justlukeyou Posted September 10, 2012 Share Posted September 10, 2012 I have a preg match which forces proper input for email addresses "someone@company.com" but it also allows people to enter characters such as !/$ which someone may use to hack into the database. Should I be stopping these kind of characters from being entered into the database? if(preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) { $error = "The email you entered is not valid."; } Also what should I do for standard input. I dont have any preg match on the name or password etc. What is the best preg match to put on this? Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/ Share on other sites More sharing options...
darkfreaks Posted September 10, 2012 Share Posted September 10, 2012 http://lmgtfy.com/?q=filter_var+email+validation you should listen to advice given to you. Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376819 Share on other sites More sharing options...
KevinM1 Posted September 10, 2012 Share Posted September 10, 2012 I have a preg match which forces proper input for email addresses "someone@company.com" but it also allows people to enter characters such as !/$ which someone may use to hack into the database. Should I be stopping these kind of characters from being entered into the database? if(preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) { $error = "The email you entered is not valid."; } Also what should I do for standard input. I dont have any preg match on the name or password etc. What is the best preg match to put on this? Why not use an email_filter and escape the data before it hits the db? http://php.net/manual/en/filter.filters.validate.php Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376820 Share on other sites More sharing options...
scootstah Posted September 10, 2012 Share Posted September 10, 2012 That pattern isn't going to necessarily return valid emails. The domain portion is very lax, and the local part isn't totally accurate. For example, you can't have an email with: blah.@domain.com Plus, you are missing a bunch of valid characters. I don't think anyone can hack your database with !/$ characters. But even if they could, you should already be escaping or binding the input anyway. Passwords shouldn't get any filtering. By filtering passwords you're just reducing its security. Once you hash it, whatever characters it was made up with is irrelevant anyway. Filter usernames however you want them to be displayed. Only you can decide what that should be. Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376822 Share on other sites More sharing options...
justlukeyou Posted September 10, 2012 Author Share Posted September 10, 2012 Thanks, I see what you mean, I can enter name@companyname and this still enters as an email address. It doesn't require .com Are there solid preg-matches that I can use for emails or general inputs such as name or company name? Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376825 Share on other sites More sharing options...
scootstah Posted September 11, 2012 Share Posted September 11, 2012 Yup Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376881 Share on other sites More sharing options...
Christian F. Posted September 11, 2012 Share Posted September 11, 2012 You should know that writing a RegExp to validate e-mail addresses is extremely difficult, if not impossible, to get 100% correct. The best method to validate an e-mail address is to actually ask the mail server of the given domain, which will add a little bit of delay due to the latency of the network traffic between the two servers. Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376938 Share on other sites More sharing options...
scootstah Posted September 11, 2012 Share Posted September 11, 2012 You should know that writing a RegExp to validate e-mail addresses is extremely difficult, if not impossible, to get 100% correct. Maybe so, but writing one that matches 99.9% of them isn't. The format for en Email address is pretty clearly defined, and not that complex. The chances of hitting an edge case where a specific email doesn't match is pretty slim. How many people do you know that use !#$%&'*+/=?^`{|}~ in their email address? Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376941 Share on other sites More sharing options...
justlukeyou Posted September 11, 2012 Author Share Posted September 11, 2012 What??? Im not looking to check if an email address exists, I'm trying ensure that it is entered in the correct format e.g. something@something.com and no code is injected into the DB. http://php.net/manual/en/filter.filters.validate.php I had a look through this. So is "FILTER_VALIDATE_EMAIL" coded to reject a format that is not an email address? How does it reject code injection. I thought that was the purpose of preg_match? scootstah is this the process you use to allow people to submit an email address to a database? Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376973 Share on other sites More sharing options...
spiderwell Posted September 11, 2012 Share Posted September 11, 2012 html 5 <input type="email"> job done. however you can't rely on that sadly! Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376988 Share on other sites More sharing options...
darkfreaks Posted September 11, 2012 Share Posted September 11, 2012 FILTER_VALIDATE_EMAIL does NOT allow incomplete e-mail addresses to be validated. also it does not allow the following: chris#example.com chris@ex@ample.com chris.@example.com chris@@example.com chris@example..com allowed: chris@example.com chris@a.b.c.com //sanitize post email then make sure it is a valid email $email = filter_var(filter_var($_POST['email'], FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL); if($email === false) { // if email invalid error } Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1376996 Share on other sites More sharing options...
justlukeyou Posted September 11, 2012 Author Share Posted September 11, 2012 Hi, Many thanks for posting that but I couldn't get it to work. My email address row is emailaddress. When I use the following it allows anything to be added such as xxxxxxxxxxxxxxx but only once. Am I using it correctly or this for a certain level of PHP? if((!isset($emailaddress) || empty($emailaddress)) && !$error) { $error = "You need to enter an email."; } $query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '".$emailaddress."' LIMIT 1"); if(mysql_num_rows($query) > 0 && !$error) { $error = "Sorry, that email is already in use!"; } $email = filter_var(filter_var($_POST['emailaddress'], FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL); if($email === false) { // if email invalid error } Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1377093 Share on other sites More sharing options...
justlukeyou Posted September 11, 2012 Author Share Posted September 11, 2012 Hi, I changed it to this and it worked fine. $emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL); if (!$emailAddress) { $error = 'Invalid E-mail Address'; } Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1377098 Share on other sites More sharing options...
darkfreaks Posted September 12, 2012 Share Posted September 12, 2012 don't forget to mark topic solved Quote Link to comment https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/#findComment-1377148 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.