Possible bug on validating array input field
#1

[eluser]Unknown[/eluser]
Hi, I'm a new user of CI, so I hope the members of this forum can help me identify something that is possibly a bug in CI.

It's in the form validation library. I think this bug only occurs when someone submits an array field and it is processed using this library. You can try it by using the code from the user guide.

To reproduce the bug, change the field name username to username[] as an array input field in controller/form.php (and if you want, you may change the field name in views/myform.php).

Code:
<?php

class Form extends Controller {
    
    function index()
    {
        $this->load->helper(array('form', 'url'));
        
        $this->load->library('form_validation');
            
        $this->form_validation->set_rules('username[]', 'Username', 'required'); // I changed this line from username to username[]
        $this->form_validation->set_rules('password', 'Password', 'required');
        $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required');
        $this->form_validation->set_rules('email', 'Email', 'required');
            
        if ($this->form_validation->run() == FALSE)
        {
            $this->load->view('myform');
        }
        else
        {
            $this->load->view('formsuccess');
        }
    }
}

This bug occurs when I submit a username with quotes and all fields are successfully validated. One time I got a message like this: Parse error: syntax error, unexpected T_STRING in /systemdir/libraries/Form_validation.php(458) : eval()'d code on line 1

I checked Form_validation.php (line 454) and found that the username field data is passed to $this->prep_for_form(). However, when all validation succeeds, $this->_safe_form_data is set to FALSE, so the username[] data is returned as it was passed (line 1202). Then the data is eval'd on line 458, which causes PHP to raise a message saying that something is wrong with the eval'd data.

I can even inject code like "; die(); // which causes nothing to show on success.

Can someone confirm if this is a bug or even possibly a security bug? Thanks.
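The safe way to handle the array field names the post describes is to resolve them by walking the POST array with plain key lookups, so that submitted values never become part of a PHP expression. This is an added example and not CodeIgniter's own code; the function names `field_name_to_keys`, `reduce_array` and `lookup_field` and the sample `$post` array are constructed for illustration.

```php
<?php
// Added example (not CodeIgniter's code): resolve a form field name such as
// "username", "username[]" or "user[name][0]" against a POST-style array by
// walking its keys. No eval() is involved, so quotes or "; die(); //" inside a
// submitted value remain inert string data.

function field_name_to_keys(string $field): array
{
    // Accept only identifier-like field names: "name", "name[]", "name[sub][0]".
    if (!preg_match('/^([A-Za-z_][A-Za-z0-9_\-]*)((?:\[[A-Za-z0-9_\-]*\])*)$/', $field, $m)) {
        throw new InvalidArgumentException("Rejected field name: $field");
    }
    $keys = [$m[1]];
    if ($m[2] !== '') {
        preg_match_all('/\[([^\]]*)\]/', $m[2], $parts);
        foreach ($parts[1] as $p) {
            $keys[] = $p; // an empty segment stands for a trailing "[]"
        }
    }
    return $keys;
}

function reduce_array(array $data, array $keys)
{
    $current = $data;
    foreach ($keys as $k) {
        if ($k === '') {
            return $current; // "[]": hand back everything at this level
        }
        if (!is_array($current) || !array_key_exists($k, $current)) {
            return null;     // missing key: no value, no error, no code execution
        }
        $current = $current[$k];
    }
    return $current;
}

function lookup_field(array $data, string $field)
{
    return reduce_array($data, field_name_to_keys($field));
}

// Constructed sample input standing in for $_POST; the first username value is
// the string from the post above and is treated purely as data here.
$post = [
    'username' => ['"; die(); //', 'alice'],
    'user'     => ['name' => ['bob']],
    'password' => 'secret',
];

var_dump(lookup_field($post, 'username[]'));   // both raw username strings
var_dump(lookup_field($post, 'user[name][0]')); // nested scalar lookup
var_dump(lookup_field($post, 'password'));      // plain field
```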