PHP Class Psecio\Parse\Rule\PregReplaceWithEvalModifier

With the e modifier set preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string. This modifier is deprecated as of PHP 5.5 and use is highly discouraged as it can easily introduce security vulnerabilites. Example of failing code The following code can be easily exploited by passing in a string such as {${eval($_GET[php_code])}}
. This gives the attacker the ability to execute arbitrary PHP code and as such gives him nearly complete access to your server.

$html = preg_replace(
    '((.*?))e',
    '"" . strtoupper("$2") . ""',
    $_POST['html']
);

How to fix? Use the preg_replace_callback() function instead.

$html = preg_replace_callback(
    '((.*?))',
    function ($m) {
        return "" . strtoupper($m[2]) . "";
    },
    $_POST['html']
);

Inheritance: implements Psecio\Parse\RuleInterface, use trait Psecio\Parse\Rule\Helper\NameTrait, use trait Psecio\Parse\Rule\Helper\DocblockDescriptionTrait, use trait Psecio\Parse\Rule\Helper\IsFunctionCallTrait

Show file Open project: psecio/parse

Public Methods

Method	Description
isValid ( PhpParser\Node $node )

Method Details

isValid() public method

public isValid ( PhpParser\Node $node )
$node	PhpParser\Node