Regular Expression (regex) error causes Function Vulnerability Analysis, regular expression regex

Source: Internet
Author: User

Regular Expression (regex) error causes Function Vulnerability Analysis, regular expression regex


Regular expressions have powerful string matching functions, making them popular in various programming languages! It is used to describe or match a series of strings that conform to a certain syntactic rule. Many of the regular expressions are just heard of this, and then search for it online. Very few people start to learn Regular Expressions and use the system to learn from the definition principle. Because it is too troublesome for beginners and contains many original characters. A long string of characters is a headache. Therefore, you are too lazy to learn. If you encounter problems, search for them online. For example, "email regular expression, mobile phone number regular expression, url regular expression ....." , We found a very interesting phenomenon. "How can I use a variety of mailbox regular expressions, and url regular expressions are also different?", all of them are recommended. They all say they are correct, which one is correct?

We can draw two conclusions from different regular expressions. I. Regular Expressions are flexible. Multiple methods can achieve the same result (all major paths are in Rome). II. Regular Expression matching results need to be verified. Complex regular expressions can easily produce incorrect matching. Today, I will not talk about the flexibility of regular expressions. Let's take a look at common regular expressions that are incorrectly used to generate functional vulnerability examples. Hopefully, we will pay more attention to it when using it. The following is an example of code review in my work. Examples are often displayed!

Keyword "^ $" missing bug

<? Php // check username. It can only contain characters and numbers $ user = "chengmo8"; if (! Preg_match ("<strong>/[0-9a-zA-Z] +/</strong>", $ user) {exit ("username error! ");}

This is very common because regular expression search does not have delimiters. It searches from the $ user string to the right of the string. The regular expression searches for matching characters that meet the condition, and returns true, and the program continues to run. Let's test. input the following Username: chengmo8, chengmo8 ??!, # $ Chengm and China cadadf can all be matched successfully. It seems that only characters and numbers are allowed. In fact, due to the lack of a regular expression with a qualifier, the character string can be registered as long as it contains letters and numbers. What we need is that the string from start to end must contain letters and numbers. The regular expression should be: ^ [0-9a-zA-Z] + $. It seems simple. Do not forget the ^ $ character when matching the start and end characters. Start with a matching input character and end with a matching input character (before the default line break)

This is often done, such as mobile phone number, email address, url, registered user name, and password. All must have a qualified symbol!

Character Bug in square brackets "[]"

In a regular expression, the common regular expression is the original character (.*? And so on) the square brackets will become common characters. The square brackets indicate special characters. Only the "^-\" character must be special characters. The "^" character indicates that it is not included in all the subsequent characters when the first character in the left square brackets is used!

For example, [^ 0] cannot be 0 characters. If it is: [0 ^], it indicates that it contains 0 ^ characters. Because: ^ is no longer the rightmost character of the left bracket. It is already the same as a normal word. The "-" character indicates a range character. For example, [0-9] indicates that the string matches 0 to 9 ." \ "Escape character. If you want to match the"-"character, you can [0 \-9]. If you want to match" \ ", it can be: [0 \ 9], it must be a string of 3 characters. In fact, many friends often make mistakes when using square brackets.

<? Php /// check the username. It can only contain characters and numbers $ code = ""; // The matching character range contains .*? Preg_match ("/[. *?] +/", $ Code); // The matching character range is a to z 26 characters preg_match ("/[a-z] +/", $ code ); /// the matching character range contains A to z. In fact, it is from the default ascii table, and the to z characters are in the middle, A total of 48 characters preg_match ("/[A-z] +/", $ code); // The matching character range contains A to z, which corresponds to the ascill code, hexadecimal preg_match ("/[x41-x7A] +/", $ code); // just want to match the string andpreg_match ("/[and]/", $ code ); /// actual match. All characters including a, n, and d are not related to the order.

Red is a frequent misunderstanding. Only matching and is required. Once added to the "[]" character, it can be understood that all characters constitute a character set. Any character in it can be matched. It is irrelevant to the order! If you really need to match this type, group by character, for example, "and | bnd" will match the and string or the bnd string ." | "Is a string or operator. Consecutive strings on both sides of the string are combined into a complete match.

Now, let's sort out the common Regular Expressions and two common errors. Welcome to our discussion!

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.