
PHP Form Security Lowercase Problem



Guest Recon
I have been using a simple PHP form with no security measures, but the form has recently come under heavy attack from spammers. For now, I've taken the form offline while I set up a more secure PHP form script (I'm a total newbie to PHP, btw).

[code]//clean input in case of header injection attempts!
function clean_input_4email($value, $check_all_patterns = true)
{
$patterns[0] = '/content-type:/';
$patterns[1] = '/to:/';
$patterns[2] = '/cc:/';
$patterns[3] = '/bcc:/';
if ($check_all_patterns)
{
  $patterns[4] = '/\r/';
  $patterns[5] = '/\n/';
  $patterns[6] = '/%0a/';
  $patterns[7] = '/%0d/';
}
//NOTE: can use str_ireplace as this is case insensitive but only available on PHP version 5.0.
return preg_replace($patterns, "", strtolower($value));
}

$name = clean_input_4email($_POST['name']);
$email_address = clean_input_4email($_POST['email_address']);[/code]

This makes all the fields that are 'cleaned' lowercase, but I would like them to stay in the same case that they were entered in. I'm not using PHP 5.0 so I can't use str_ireplace.

How else can I make it work? Does it make it lowercase to reduce the number of patterns needed? If I added all the possible combinations of the patterns (i.e. To: tO: TO: to:), could I change

[code]return preg_replace($patterns, "", strtolower($value));[/code]

to something else? Thanks.
https://forums.phpfreaks.com/topic/13374-php-form-security-lowercase-problem/

If you are using preg_replace, use the [b]i[/b] pattern modifier in your expressions, like so:
$patterns[0] = '/content-type:/[b]i[/b]';
$patterns[1] = '/to:/[b]i[/b]';
$patterns[2] = '/cc:/[b]i[/b]';

The i makes the expression case-insensitive, so that Cc: is the same as cc:.

No need for strtolower. So place the letter i (eye) after your closing delimiter, which is the forward slash (/).
Guest Recon
Thank you. It works perfectly now. :)

One more question though.

[code]$email_address = clean_input_4email($_POST['email_address']);
$nationality = clean_input_4email($_POST['nationality'], false);
$location = clean_input_4email($_POST['location'], false);[/code]

This script lets me choose which fields I clean using the second set of patterns by adding 'false' at the end, like above. What do these extra patterns do? Should I use them for all fields? In the example script, they were only used for certain fields. What are they for? Their code means nothing to me. ???

Thanks again.
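Added example, not code from the thread or from either poster: the original clean_input_4email() rewritten with the [b]i[/b] modifier applied to every pattern (including %0a/%0d, whose hex digit can arrive as %0A/%0D), so strtolower() is no longer needed and the value keeps the case the user typed. It also shows what the second pattern set is guarding against: a CR or LF inside a header value is what allows a new mail header such as Bcc: to be started, which is why those patterns belong on every value that ends up in the mail headers. The has_header_injection() helper and the sample inputs are my additions, constructed for the demonstration; nothing here assumes anything beyond PHP 4-era functions.

```php
<?php
// Case-preserving version of the thread's clean_input_4email().
// Patterns carry the "i" modifier instead of lower-casing the whole value.
function clean_input_4email($value, $check_all_patterns = true)
{
    // Header names a spammer would try to smuggle into the mail headers.
    // "bcc:" is listed before "cc:" so the longer name is removed whole
    // (otherwise "Bcc:" would be reduced to "B" by the "cc:" pattern).
    $patterns = array(
        '/content-type:/i',
        '/bcc:/i',
        '/cc:/i',
        '/to:/i',
    );
    if ($check_all_patterns) {
        // Raw CR/LF and their URL-encoded forms. A line break inside a
        // header field is what starts a new header, so strip them from any
        // value placed in From:, Reply-To: or Subject:. "i" matters here
        // too: %0A and %0D decode to the same bytes as %0a and %0d.
        $patterns[] = '/\r/';
        $patterns[] = '/\n/';
        $patterns[] = '/%0a/i';
        $patterns[] = '/%0d/i';
    }
    return preg_replace($patterns, '', $value);
}

// Stricter alternative (hypothetical helper, not from the thread): instead of
// silently editing the value, detect a line break or its encoded form and let
// the caller reject the whole submission. Honest input never contains these.
function has_header_injection($value)
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Constructed sample inputs: one harmless value whose capitalisation must
// survive, and two injection attempts (raw CRLF, and URL-encoded upper-case).
$samples = array(
    'Jane Doe',
    "Jane Doe\r\nBcc: someone@example.com",
    'Jane%0ACC: someone@example.com',
);
foreach ($samples as $in) {
    // addcslashes makes the control characters visible in the output.
    printf("input   : %s\n", addcslashes($in, "\r\n"));
    printf("cleaned : %s\n", clean_input_4email($in));
    printf("reject? : %s\n\n", has_header_injection($in) ? 'yes' : 'no');
}
```

Stripping known header names is still a blacklist, so the reject-on-detection check is the more reliable of the two: anything that will be written into a header should contain no CR or LF at all. On PHP 5.2 and later, filter_var($email_address, FILTER_VALIDATE_EMAIL) is the usual way to validate the address field itself, which the poster's PHP 4 setup cannot use.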

Archived

This topic is now archived and is closed to further replies.
