webref.eu Posted September 15, 2011
https://forums.phpfreaks.com/topic/247201-help-with-containsinjectionattempt-function/

Hi Guys

I'm using the following function to check form field data for dangerous code:

    function containsInjectionAttempt($input) {
        // eregi() matches case-insensitively; "\r" and "\n" in double quotes are the CR and LF bytes,
        // %0a and %0d are their URL-encoded forms, the rest are mail header names
        if (eregi("\r", $input) || eregi("\n", $input) || eregi("%0a", $input) || eregi("%0d", $input) ||
            eregi("Content-Type:", $input) || eregi("bcc:", $input) || eregi("to:", $input) || eregi("cc:", $input)) {
            return true;
        } else {
            return false;
        }
    }

For those interested, I found this at: http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/

A few questions:

1) I have found that most of the patterns I test for, e.g. "Content-Type:" and "cc:", are recognised by the function. However, if I try inputting "\r" or "\n" into my form field, they do not get detected. Does anyone have any idea why? Would it be something to do with the backslashes?

2) I gather eregi is deprecated as of PHP 5.3.0, so what should I use instead?

Thanks
trq Posted September 15, 2011

> if I try inputting "\r" or "\n" into my form field, they do not get detected. Does anyone have any idea why?

Because your code is looking for newlines and carriage returns, not the strings \n and \r.

> I gather eregi is deprecated as of PHP 5.3.0, so what should I use instead?

preg_match.
AyKay47 Posted September 15, 2011

Placing the newline and carriage return in single quotes will parse them literally.

Edit: however, preg_match handles regex differently. Read up on what thorpe posted.
webref.eu (Author) Posted September 15, 2011

Many thanks for the help guys. I've now amended the function to use preg_match, as per the below. The function is behaving in the same way as the original. However, do you think it is still testing the form output for a newline and a carriage return correctly? I'm not sure. Thanks.

    // preg_match: the string to match goes within forward slashes, i.e. /str/,
    // and the i at the end makes it case-insensitive
    function containsInjectionAttempt($input) {
        if (preg_match("/\r/i", $input) || preg_match("/\n/i", $input) ||
            preg_match("/%0a/i", $input) || preg_match("/%0d/i", $input) ||
            preg_match("/Content-Type:/i", $input) || preg_match("/bcc:/i", $input) ||
            preg_match("/to:/i", $input) || preg_match("/cc:/i", $input)) {
            return true;
        } else {
            return false;
        }
    }
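To make trq's point concrete, here is an added example (not code from the thread) that collapses the eight preg_match() calls into one pattern and runs it over constructed inputs: a real CR/LF byte, the two-character text "\n" that a user would actually type into a form, the URL-encoded form, and ordinary prose. The function name is kept from the thread; the sample inputs and labels are made up here.

```php
<?php
// Added example, not from the original thread. Single regex version of the
// thread's header-injection check; the sample inputs below are constructed.

function containsInjectionAttempt(string $input): bool
{
    // The pattern is single-quoted, so PCRE itself turns \r and \n into the
    // CR and LF bytes; %0a / %0d cover the URL-encoded forms and /i makes
    // the header names case-insensitive. preg_match() returns 1, 0 or false,
    // so compare strictly against 1.
    $pattern = '/\r|\n|%0a|%0d|Content-Type:|bcc:|to:|cc:/i';
    return preg_match($pattern, $input) === 1;
}

// Constructed form-field values. Double quotes produce real control bytes;
// single quotes produce the literal backslash + letter a user would type.
$samples = [
    'real CR byte'      => "alice@example.com\rBcc: mallory@example.com",
    'real LF byte'      => "Hello\nContent-Type: text/html",
    'typed text \\n'    => 'Hello\nworld',          // backslash, then n: not a newline
    'url-encoded LF'    => 'Hello%0Aworld',         // %0a matched case-insensitively
    'plain message'     => 'Hello, I would like a quote.',
    'prose with "to:"'  => 'Please reply to: my work address', // the broad to: check fires here
];

foreach ($samples as $label => $value) {
    printf("%-18s => %s\n", $label, containsInjectionAttempt($value) ? 'blocked' : 'ok');
}
```

The third sample is the case the original post tried by hand: the typed characters backslash and n contain no newline, so neither eregi() nor preg_match() reports it, while the first, second and fourth samples are caught. The last sample shows that the bare "to:" pattern also rejects harmless text, so when this check is used on a real form it is worth deciding whether that false-positive rate is acceptable.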