PHP Form Security Lowercase Problem

Guest Recon
I have been using a simple PHP form with no security measures, but the form has recently come under heavy attack from spammers. For now, I've taken the form offline while I set up a more secure PHP form script (I'm a total newbie to PHP, btw).

[code]// Clean input in case of header injection attempts!
// Strips the mail header keywords an attacker would inject (Content-Type:, To:, Cc:, Bcc:)
// and, optionally, the line breaks needed to start a new header line.
function clean_input_4email($value, $check_all_patterns = true)
{
    $patterns[0] = '/content-type:/';
    $patterns[1] = '/to:/';
    $patterns[2] = '/cc:/';
    $patterns[3] = '/bcc:/';
    if ($check_all_patterns)
    {
        $patterns[4] = '/\r/';   // raw carriage return
        $patterns[5] = '/\n/';   // raw line feed
        $patterns[6] = '/%0a/';  // URL-encoded line feed
        $patterns[7] = '/%0d/';  // URL-encoded carriage return
    }
    // NOTE: could use str_ireplace as it is case-insensitive, but it is only available from PHP 5.0.
    // strtolower() is used so the lowercase patterns above match any case of the input.
    return preg_replace($patterns, "", strtolower($value));
}

$name = clean_input_4email($_POST['name']);
$email_address = clean_input_4email($_POST['email_address']);[/code]

This makes all the fields that are 'cleaned' lowercase, but I would like them to stay in the same case that they were entered in. I'm not using PHP 5.0 so I can't use str_ireplace.

How else can I make it work? Does it make it lowercase to reduce the number of patterns needed? If I added all the possible combinations of the patterns (i.e. To: tO: TO: to:), could I change

[code]return preg_replace($patterns, "", strtolower($value));[/code]

to something else? Thanks.

If you are using preg_replace, use the [b]i[/b] pattern modifier in your expressions, like so:
[code]$patterns[0] = '/content-type:/[b]i[/b]';
$patterns[1] = '/to:/[b]i[/b]';
$patterns[2] = '/cc:/[b]i[/b]';[/code]

The i makes the expression case-insensitive, so Cc: is treated the same as cc:.

No need for strtolower. So place the letter i (eye) after your closing delimiter, which is the forward slash (/).

Guest Recon
Thanks for the quick reply. :)

Would the line become

[code] return preg_replace($patterns, "", $value);[/code]

when I remove the strtolower part?

Yeah, you get rid of the strtolower function and make sure you have added the letter [b]i[/b] at the end of each expression, as described in my post above.

Guest Recon
Thank you. It works perfectly now. :)

One more question though.

[code]$email_address = clean_input_4email($_POST['email_address']);
$nationality = clean_input_4email($_POST['nationality'], false);
$location = clean_input_4email($_POST['location'], false);[/code]

This script lets me choose which fields I clean using the second set of patterns by adding 'false' at the end, like above. What do these extra patterns do? Should I use them for all fields? In the example script, they were only used for certain fields. What are they for? Their code means nothing to me.

Thanks again.

By the looks of things, the second parameter makes the script check for newline and carriage return characters too. I don't know what patterns 6 and 7 do. By the looks of it they are ASCII characters.

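Putting the two answers together, here is an added worked example (my code, not the original poster's or the replier's) of the cleaning function with the [b]i[/b] modifier in place of strtolower(), run against a few constructed inputs. It stays PHP 4 compatible (no str_ireplace, no closures), since the poster said they are not on PHP 5. The sample values and the helper names show()/looks_like_header_injection() are my own assumptions for the demo; the pattern list is the one from the thread, which is why "photo:" in the last sample is also mangled: the '/to:/i' pattern matches inside ordinary words, which is a limitation of this stripping approach rather than a bug in the example.

```php
<?php
// Added example, not from the original thread: clean_input_4email() rewritten with
// the "i" modifier so the input keeps its case while header keywords still match
// in any case (Bcc:, BCC:, bCc: ...).
function clean_input_4email($value, $check_all_patterns = true)
{
    $patterns = array(
        '/content-type:/i',
        '/to:/i',
        '/cc:/i',
        '/bcc:/i',
    );
    if ($check_all_patterns) {
        // Raw line breaks and their URL-encoded forms (%0a = LF, %0d = CR).
        // Without a line break an attacker cannot start a new mail header line,
        // so these matter most for values that end up in headers (From:, Subject:).
        $patterns[] = '/\r/';
        $patterns[] = '/\n/';
        $patterns[] = '/%0a/i';
        $patterns[] = '/%0d/i';
    }
    return preg_replace($patterns, '', $value);
}

// Stricter alternative (hypothetical helper): instead of silently editing the
// value, detect anything that could end a header line and reject the submission.
function looks_like_header_injection($value)
{
    return preg_match('/[\r\n]|%0a|%0d/i', $value) === 1;
}

// Make control characters visible when printing (demo helper only).
function show($value)
{
    return '"' . str_replace(array("\r", "\n"), array('\r', '\n'), $value) . '"';
}

// Constructed sample submissions for the demo; not real form data.
$samples = array(
    'Jane Doe',                                // benign, capitals must survive
    "Jane Doe\nBcc: spam-target@example.com",  // classic header injection via LF
    "Jane%0DBCC: spam-target@example.com",     // URL-encoded CR, different case
    'Send photo: attached',                    // benign text hit by the "to:" pattern
);

foreach ($samples as $s) {
    echo str_pad(show($s), 48)
       . ' -> ' . show(clean_input_4email($s))
       . '  [reject=' . (looks_like_header_injection($s) ? 'yes' : 'no') . "]\n";
}
```

Run it with `php example.php`. The first column is the raw value, the second what the thread's function returns with the modifier fix, and the last flag is what the reject-instead-of-strip check would do. For a form that only needs the name and address in the message body, rejecting submissions that contain CR/LF is simpler and harder to get wrong than maintaining a list of header keywords, which is the point the last sample is meant to make.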