gtzpower, posted April 28, 2008

Can anyone help me with this simple RegEx test? Here's my code:

```php
if (eregi("(\r|\n)", $_POST['email'])) {
    // block email injection attacks
    die("An error has occurred. Please verify that you have submitted a valid email address.");
} else {
    echo $_POST['email'];
}
```

The resulting page shows \r\n (when I submit \r\n for the email address). I can't get the die to execute! However, if I do this:

```php
if (eregi("(\r|\n)", "\r\n")) { // Note the elimination of the POST var
```

the evaluation is true. Any hints?

moselkady, posted April 28, 2008

Try this one:

```php
if (eregi("[\r\n]", $_POST['email']))
```

gtzpower (Author), posted April 28, 2008

Still have the same issue even with that one. I think it has something to do with the POST var holding a literal value. For example, if I run:

```php
if ($_POST['email'] == "\r\n") {
    echo "dub";
}
if ($_POST['email'] == '\r\n') {
    echo "sin";
}
```

'sin' is echoed. So, my "" around the regEx is looking for a whitespace character of carriage return\new line, while I am giving it the literal of '\r\n'. I still don't know how to get around this though.

moselkady, posted April 28, 2008

My mistake :-\ I didn't realize you have them as literal '\r\n'. This I think would work:

```php
<?
if (eregi("[\\r\\n]", '[email protected]\r'))
    echo 1;
?>
```

gtzpower (Author), posted April 28, 2008

Thanks for the reply, however, now nothing with an 'r' or an 'n' is allowed through. e.g. "[email protected]" is resulting in an error. Any other thoughts?

moselkady, posted April 28, 2008

Ok. I think this will finally work:

```php
<?php
if (eregi("[\\][rn]", '[email protected]\r\n'))
    echo "1\n";
if (eregi("[\\][rn]", '[email protected]'))
    echo "2\n";
?>
```

gtzpower (Author), posted April 29, 2008

Thanks! That works for \r or \n, but unfortunately it won't work for %0A, etc. I guess what I am really asking is why is it that the regular expressions for testing this stuff that I can find on umpteen billion sites are not working on mine? Is there a php setting for post vars that needs changed or something? I would ideally like to search for the whitespace character rather than searching for every possible way of creating the whitespace character.
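
An added example, not written by either poster: the line-break check from the first post, using `preg_match` because `eregi` was removed in PHP 7.0, run over constructed inputs to show that a typed `\r\n` and real CR/LF bytes are different values, and that percent-encoding in a form body is decoded by PHP before `$_POST` is filled. The function names `has_line_break` and `is_safe_email` and all sample addresses are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). has_line_break(), is_safe_email()
// and the sample values below are constructed for illustration.

// True if the value contains a real CR (0x0D) or LF (0x0A) byte.
function has_line_break(string $value): bool
{
    // Double quotes: PHP turns \r and \n into the control bytes before
    // PCRE compiles the pattern, so this matches the bytes themselves.
    return preg_match("/[\r\n]/", $value) === 1;
}

// Accept only a single-line, syntactically valid address.
function is_safe_email(string $value): bool
{
    return !has_line_break($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

$samples = [
    // What typing \r\n into a text field sends: four ordinary characters.
    'typed backslash-r backslash-n' => 'user@example.com\r\n',
    // Real CR and LF bytes, which a text input cannot hold but a request can.
    'real CR LF bytes'              => "user@example.com\r\n",
    // %0D%0A in a form-encoded body; PHP decodes it before filling $_POST.
    // urldecode() stands in for that step here.
    'percent-encoded in the body'   => urldecode('user%40example.com%0D%0A'),
    // The text "%0A" arriving already decoded is just three characters.
    'literal %0A text'              => 'user@example.com%0A',
    'plain address'                 => 'user@example.com',
];

foreach ($samples as $label => $value) {
    printf(
        "%-30s line break: %-3s accepted: %s\n",
        $label,
        has_line_break($value) ? 'yes' : 'no',
        is_safe_email($value) ? 'yes' : 'no'
    );
}
```

The syntax check via `filter_var` is what rejects the typed-backslash and literal `%0A` inputs; the line-break test only fires on the two values that carry real control bytes.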
This topic is now archived and is closed to further replies.