Good Preg Match Standards?

Hi,

I have been using the following preg_match to ensure only correct email addresses are used. However, it allows name@company to be entered.

Are there solid and reliable preg_match patterns which should be used for email and standard data input such as name and company name?

How can I prevent someone from injecting code into the DB?

if (preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) {
    $error = "The email you entered is not valid.";
}
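Added example (not part of the original post) showing why the pattern above accepts name@company: the dot before the top-level label is unescaped, so it matches any character, and the pattern has no ^ and $ anchors, so a match found anywhere inside the string passes. The anchored pattern beside it is an assumed correction included only for comparison; the sample inputs are constructed.

```php
<?php
// Added example, not the thread's code: compare the posted pattern with an anchored one.
// In the posted pattern the "." before the TLD is a wildcard and nothing forces the
// match to cover the whole string, so "name@company" and trailing junk both get through.
$posted   = "/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/";
// Assumed correction: escaped dot, optional sub-domains, anchored to the whole string.
$anchored = "/^[a-zA-Z0-9.+-]+@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*\.[a-zA-Z]{2,}$/";

function matches(string $pattern, string $email): bool
{
    return preg_match($pattern, $email) === 1;
}

$samples = [                        // constructed inputs
    'bob@example.com',              // valid
    'name@company',                 // no dot in the domain: should be rejected
    'bob@example.com extra text',   // unanchored pattern still finds a match inside
    'bob@sub.example.co.uk',        // valid, with sub-domains
];

printf("%-30s %-8s %s\n", 'input', 'posted', 'anchored');
foreach ($samples as $email) {
    printf("%-30s %-8s %s\n", $email,
        matches($posted, $email) ? 'match' : 'reject',
        matches($anchored, $email) ? 'match' : 'reject');
}
```

Running this shows the posted pattern accepting all four inputs while the anchored one rejects name@company and the input with trailing text. Even the anchored regex only checks shape, which is why the replies below point at filter_var() instead.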

Instead of using preg_match, check out the first example on filter_var on this page http://us3.php.net/manual/en/function.filter-var.php

Thanks, I have seen that but I don't understand it. I can't see what it does or how to use it.

What code should I use for proper emails and to stop code injection?

So the first example has

var_dump(filter_var('bob@example.com', FILTER_VALIDATE_EMAIL));

So you can use

$emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
if (!$emailAddress)
{
  $error = 'Invalid E-mail Address';
}

It will validate and ensure only valid characters are used for an e-mail address. You can then use PDO (prepared statements) or mysql_real_escape_string to ensure a sql injection isn’t still possible.

Brilliant thanks that worked perfectly.

This is all the code I have completed for email insertion. I have mysql_real_escape_string on the email post. Is there anything else I need to add to make it safe?

Is preg_match outdated? Are there any special characters I should reject?


$emailaddress = mysql_real_escape_string(trim($_POST['emailaddress']));

if ((!isset($emailaddress) || empty($emailaddress)) && !$error) {
    $error = "You need to enter an email.";
}

$query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '" . $emailaddress . "' LIMIT 1");
if (mysql_num_rows($query) > 0 && !$error) {
    $error = "Sorry, that email is already in use!";
}

$emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
if (!$emailAddress) {
    $error = 'Please enter your email address in a valid format.  Example: bobsmith@companyname.com';
}

No, that is the purpose of mysql_real_escape_string to handle those situations.

No, preg_match isn’t outdated, PHP is just adding helper functions for the most common scenarios in the recent versions of PHP. The filter_var for email validation handles all special characters for you.

You should really move the last validation you have for e-mail address above your check to see if the e-mail is already in use, so you are not querying on an email address that isn’t in a valid format.

Thanks,

I have made the final change. Is there a filter for standard text? So if asked for someone's name they cannot inject code.

Should I use FILTER_VALIDATE_REGEXP for that?

Yes you could do that. You should still use mysql_real_escape_string as apostrophes are still usually allowed for last names such as O’Brien, etc.
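Added example, not code from the thread, that puts the advice in this thread together in one script: filter_var() with FILTER_VALIDATE_EMAIL for the address, FILTER_VALIDATE_REGEXP for a name field that still allows apostrophes such as O'Brien, validation before the duplicate-email query, and PDO prepared statements instead of string concatenation so an apostrophe reaches the database as data rather than SQL syntax. It assumes PHP with the pdo_sqlite extension and builds an in-memory organisermembers table so it runs offline; the column names follow the query posted above, while the name pattern, the function names and the sample submissions are my own assumptions.

```php
<?php
// Added example (not the thread's code). Assumes PHP with the pdo_sqlite extension;
// the organisermembers table below is constructed so the script runs offline.
declare(strict_types=1);

// Email: FILTER_VALIDATE_EMAIL returns the address on success or false on failure.
function validateEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Name: letters in any script plus space, apostrophe, hyphen and period, 1-100 characters.
// The pattern is an assumption for this example; FILTER_VALIDATE_REGEXP returns false on no match.
function validateName(string $raw): ?string
{
    $name = filter_var(trim($raw), FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => "/^[\p{L}\p{M}' .-]{1,100}$/u"],
    ]);
    return $name === false ? null : $name;
}

// The value is bound as a parameter, so an apostrophe in it is data, never SQL syntax.
function emailInUse(PDO $db, string $email): bool
{
    $stmt = $db->prepare('SELECT userid FROM organisermembers WHERE emailaddress = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

// Validate first, query second (the order recommended above), then insert via a prepared statement.
function registerMember(PDO $db, array $post): array
{
    $errors = [];
    $email = validateEmail((string) ($post['emailaddress'] ?? ''));
    if ($email === null) {
        $errors[] = 'Please enter your email address in a valid format. Example: bobsmith@companyname.com';
    }
    $name = validateName((string) ($post['name'] ?? ''));
    if ($name === null) {
        $errors[] = 'Please enter a name using letters, spaces, apostrophes, hyphens or periods only.';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    if (emailInUse($db, $email)) {
        return ['ok' => false, 'errors' => ['Sorry, that email is already in use!']];
    }
    $stmt = $db->prepare('INSERT INTO organisermembers (emailaddress, name) VALUES (:email, :name)');
    $stmt->execute([':email' => $email, ':name' => $name]);
    return ['ok' => true, 'userid' => (int) $db->lastInsertId()];
}

// Constructed database and sample submissions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE organisermembers (userid INTEGER PRIMARY KEY AUTOINCREMENT, '
        . 'emailaddress TEXT NOT NULL UNIQUE, name TEXT NOT NULL)');

$samples = [
    ['emailaddress' => 'bob@example.com',   'name' => "Bob O'Brien"],  // accepted, apostrophe stored intact
    ['emailaddress' => 'bob@example.com',   'name' => 'Bob Smith'],    // rejected: email already in use
    ['emailaddress' => 'name@company',      'name' => 'Alice Jones'],  // rejected: no dot in the domain
    ['emailaddress' => 'carol@example.com', 'name' => 'R2D2'],         // rejected: digits in the name
];
foreach ($samples as $post) {
    print_r(registerMember($db, $post));
}
```

The point of the ordering in registerMember() is the one made above: the duplicate check only runs once both fields have passed validation, and because the query and the insert bind their values as parameters there is nothing left for mysql_real_escape_string to do. Swapping the SQLite DSN for a MySQL one keeps the rest of the code unchanged.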

Off Topic:

Apparently, this is the regular expression used by PHP for e-mail addresses:


/^(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){255,})(?!(?:(?:\\x22?\\x5C[\\x00-\\x7E]\\x22?)|(?:\\x22?[^\\x5C\\x22]\\x22?)){65,}@)(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22))(?:\\.(?:(?:[\\x21\\x23-\\x27\\x2A\\x2B\\x2D\\x2F-\\x39\\x3D\\x3F\\x5E-\\x7E]+)|(?:\\x22(?:[\\x01-\\x08\\x0B\\x0C\\x0E-\\x1F\\x21\\x23-\\x5B\\x5D-\\x7F]|(?:\\x5C[\\x00-\\x7F]))*\\x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-9]+(?:-[a-z0-9]+)*\\.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-[a-z0-9]+)*)|(?:\\[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-9][:\\]]){7,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))(?:\\.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))\\]))$/iD

o_O

Off Topic:

Fun fact: While trying to submit this, I kept getting an error message, saying that I’m not allowed to have 27 images in a post!

O_o