tags:

views:

148

answers:

3
+2  Q: 

preg_match for <?php, <?, and/or ?>

Hello guys, I'm not very familiar with regEx's and I'm trying to find a preg_match regex for searching for any of the following strings within a file and if found it will halt it. I already have the fopen and fgets and fclose setup I just need to use a regex inside of a preg_match for the following php tags:

<?php <? ?>

so if preg_match returns 1 than this will skip this file and not upload it. I am using the $_FILES array to upload it via post, so I'm hoping I can use the $_FILES['file']['tmp_name'] variable for this to read through the file.

Thanks for your help with this :)

EDIT

if (in_array('application/x-httpd-php', $files[$filid]['mimetypes']) && ($_FILES[$value]['type'][$n] == 'application/octet-stream' || $_FILES[$value]['type'][$n] == 'application/octetstream'))
{
    $file_extension = strtolower(substr(strrchr($_FILES[$value]['name'][$n], '.'), 1));

    if ($file_extension == 'php')
    {
        // Reading the current php file to make sure it's a PHP File.
        $fo = fopen($_FILES[$value]['tmp_name'][$n], 'rb');
        while (!feof($fo))
        {
            $fo_output = fgets($fo, 16384);

            // look for a match
            if (preg_match([REG EX HERE], $fo_output) == 1)
            {
                $php = true;
                break;
            }
        }
        fclose($fo);
    }
}

OK, I apologize, but actually, what I am doing is I need to find a PREG MATCH. Because if it is a PHP FILE, I need to set the MIME TYPE to: application/x-httpd-php within the database. BECAUSE I'm also allowing PHP Files to be uploaded as well in certain instances. So hopefully the code I posted above makes more sense to you all now.

Can someone please help me with a preg_match regex for this please?

+1  A:  
/(?:<\?(?!xml)|\?>)/

(15 chars)

kemp  2010-05-30 15:49:11
No need to test for `<?php` as `<?php` will already be matched by `<?`.
Gumbo  2010-05-30 15:52:42
Ok, so how would I change this for only `<?` and `?>` strings than?
SoLoGHoST  2010-05-30 15:56:33
You would simply remove the center block, leaving you with /(?:<\?|\?>)/
ABach  2010-05-30 16:03:58
True, that was silly
kemp  2010-05-30 16:07:22
Matches `<?xml` as well..
Matt  2010-05-30 16:12:49
@Matt: yes, but that's what the OP asked
kemp  2010-05-30 16:14:00
@kemp - strictly speaking, OP asked to only match PHP tags
Matt  2010-05-30 16:15:25
Ouch, yeah, is there a way to match PHP Tags only? So really, it should check for a space at the end of this or make sure that this is the only string in this... So we should be able to derive a solution to this, as it needs to match `<?`, `<?php`, or `?>` ONLY.
SoLoGHoST  2010-05-30 16:16:29
So, I suppose you'll need to match `<?php` directly than as well as all of the other possible php tags, guess that's the only way. But how?
SoLoGHoST  2010-05-30 16:23:17
You can discard the `xml` possibilty with a negative lookahead (edited now). If you look for PHP stuff you also have to consider `<?=`
kemp  2010-05-30 16:26:14
So there's no way to make a regex for a perfect match of `<?` or `?>` or `<?php` ONLY?
SoLoGHoST  2010-05-30 16:29:18
Well ONLY `<?` is tricky, as it depends on what follows it. `<?$var` is PHP, `<?xml` is XML.
kemp  2010-05-30 16:33:06
Sorry, after testing this approach even further, I see it doesn't work after all. Thanks anyways, but I have decided to use another approach... arggg
SoLoGHoST  2010-05-30 21:00:54
+2  A: 

If you want to parse the file, try the following instead:

function containsPhp($file) {
    if(!$content = file_get_contents($file)) {
        trigger_error('Not a file');
        return false;
    }
    foreach(token_get_all($content) as $token) {
        if(is_array($token) && in_array(current($token), array(T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO))) {
            return true;                
        }
    }
    return false;
}

... besides checking for a php extension (php, php5, phtml, inc etc).

chelmertz  2010-05-30 16:31:36
Ok, I don't know what's going on here, but I just uploaded an XML file using this approach after changing the file extension from .xml to .php. So this doesn't work at all.
SoLoGHoST  2010-05-30 19:05:41
And when I upload other files, for example .zip files, I get this error about 100 times at the top of my page: `Warning: Unexpected character in input: '' (ASCII=5) state=1 in` and the ASCII changes to equal different values for each error, but all errors point to this line: `foreach(token_get_all($content) as $token) {`
SoLoGHoST  2010-05-30 19:09:47
This approach sucks. The fact that it got 2 up votes was incredible and a poor vote from the people who did this. No offense, but like I said, changing the filename from .xml to .php returns this as being TRUE! I've never seen 1 instance where using the token_get_all() actually returned positive results.
SoLoGHoST  2010-05-30 19:23:47
My testcase was based on 3 .php-files, one which included `<?= 'hello' `, one with `<?php echo 'hello` and one with `hello`, they all returned correct values. If your xml file included `<?` then it's probably matched against an opening php-tag (which you'd hit with your regexp anyways). You could probably add more xml/zip/etc tests to blacklist.
chelmertz  2010-05-30 20:05:05
My XML file had <?xml in it only.
SoLoGHoST  2010-05-30 20:09:36
For example: `<?xml version="1.0" encoding="utf-8" ?>` That's it, and this returned TRUE!
SoLoGHoST  2010-05-30 20:10:39
I really really would like to use this approach, but it's a shame it doesn't work. arggg. Thanks anyways.
SoLoGHoST  2010-05-30 21:02:33
It will actually match anything containing those tags so it's just for whitelisting php and not blacklist anything else. Sorry bro. See http://php.net/manual/en/tokens.php
chelmertz  2010-05-30 21:12:17
I don't even know what whitelisting and/or blacklisting even means... lol
SoLoGHoST  2010-05-30 21:26:31
Whitelisting = disallow everything but X, Y and Z; blacklisting = allow everything but X, Y Z. Think of spam filters with emails from your contacts (whitelisted) vs emails containing bad words (blacklisted). Or file inclusion: only allow your specified actions (whitelisting), vs disallowing every dangerous action (blacklisting, very hard to hit all those cases so whitelisting is a better choice here).
chelmertz  2010-05-30 22:17:10
+1  A:  
\?>|<\?((?=php)|(?!\w))
ZyX  2010-05-30 18:02:44

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases