
Any security problem allowing admin-entered preg_match() pattern?

I have a question for people out there who are familiar with PHP security issues...

Let's say there's a configuration form that lets an administrator supply a preg_match() pattern. That pattern will be saved and later used to validate a user-supplied field on another form.

The intention is that this would only be available to a site administrator, but let's presume for the moment that there is no such restriction.

I understand, of course, that someone who doesn't understand preg_match() could easily generate a pattern that doesn't do what's expected. But I'll consider that the administrator's problem unless a bad pattern could bring the site down.

But can anyone think of a security hole this could introduce? Is there something in preg_match() that might let someone run some PHP, or access the file system, or something else equally nefarious? I've done some web searching and haven't found anything, but want to be sure.
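
An added example, not part of the original post: one way to handle a stored, admin-supplied pattern defensively in PHP, rejecting patterns that do not compile at save time and failing closed when preg_match() returns false at validation time. The function names, the length cap and the sample patterns are assumptions made up for illustration.

```php
<?php
// Added example. Function names, the length cap and the sample patterns are
// assumptions for illustration, not taken from the original post.

// Save time: accept the admin's string only if PCRE can compile it.
function check_admin_pattern(string $pattern): bool
{
    // preg_match() returns false (with a warning) for a malformed pattern.
    return @preg_match($pattern, '') !== false;
}

// Validation time: true only on a definite match; every error fails closed.
function validate_field(string $pattern, string $value, int $maxLen = 256): bool
{
    if (strlen($value) > $maxLen) {
        return false; // bound how much input the regex engine has to scan
    }
    $result = @preg_match($pattern, $value);
    if ($result === false) {
        // Pattern no longer compiles, or a PCRE limit such as
        // pcre.backtrack_limit was hit while matching.
        error_log('stored pattern failed, preg_last_error=' . preg_last_error());
        return false;
    }
    return $result === 1; // 0 means "no match", which is not an error
}

// Constructed samples: a sane pattern, a malformed one, and one with nested
// quantifiers that backtracks heavily on a near-miss input.
$samples = [
    ['/^[a-z0-9_]{3,16}$/', 'alice_01'],
    ['/^[a-z0-9_{3,16}$/',  'alice_01'],
    ['/^(a+)+$/',           str_repeat('a', 40) . '!'],
];
foreach ($samples as [$pattern, $value]) {
    printf("%-22s compiles=%s accepts=%s\n", $pattern,
        var_export(check_admin_pattern($pattern), true),
        var_export(validate_field($pattern, $value), true));
}
```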