web:preg_replace

On Friday 21st March, we had a look at a web challenge proposed by Zenk Security, which involves BBCode-like markup.

We supposed that the challenge uses the (virulent) e modifier of PHP's preg_replace function. Here is a working code snippet which evals the PHP code between [code] and [/code] tags.

<?php
 
/* First sample */
 
# Sample from http://www.murraypicton.com/2010/11/using-phps-preg_replace-with-the-e-modifier/

$string = 'http://www.google.com and http://www.murraypicton.com';
$pattern = '!(http\://[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(/\S*)?)!e'; //Notice the 'e' modifier
 
$replacement = 'urlencode("$1")';
echo preg_replace($pattern, $replacement, $string); //Outputs "http%3A%2F%2Fwww.google.com and http%3A%2F%2Fwww.murraypicton.com"
echo "\n\n";
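
/***********************************************************************/
/*     Second sample using bbcode-like syntax with a code tag          */

$str = "[code]print(1+1);[/code]";

// With the 'e' modifier, the replacement string is evaluated as PHP after
// the backreference is substituted, so the text between the tags is executed.
preg_replace(
      '!\[code\](.*?)\[/code\]!e',
      'eval("$1")',
      $str
);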
 
echo "\n\n";
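
For comparison, here are the same two transformations written without the e modifier, which was deprecated in PHP 5.5 and removed in PHP 7.0. This is an added example, not code from the challenge or from the original page; the function names `encode_urls` and `render_bbcode_code` are hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added example: hardened equivalents of the two samples above.
// encode_urls() and render_bbcode_code() are hypothetical helper names.

/**
 * First sample, without 'e': the match is handed to a callback as data,
 * so it is never parsed as PHP source.
 */
function encode_urls(string $text): string
{
    $pattern = '!(http://[a-zA-Z0-9\-.]+\.[a-zA-Z]{2,3}(/\S*)?)!';
    return preg_replace_callback(
        $pattern,
        function (array $m): string {
            return urlencode($m[1]);
        },
        $text
    );
}

/**
 * Second sample, without 'e': [code]...[/code] is rendered as an escaped
 * <pre><code> block. The content is displayed, never evaluated.
 */
function render_bbcode_code(string $text): string
{
    // Escape the whole input first so no user-supplied HTML survives;
    // the square-bracket tags are untouched by htmlspecialchars().
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Pure markup substitution needs no callback and no evaluation.
    // The 's' flag lets a code block span several lines.
    return preg_replace(
        '!\[code\](.*?)\[/code\]!s',
        '<pre><code>$1</code></pre>',
        $escaped
    );
}

// Constructed sample inputs, reusing the strings from the page.
echo encode_urls('http://www.google.com and http://www.murraypicton.com'), "\n";
echo render_bbcode_code('[code]print(1+1);[/code] <script>alert(1)</script>'), "\n";
```
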
web/preg_replace.txt · Last modified: 2014/03/26 20:51 by fser