200 Days of Code, Beginner Track, Month 5

Post on 22-Jan-2018



Chapters 12, 13, 14

Ryne McCall

(a little) Security

Regular expressions

Unicode (maybe)







Security


OWASP top ten

• A1 - Injection
• A2 - Broken Authentication and Session Management
• A3 - Cross-Site Scripting (XSS)
• A4 - Insecure Direct Object References
• A5 - Security Misconfiguration
• A6 - Sensitive Data Exposure
• A7 - Missing Function Level Access Control
• A8 - Cross-Site Request Forgery (CSRF)
• A9 - Using Components with Known Vulnerabilities
• A10 - Unvalidated Redirects and Forwards

Regular expressions


•What are they?

•Best practices



“...we saw how everyone borrowed Perl 5 compatible regular expressions, and we figured - well, you know, they're a real big mess, and we're sorry, but we're changing them now, now that you've just borrowed them.”

– Larry Wall

What are they?

PCRE functions

• preg_filter — Perform a regular expression search and replace
• preg_grep — Return array entries that match the pattern
• preg_last_error — Returns the error code of the last PCRE regex
• preg_match_all — Perform a global regular expression match
• preg_match — Perform a regular expression match
• preg_quote — Quote regular expression characters
• preg_replace_callback — Perform a regular expression search and replace using a callback
• preg_replace — Perform a regular expression search and replace
• preg_split — Split string by a regular expression


preg_match

int preg_match ( string $pattern , string $subject [, array &$matches ] )




/app/
A. foo
B. bar
C. apple
D. app


/a|b/
A. a
B. b
C. ab
D. x


/a+/
A. a
B. aaa
C. baaab
D. b


/a*/
A. a
B. aaa
C. baaab
D. b


/^app$/
A. foo
B. bar
C. apple
D. app


/^ab?c$/
A. aac
B. abc
C. ac
D. acc


/^a.c$/
A. aac
B. abc
C. ac
D. acc







/[[:alpha:]]/ or /[A-Za-z]/
A. a
B. b
C. c
D. -


/^[[:alpha:]]+\d*$/
A. abc123
B. a
C. ~abc123~
D. 123abc


/a{2,4}/
A. a
B. aa
C. aaaa
D. b



A. a0

B. a0xyz

C. 0a1b

D. a0b1xyz




Best practices

“Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.”

– Jamie Zawinski

/good text/
A. good text; evil text
B. evil text good text
C. good text'; evil text
D. good text

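The script below is an added example, not part of the slides: it runs the deck's quiz patterns through preg_match, then uses the "good text" slide to show why an unanchored pattern is a poor input check and how preg_quote handles untrusted literals. It assumes PHP 7.4 or later; the quiz table is constructed from the slides.

```php
<?php
// Added example, not from the slides: run the quiz patterns through
// preg_match, then show why an unanchored pattern makes a poor input check.

/**
 * True only when $pattern matches $input. preg_match returns 1, 0 or false
 * (error such as a bad pattern or backtracking limit), so compare strictly
 * instead of relying on truthiness, and surface the PCRE error code.
 */
function matches(string $pattern, string $input): bool
{
    $r = preg_match($pattern, $input);
    if ($r === false) {
        throw new RuntimeException('preg_match error code ' . preg_last_error());
    }
    return $r === 1;
}

// Quiz patterns from the slides and their answer options (constructed table).
$quiz = [
    '/app/'               => ['foo', 'bar', 'apple', 'app'],
    '/a|b/'               => ['a', 'b', 'ab', 'x'],
    '/a+/'                => ['a', 'aaa', 'baaab', 'b'],
    '/a*/'                => ['a', 'aaa', 'baaab', 'b'],  // a* matches "", so every subject
    '/^app$/'             => ['foo', 'bar', 'apple', 'app'],
    '/^ab?c$/'            => ['aac', 'abc', 'ac', 'acc'],
    '/^a.c$/'             => ['aac', 'abc', 'ac', 'acc'],
    '/^[[:alpha:]]+\d*$/' => ['abc123', 'a', '~abc123~', '123abc'],
    '/a{2,4}/'            => ['a', 'aa', 'aaaa', 'b'],
];
foreach ($quiz as $pattern => $options) {
    $hits = array_filter($options, fn ($s) => matches($pattern, $s));
    printf("%-22s matches: %s\n", $pattern, implode(', ', $hits));
}

// The "good text" slide: an unanchored pattern accepts anything that merely
// contains the expected text, including strings with extra payload appended.
$inputs = ['good text; evil text', 'evil text good text', "good text'; evil text", 'good text'];
foreach ($inputs as $s) {
    printf("%-24s unanchored=%d anchored=%d\n", $s,
        matches('/good text/', $s), matches('/^good text$/', $s));
}
// All four pass the unanchored check; only "good text" passes the anchored one.

// Building a pattern from untrusted text: preg_quote escapes metacharacters
// and the delimiter so the input is matched literally rather than as syntax.
$literal = 'good text; evil text';
$safe = '/^' . preg_quote($literal, '/') . '$/';
var_dump(matches($safe, $literal)); // bool(true)
```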


