== How to fix it in Core PHP

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
$input = $_GET["input"];

// User-controlled value written to the log as-is: a newline in it forges a
// new log entry.
error_log($input); // Noncompliant
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
$input = $_GET["input"];

// Allow-list check: any character outside [A-Za-z0-9_-] (newline, carriage
// return, escape sequences, quotes, ...) marks the value as unsafe to log.
if (preg_match("/[^A-Za-z0-9-_]/", $input)) {
    // Encode the whole value so it stays on one line and cannot forge log
    // entries, while remaining recoverable with base64_decode.
    $safeinput = '[' . base64_encode($input) . ']';
} else {
    $safeinput = $input;
}

error_log($safeinput);
----

include::../../common/fix/how-does-this-work.adoc[]

Here, the compliant code uses the `preg_match` function to check whether the input contains any character outside the allow-list. If it does, the `base64_encode` function is applied so that the value can no longer inject log entries while its original content stays recoverable.
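As an added example (not code from the rule page or from SonarSource), the same allow-list-then-base64 approach generalised to every request parameter and to non-string values such as `?input[]=`; the helper names and the constructed parameters are assumptions:

```php
<?php
// Added example: a reusable helper generalising the compliant solution.
// Values made only of [A-Za-z0-9_-] are logged verbatim; anything else is
// base64-encoded and wrapped in brackets so an analyst can tell it apart
// and decode it later. Function names are assumptions, not a PHP API.

function sanitizeForLog($value): string
{
    // Arrays (from ?input[]=...) or missing keys (null) never reach the
    // regex; they are rendered as a fixed placeholder instead.
    if (!is_string($value)) {
        return '[non-string:' . gettype($value) . ']';
    }
    // Same allow-list as the compliant solution: any character outside it
    // (newline, carriage return, escape sequences, quotes) triggers encoding.
    if (preg_match('/[^A-Za-z0-9_-]/', $value)) {
        return '[' . base64_encode($value) . ']';
    }
    return $value;
}

function buildLogLine(string $event, array $params): string
{
    $fields = [];
    foreach ($params as $name => $value) {
        // Keys are attacker-controlled too, so they get the same treatment.
        $fields[] = sanitizeForLog((string) $name) . '=' . sanitizeForLog($value);
    }
    return $event . ' ' . implode(' ', $fields);
}

function decodeLogValue(string $field): string
{
    // Analyst helper: recover the original content of an encoded field.
    if (preg_match('/^\[([A-Za-z0-9+\/=]+)\]$/', $field, $m)) {
        return base64_decode($m[1], true);
    }
    return $field;
}

// Constructed inputs standing in for $_GET: one benign value, one array,
// and one value that tries to forge a second log entry with CRLF.
$params = [
    'user'  => 'alice',
    'tags'  => ['a', 'b'],
    'input' => "x\r\nINFO: user=admin status=ok",
];
error_log(buildLogLine('login_failed', $params));
```

The forged `INFO:` entry ends up base64-encoded inside brackets on the same line as `login_failed`, and `decodeLogValue()` returns the original bytes when an analyst needs them.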