PHP Form Security Lowercase Problem


5 replies to this topic

#1 Guest_Recon_*

Guest_Recon_*
  • Guests

Posted 01 July 2006 - 10:16 AM

I have been using a simple PHP form with no security measures but the form has recently come under heavy attack from spammers. For now, I've taken the form offline while I set up a more secure PHP form script (I'm a total newbie to PHP, btw).

//clean input in case of header injection attempts!
function clean_input_4email($value, $check_all_patterns = true)
{
 $patterns[0] = '/content-type:/';
 $patterns[1] = '/to:/';
 $patterns[2] = '/cc:/';
 $patterns[3] = '/bcc:/';
 if ($check_all_patterns)
 {
  $patterns[4] = '/\r/';
  $patterns[5] = '/\n/';
  $patterns[6] = '/%0a/';
  $patterns[7] = '/%0d/';
 }
 //NOTE: can use str_ireplace as this is case insensitive but only available on PHP version 5.0.
 return preg_replace($patterns, "", strtolower($value));
}

$name = clean_input_4email($_POST['name']);
$email_address = clean_input_4email($_POST['email_address']);

This makes all the fields that are 'cleaned' lowercase, but I would like them to stay in the same case that they were entered in. I'm not using PHP 5.0 so I can't use str_ireplace.

How else can I make it work? Does it make it lowercase to reduce the number of patterns needed? If I added all the possible combinations of the patterns (ie. To: tO: TO: to:), could I change

return preg_replace($patterns, "", strtolower($value));

to something else? Thanks.

#2 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 01 July 2006 - 10:29 AM

If you are using preg_replace, use the i syntax modifier in your expressions like so:
$patterns[0] = '/content-type:/i';
$patterns[1] = '/to:/i';
$patterns[2] = '/cc:/i';

The i makes the expression case-insensitive. Such as Cc: is the same as cc:

No need for strtolower. So place the letter i (eye) after your closing delimiter, which is the forward slash (/)
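As an added example (not code posted in the thread), here is the original poster's function rewritten the way this reply suggests: the /i modifier on each header-name pattern replaces the strtolower() call, so the returned value keeps the case it was typed in. The sample inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example: clean_input_4email() with the /i modifier instead of strtolower().
function clean_input_4email($value, $check_all_patterns = true)
{
    $patterns = array(
        '/content-type:/i',   // /i = case-insensitive, so "Content-Type:" also matches
        '/to:/i',
        '/cc:/i',
        '/bcc:/i',
    );
    if ($check_all_patterns) {
        $patterns[] = '/\r/';    // raw carriage return
        $patterns[] = '/\n/';    // raw line feed
        $patterns[] = '/%0a/i';  // the text "%0a" (URL-encoded LF), if it arrived as literal text
        $patterns[] = '/%0d/i';  // the text "%0d" (URL-encoded CR)
    }
    // No strtolower(): only the matched header names are removed, the rest
    // of the string is returned exactly as entered.
    return preg_replace($patterns, '', $value);
}

// Constructed sample inputs.
$samples = array(
    'John Smith',                              // ordinary value, case preserved
    "John Smith\r\nBcc: someone@example.com",  // header-injection attempt: CRLF and "Bcc:" removed
    'Nice To: meet you',                       // legitimate text that happens to match "to:"
);
foreach ($samples as $s) {
    echo var_export(clean_input_4email($s), true), "\n";
}
```

Note the third sample: because the function deletes anything matching a header name, ordinary text such as "To:" inside a message is silently altered as well. Stripping keeps the form working for spammers' input, but a stricter design rejects the submission outright when a header name or line break is present, which avoids mangling legitimate values.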

#3 Guest_Recon_*

Guest_Recon_*
  • Guests

Posted 01 July 2006 - 10:37 AM

Thanks for the quick reply. :)

Would the line become

return preg_replace($patterns, "", $value);

when I remove the strtolower part?

#4 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 01 July 2006 - 10:45 AM

Yeah, you get rid of the strtolower function and make sure you have added the letter i at the end of each expression, as described in my post above.

#5 Guest_Recon_*

Guest_Recon_*
  • Guests

Posted 01 July 2006 - 10:54 AM

Thank you. It works perfectly now. :)

One more question though.

$email_address = clean_input_4email($_POST['email_address']);
$nationality = clean_input_4email($_POST['nationality'], false);
$location = clean_input_4email($_POST['location'], false);

This script lets me choose which fields I clean using the second set of patterns by adding 'false' at the end like above. What do these extra patterns do? Should I use them for all fields? In the example script, they were only used for certain fields. What are they for -- their code means nothing to me? ???

Thanks again.

#6 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 01 July 2006 - 11:02 AM

By the looks of things, the second parameter makes the script check for newline and carriage return characters too. I don't know what patterns 6 and 7 do. By the looks of it they are ASCII characters.
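The following is an added example, not code from the thread. It shows what the second parameter of the poster's function controls and what patterns 6 and 7 are: "%0a" and "%0d" are the URL-encoded spellings of the line feed and carriage return bytes. PHP already decodes form data before it reaches $_POST, so those two patterns only catch the text when it arrives still spelled out literally (for instance when it was encoded twice). The example takes a stricter approach than the original script and refuses a submission instead of deleting the offending characters; the function name is_safe_email_field() and the $reason messages are this example's own, and the sample submissions are constructed.

```php
<?php
// Added example: validate a form field for mail-header injection and reject
// rather than strip. $check_all_patterns mirrors the second parameter of the
// thread's clean_input_4email(): when true, line breaks are also refused.
function is_safe_email_field($value, $check_all_patterns = true, &$reason = null)
{
    // A mail header name followed by a colon must never appear in a field that
    // is placed into the message headers (name, sender address, subject).
    if (preg_match('/\b(content-type|to|cc|bcc):/i', $value)) {
        $reason = 'contains a mail header name';
        return false;
    }
    if ($check_all_patterns) {
        // A raw CR or LF would start a new header line in the outgoing message;
        // "%0a" / "%0d" are the same bytes in URL-encoded form (patterns 6 and 7).
        if (preg_match('/[\r\n]|%0[ad]/i', $value)) {
            $reason = 'contains a line break or its URL-encoded form';
            return false;
        }
    }
    $reason = '';
    return true;
}

// Constructed sample submissions: the first is clean, the second and third are
// injection attempts (raw and URL-encoded), the fourth has a harmless multi-line
// free-text field that is allowed because line breaks are not checked for it.
$submissions = array(
    array('email_address' => 'jane@example.com',                      'nationality' => 'British'),
    array('email_address' => "jane@example.com\nBcc: x@example.com",  'nationality' => 'British'),
    array('email_address' => 'jane@example.com%0ABcc:x@example.com',  'nationality' => 'British'),
    array('email_address' => 'jane@example.com',                      'nationality' => "Line one\nLine two"),
);

foreach ($submissions as $post) {
    $why = '';
    $ok = is_safe_email_field($post['email_address'], true, $why)   // goes into a header: full check
       && is_safe_email_field($post['nationality'], false, $why);   // stays in the body: header names only
    echo $ok ? "accepted\n" : "rejected: $why\n";
}
```

The rule of thumb this encodes: every value that ends up in a mail header (the From address, the subject, the recipient name) gets the full check, while values that only appear in the message body may legitimately contain line breaks and only need the header-name check. Logging the rejected submissions gives a simple signal of when the form is being probed.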
