  1. #1
    SitePoint Guru (joined Feb 2007, 731 posts)

    Good Preg Match Standards?

    Hi,

    I have been using the following preg match to ensure only correct email addresses are used. However it allows name@company to be entered.

    Are there solid and reliable preg matches which should be used for email and standard data input such as name and company name?

    How can I prevent someone from injecting code into the DB?

    Code:
      // Note: the '.' before the TLD is unescaped, so it matches any character, and the
      // pattern is unanchored; that is why "name@company" passes this check.
      if(preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) {
          $error = "The email you entered is not valid.";
      }

  2. #2
    cpradio, Hosting Team Leader (joined Jun 2002, Ohio, 5,214 posts)
    Instead of using preg_match, check out the first example on filter_var on this page http://us3.php.net/manual/en/function.filter-var.php

  3. #3
    SitePoint Guru (joined Feb 2007, 731 posts)
    Thanks, I have seen that but I don't understand it. I can't see what it does or how to use it.

    What code should I use for proper emails and to stop code injection?

  4. #4
    cpradio, Hosting Team Leader (joined Jun 2002, Ohio, 5,214 posts)
    So the first example has:
    PHP Code:
    var_dump(filter_var('bob@example.com', FILTER_VALIDATE_EMAIL));
    So you can use:
    PHP Code:
    $emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
    if (!$emailAddress)
    {
        $error = 'Invalid E-mail Address';
    }

    It will validate and ensure only valid characters are used for an e-mail address. You can then use PDO (prepared statements) or mysql_real_escape_string to ensure a sql injection isn't still possible.

  5. #5
    SitePoint Guru (joined Feb 2007, 731 posts)
    Brilliant thanks that worked perfectly.

    This is all the code I have complete for email insertion. I have the mysql_real_escape_string on the email post. Is there anything else I need to add to make it safe?

    Is preg_match outdated, are there any special characters I should reject?


    Code:
      // $error is assumed to be initialised earlier in the script
      $emailaddress = mysql_real_escape_string(trim($_POST['emailaddress']));

      if((!isset($emailaddress) || empty($emailaddress)) && !$error) {
          $error = "You need to enter an email.";
      }

      $query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '".$emailaddress."' LIMIT 1");
      if(mysql_num_rows($query) > 0 && !$error) {
          $error = "Sorry, that email is already in use!";
      }

      $emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
      if (!$emailAddress)
      {
          $error = 'Please enter your email address in a valid format.  Example: bobsmith@companyname.com';
      }

  6. #6
    cpradio, Hosting Team Leader (joined Jun 2002, Ohio, 5,214 posts)
    Quote Originally Posted by justlukeyou:
    This is all the code I have complete for email insertion. I have the mysql_real_escape_string on the email post. Is there anything else I need to add to make it safe?
    No, that is the purpose of mysql_real_escape_string to handle those situations.

    Quote Originally Posted by justlukeyou:
    Is preg_match outdated, are there any special characters I should reject?
    No, preg_match isn't outdated, PHP is just adding helper functions for the most common scenarios in the recent versions of PHP. The filter_var for email validation handles all special characters for you.

    Quote Originally Posted by justlukeyou:
    Code:
      $emailaddress = mysql_real_escape_string(trim($_POST['emailaddress']));

      if((!isset($emailaddress) || empty($emailaddress)) && !$error) {
          $error = "You need to enter an email.";
      }

      $query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '".$emailaddress."' LIMIT 1");
      if(mysql_num_rows($query) > 0 && !$error) {
          $error = "Sorry, that email is already in use!";
      }

      $emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
      if (!$emailAddress)
      {
          $error = 'Please enter your email address in a valid format.  Example: bobsmith@companyname.com';
      }
    You should really move the last validation you have for e-mail address above your check to see if the e-mail is already in use, so you are not querying on an email address that isn't in a valid format.
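    The flow cpradio describes in posts #4 and #6, written out as an added example (not code from the thread): the address is validated with filter_var before any database access, and the duplicate check goes through a PDO prepared statement instead of a string-built mysql_query(). The table and column names follow post #5; the DSN, credentials and the sample inputs are placeholders and constructed values. The loop at the end also runs the pattern from post #1 over the same inputs so the difference is visible.

```php
<?php
// Added example, not code from the thread. Table/column names follow post #5;
// the connection details at the bottom are placeholders.

function validateEmail(string $raw): ?string
{
    $email = trim($raw);
    if ($email === '') {
        return null;
    }
    // filter_var() returns the filtered value on success and false on failure.
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function emailInUse(PDO $db, string $email): bool
{
    // The value is bound as a parameter, so it never becomes part of the SQL
    // text; an apostrophe or comment sequence in it cannot alter the query.
    $stmt = $db->prepare(
        'SELECT userid FROM organisermembers WHERE emailaddress = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

/** Returns an error message, or null when the address is valid and unused. */
function checkRegistrationEmail(PDO $db, array $post): ?string
{
    $email = validateEmail($post['emailaddress'] ?? '');
    if ($email === null) {
        return 'Please enter your email address in a valid format. Example: bobsmith@companyname.com';
    }
    if (emailInUse($db, $email)) {
        return 'Sorry, that email is already in use!';
    }
    return null;
}

// Constructed sample inputs, contrasted with the pattern from post #1.
$originalPattern = "/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/";
$samples = [
    'bob@example.com',      // valid
    'name@company',         // no TLD: the unescaped '.' lets the old pattern match
    "o'brien@example.com",  // apostrophe is legal in the local part: still needs binding
    'bob@exam ple.com',     // embedded space
    '',                     // empty submission
];
foreach ($samples as $s) {
    printf("%-24s preg_match=%d  filter_var=%s\n",
        var_export($s, true),
        preg_match($originalPattern, $s),
        validateEmail($s) === null ? 'rejected' : 'accepted');
}

// Wiring it up (placeholders for the connection):
// $db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// $error = checkRegistrationEmail($db, $_POST);
```

    The apostrophe case is the one worth noticing: FILTER_VALIDATE_EMAIL accepts o'brien@example.com because the quote is legal in the local part of an address, so validation alone does not keep quotes out of the query. Binding the value with a prepared statement is what makes the query safe, whatever the filter lets through.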

  7. #7
    SitePoint Guru (joined Feb 2007, 731 posts)
    Thanks,

    I have made the final change. Is there a filter for standard text? So if asked for someone's name they cannot inject code.

    Should I use FILTER_VALIDATE_REGEXP for that?

  8. #8
    cpradio, Hosting Team Leader (joined Jun 2002, Ohio, 5,214 posts)
    Yes, you could do that. You should still use mysql_real_escape_string as apostrophes are still usually allowed for last names such as O'Brien, etc.
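    An added example (not code from the thread) of the name check discussed in posts #7 and #8: FILTER_VALIDATE_REGEXP with a pattern that allows the apostrophes and hyphens real surnames contain, followed by an INSERT through a PDO prepared statement so the apostrophe in O'Brien needs no escaping at all. The table and column names, the regex and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not code from the thread. Table/column names are assumed.

function validateName(string $raw): ?string
{
    $name = trim($raw);
    // A letter first, then letters, spaces, dots, apostrophes or hyphens;
    // at most 60 characters. The /u modifier makes \p{L} cover accented letters.
    $ok = filter_var($name, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^\p{L}[\p{L} .\'\-]{0,59}$/u'],
    ]);
    // FILTER_VALIDATE_REGEXP returns the string on a match, false otherwise.
    return $ok === false ? null : $ok;
}

function insertMember(PDO $db, string $name, string $email): void
{
    $stmt = $db->prepare(
        'INSERT INTO organisermembers (name, emailaddress) VALUES (:name, :email)'
    );
    // Both values are bound, so neither is ever spliced into the SQL text.
    $stmt->execute([':name' => $name, ':email' => $email]);
}

// Constructed sample inputs.
$samples = ["O'Brien", 'Anne-Marie Smith', 'Zoë', '  Bob  ', 'Bob <b>Smith</b>', 'x; --', ''];
foreach ($samples as $s) {
    $v = validateName($s);
    printf("%-20s %s\n", var_export($s, true), $v === null ? 'rejected' : "accepted as '$v'");
}

// Usage with a placeholder connection:
// $db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
// $name  = validateName($_POST['name'] ?? '');
// $email = filter_var($_POST['emailaddress'] ?? '', FILTER_VALIDATE_EMAIL);
// if ($name !== null && $email !== false) {
//     insertMember($db, $name, $email);
// }
```

    The regex is a whitelist: anything outside letters, spaces, dots, apostrophes and hyphens is rejected up front, and the values that do pass (including O'Brien) reach the database only as bound parameters. Validation on the way in does not cover output, though; when a stored name is echoed back into a page it still needs htmlspecialchars(), since an apostrophe that is harmless in SQL is meaningful inside an HTML attribute.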

  9. #9
    SitePoint Member (joined Sep 2012, 6 posts)
    Off Topic:


    Apparently, this is the regular expression used by PHP for e-mail addresses:

    Code:
    /^(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){255,})(?!(?:(?:\x22?\x5C[\x00-\x7E]\x22?)|(?:\x22?[^\x5C\x22]\x22?)){65,}@)(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22))(?:\.(?:(?:[\x21\x23-\x27\x2A\x2B\x2D\x2F-\x39\x3D\x3F\x5E-\x7E]+)|(?:\x22(?:[\x01-\x08\x0B\x0C\x0E-\x1F\x21\x23-\x5B\x5D-\x7F]|(?:\x5C[\x00-\x7F]))*\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\]))$/iD
    o_O

    Off Topic:


    Fun fact: While trying to submit this, I kept getting an error message, saying that I'm not allowed to have 27 images in a post!

    O_o


