new_b

Reputation: 33

$_GET['user'] security vulnerability in PHP

I'm posting it for a clarification in a specific situation, though user input sanitization/validations is a cliche subject.

A section of the code contains

$haystack=$_GET['user'];

$haystack is never used for 'echo' or 'print' or in any SQL query or in any such thing. The only further use of the user input ( $haystack ) is to check if the string contains a predefined $needle.

if (preg_match($needle, $haystack)) {
    $result = "A";
} else {
    $result = "B";
}

My worry is the execution of malicious code, rather than its presence in the user input.

So the question is: if the user input is used only in the context mentioned above (no usage in echo, print, SQL etc.), is there still a possibility of malicious code in the user input getting executed?

I want to add only the security measures that are required for this context, rather than overdoing it.

Upvotes: 1

Views: 1592

Answers (4)

olivier

Reputation: 1017

If used only in the context, there's no way to execute malicious code from the user input.

You should be careful with eval, preg_replace (with modifier e, thanks Pelshoff), database queries and echo (& print, sprintf…).

Upvotes: 3
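To make the distinction in the question and this answer concrete, here is an added example (not code from the question or from any of the answers). It assumes the "predefined $needle" is a hard-coded pattern, and it assumes the pdo_sqlite extension is available for the SQL part. It runs the question's check over constructed inputs that are classic payloads for other sinks, adds the one check this context actually needs (the value may be missing, or an array if the request is user[]=x, which preg_match() rejects), and then shows the sinks listed above with the safe form beside the unsafe one. The preg_replace /e modifier is not demonstrated because it was removed in PHP 7.0; the lesson it carried still applies: keep user data in the subject argument and never in the pattern or in anything that is evaluated.

```php
<?php
declare(strict_types=1);

// Constructed for this example: a hard-coded pattern standing in for the
// question's "predefined $needle".
const NEEDLE = '/^admin/i';

// The question's check, hardened only as far as this context requires.
// $_GET['user'] may be absent, and user[]=x makes it an array; preg_match()
// warns on an array in PHP 7 and throws a TypeError in PHP 8, so reject it.
function classify(array $get): string
{
    $haystack = $get['user'] ?? '';
    if (!is_string($haystack)) {
        return 'B';
    }
    return preg_match(NEEDLE, $haystack) === 1 ? 'A' : 'B';
}

// Constructed inputs: the last four are payloads aimed at other sinks.
// In preg_match() they are only ever compared against the pattern.
$samples = [
    'admin',
    'Administrator',
    'bob',
    "' OR 1=1 --",                  // SQL injection payload
    '<script>alert(1)</script>',    // XSS payload
    '<?php system("id"); ?>',       // PHP source, never evaluated here
    ['admin'],                      // what user[]=admin arrives as
];

foreach ($samples as $s) {
    $label = is_array($s) ? '(array)' : $s;
    printf("%-30s => %s\n", $label, classify(['user' => $s]));
}

// Sink 1: echo/print. Unsafe when the string is written into HTML as-is;
// safe once it is escaped for the context it lands in.
function renderUnsafe(string $user): string
{
    return "Hello $user";
}

function renderSafe(string $user): string
{
    return 'Hello ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
}

echo renderUnsafe('<script>alert(1)</script>'), "\n";
echo renderSafe('<script>alert(1)</script>'), "\n";

// Sink 2: SQL. The same payload changes the query when concatenated and is
// just a value when bound to a prepared statement. In-memory SQLite so the
// example runs offline (assumes pdo_sqlite).
$payload = "' OR 1=1 --";
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users(name TEXT)');
$pdo->exec("INSERT INTO users VALUES ('admin'), ('bob')");

$unsafeCount = (int) $pdo
    ->query("SELECT COUNT(*) FROM users WHERE name = '" . $payload . "'")
    ->fetchColumn();

$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = ?');
$stmt->execute([$payload]);
$safeCount = (int) $stmt->fetchColumn();

printf("concatenated SQL matched %d rows, prepared statement matched %d\n",
    $unsafeCount, $safeCount);
```

Running it shows every sample, payloads included, classified as A or B and nothing else happening; the only checks that earn their place in the question's context are the isset and is_string guards. The escaping and the prepared statement are what would be needed if $haystack ever did reach echo or a query, which is the situation the answers warn about.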

Michael F

Reputation: 40830

While the $haystack may not be reflected, it can obviously affect program flow. The (extremely short) code you posted certainly doesn't look directly vulnerable, but not sanitizing your input may enable code execution in conjunction with other vulnerabilities.

Upvotes: 0

user684934

Reputation:

preg_match won't end up executing your input. It's too simple and straightforward to have a hidden exploitable bug. If you toss $haystack after running preg_match on it, then it can't possibly hurt you.

Upvotes: 0

TJHeuvel

Reputation: 12608

It's not possible to just execute arbitrary code by being able to alter a string. Only when you output the string directly, or use it in SQL, should you be really worried.

Upvotes: 0
