  1. #1
    SitePoint Guru

    Good Preg Match Standards?

    Hi,

    I have been using the following preg_match to ensure only correct email addresses are used. However, it allows name@company to be entered.

    Are there solid and reliable preg_match patterns which should be used for email and standard data input such as name and company name?

    How can I prevent someone from injecting code into the DB?

    Code:
    // The "." after the domain part is unescaped (it matches any character) and the
    // pattern is unanchored, so "name@company" still matches.
    if(preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) {
        $error = "The email you entered is not valid.";
    }

  2. #2
    cpradio (Hosting Team Leader)
    Instead of using preg_match, check out the first example on filter_var on this page http://us3.php.net/manual/en/function.filter-var.php

  3. #3
    SitePoint Guru
    Thanks, I have seen that but I don't understand it. I can't see what it does or how to use it.

    What code should I use for proper emails and to stop code injection?

  4. #4
    cpradio (Hosting Team Leader)
    So the first example has
    PHP Code:
    var_dump(filter_var('bob@example.com', FILTER_VALIDATE_EMAIL));
    So you can use
    PHP Code:
    $emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
    if (!$emailAddress)
    {
        $error = 'Invalid E-mail Address';
    }

    It will validate and ensure only valid characters are used for an e-mail address. You can then use PDO (prepared statements) or mysql_real_escape_string to ensure a sql injection isn't still possible.

  5. #5
    SitePoint Guru
    Brilliant, thanks, that worked perfectly.

    This is all the code I have complete for email insertion. I have the mysql_real_escape_string on the email post. Is there anything else I need to add to make it safe?

    Is preg_match outdated? Are there any special characters I should reject?


    Code:
    // Read the posted value safely (isset on $emailaddress itself is always true after assignment)
    $emailaddress = isset($_POST['emailaddress']) ? mysql_real_escape_string(trim($_POST['emailaddress'])) : '';

    if(empty($emailaddress) && !$error) {
        $error = "You need to enter an email.";
    }

    $query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '".$emailaddress."' LIMIT 1");
    if(mysql_num_rows($query) > 0 && !$error) {
        $error = "Sorry, that email is already in use!";
    }

    $emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
    if (!$emailAddress)
    {
        $error = 'Please enter your email address in a valid format.  Example: bobsmith@companyname.com';
    }

  6. #6
    cpradio (Hosting Team Leader)
    Quote Originally Posted by justlukeyou View Post
    This is all the code I have complete for email insertion. I have the mysql_real_escape_string on the email post. Is there anything else I need to add to make it safe?
    No, that is the purpose of mysql_real_escape_string: to handle those situations.

    Quote Originally Posted by justlukeyou View Post
    Is preg_match outdated? Are there any special characters I should reject?
    No, preg_match isn't outdated, PHP is just adding helper functions for the most common scenarios in the recent versions of PHP. The filter_var for email validation handles all special characters for you.

    Quote Originally Posted by justlukeyou View Post
    Code:
    // Read the posted value safely (isset on $emailaddress itself is always true after assignment)
    $emailaddress = isset($_POST['emailaddress']) ? mysql_real_escape_string(trim($_POST['emailaddress'])) : '';

    if(empty($emailaddress) && !$error) {
        $error = "You need to enter an email.";
    }

    $query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '".$emailaddress."' LIMIT 1");
    if(mysql_num_rows($query) > 0 && !$error) {
        $error = "Sorry, that email is already in use!";
    }

    $emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
    if (!$emailAddress)
    {
        $error = 'Please enter your email address in a valid format.  Example: bobsmith@companyname.com';
    }
    You should really move the last validation you have for e-mail address above your check to see if the e-mail is already in use, so you are not querying on an email address that isn't in a valid format.

  7. #7
    SitePoint Guru
    Thanks,

    I have made the final change. Is there a filter for standard text? So if asked for someone's name they cannot inject code.

    Should I use FILTER_VALIDATE_REGEXP for that?

  8. #8
    cpradio (Hosting Team Leader)
    Yes, you could do that. You should still use mysql_real_escape_string as apostrophes are still usually allowed for last names such as O'Brien, etc.
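    Putting the advice from posts #4 and #8 together, here is an added example (my code, not code from the thread): filter_var validates the e-mail and, via FILTER_VALIDATE_REGEXP, a name that may contain an apostrophe, and the duplicate check and insert then go through PDO prepared statements instead of string-built SQL. The PDO connection, the lastname column and the name pattern are assumptions; the organisermembers table and emailaddress column come from post #5.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection and a table
// organisermembers(userid, emailaddress, lastname); the lastname column is assumed.
function validateEmail(string $raw): ?string
{
    // Returns the address or null. FILTER_VALIDATE_EMAIL rejects "name@company"
    // (no dot in the domain), which the preg_match in post #1 accepted.
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}
function validateName(string $raw): ?string
{
    // Allow-list for a person's name: letters (any script), spaces, hyphens and apostrophes,
    // 1 to 80 characters, so O'Brien passes and "<script>" does not. Pattern is my own choice.
    $name = filter_var(trim($raw), FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => "/^\p{L}[\p{L} '\-]{0,79}$/u"],
    ]);
    return $name === false ? null : $name;
}
function registerMember(PDO $pdo, string $rawEmail, string $rawName): string
{
    // Validate first, then query (post #6): no database round trip for bad input.
    $email = validateEmail($rawEmail);
    if ($email === null) {
        return 'Please enter your email address in a valid format.';
    }
    $name = validateName($rawName);
    if ($name === null) {
        return 'Please enter a name using letters, spaces, hyphens or apostrophes.';
    }
    // Values are bound as parameters, never concatenated into the SQL string, so the
    // apostrophe in O'Brien reaches the database as data, not as SQL syntax.
    $check = $pdo->prepare('SELECT userid FROM organisermembers WHERE emailaddress = ? LIMIT 1');
    $check->execute([$email]);
    if ($check->fetchColumn() !== false) {
        return 'Sorry, that email is already in use!';
    }
    $insert = $pdo->prepare('INSERT INTO organisermembers (emailaddress, lastname) VALUES (?, ?)');
    $insert->execute([$email, $name]);
    return 'OK';
}
// Constructed demo against an in-memory SQLite database (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE organisermembers (userid INTEGER PRIMARY KEY, emailaddress TEXT, lastname TEXT)');
foreach ([['bob@example.com', "O'Brien"], ['bob@example.com', 'Smith'], ['name@company', 'Smith']] as [$e, $n]) {
    echo $e, ' / ', $n, ' => ', registerMember($pdo, $e, $n), PHP_EOL;
}
```

    The second call hits the duplicate check and the third is rejected by validation before any query runs; the same pattern replaces mysql_real_escape_string when the old mysql_* functions are no longer available.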

  9. #9
    SitePoint Member
    Off Topic:
    Apparently, this is the regular expression used by PHP for e-mail addresses:

    Code:
    /^(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){255,})(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){65,}@)(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22))(?:\.(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\]))$/iD
    o_O

    Off Topic:
    Fun fact: While trying to submit this, I kept getting an error message, saying that I'm not allowed to have 27 images in a post!

    O_o


