, are there risks in these other languages? If so, which languages contain threats?
I already learned about the "evil regular expressions", however, no matter what I try to use on my computer, they seem to work fine, see below.
Php
<?php
php > preg_match('/^((ab)*)+$/', 'ababab', $matches);var_dump($matches);
array(3) {
[0] =>
string(6) "ababab"
[1] =>
string(0) ""
[2] =>
string(2) "ab"
}
php > preg_match('/^((ab)*)+$/', 'abababa', $matches);var_dump($matches);
array(0) {
}
Javascript
phantomjs> /^((ab)*)+$/g.exec('ababab');
{
"0": "ababab",
"1": "ababab",
"2": "ab",
"index": 0,
"input": "ababab"
}
phantomjs> /^((ab)*)+$/g.exec('abababa');
null
, PHP JavaScript . , , .
?
, , , , ?