justlukeyou Posted September 10, 2012

I have a preg_match which forces proper input for email addresses ("someone@company.com"), but it also allows people to enter characters such as !/$ which someone may use to hack into the database. Should I be stopping these kinds of characters from being entered into the database?

    if (preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) {
        $error = "The email you entered is not valid.";
    }

Also, what should I do for standard input? I don't have any preg_match on the name or password etc. What is the best preg_match to put on this?
darkfreaks Posted September 10, 2012

http://lmgtfy.com/?q=filter_var+email+validation

You should listen to advice given to you.
KevinM1 Posted September 10, 2012

> I have a preg_match which forces proper input for email addresses ("someone@company.com"), but it also allows people to enter characters such as !/$ which someone may use to hack into the database. Should I be stopping these kinds of characters from being entered into the database?
>
>     if (preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) {
>         $error = "The email you entered is not valid.";
>     }
>
> Also, what should I do for standard input? I don't have any preg_match on the name or password etc. What is the best preg_match to put on this?

Why not use an email filter and escape the data before it hits the DB?

http://php.net/manual/en/filter.filters.validate.php
scootstah Posted September 10, 2012

That pattern isn't necessarily going to return valid emails. The domain portion is very lax, and the local part isn't totally accurate. For example, you can't have an email with:

    blah.@domain.com

Plus, you are missing a bunch of valid characters.

I don't think anyone can hack your database with !/$ characters. But even if they could, you should already be escaping or binding the input anyway.

Passwords shouldn't get any filtering. By filtering passwords you're just reducing their security. Once you hash it, whatever characters it was made up of is irrelevant anyway.

Filter usernames however you want them to be displayed. Only you can decide what that should be.
justlukeyou Posted September 10, 2012 (Author)

Thanks, I see what you mean. I can enter name@companyname and this still enters as an email address. It doesn't require .com

Are there solid preg_matches that I can use for emails or general inputs such as name or company name?
scootstah Posted September 11, 2012

Yup
Christian F. Posted September 11, 2012

You should know that writing a RegExp to validate e-mail addresses is extremely difficult, if not impossible, to get 100% correct. The best method to validate an e-mail address is to actually ask the mail server of the given domain, which will add a little bit of delay due to the latency of the network traffic between the two servers.
scootstah Posted September 11, 2012

> You should know that writing a RegExp to validate e-mail addresses is extremely difficult, if not impossible, to get 100% correct.

Maybe so, but writing one that matches 99.9% of them isn't. The format for an e-mail address is pretty clearly defined, and not that complex. The chances of hitting an edge case where a specific email doesn't match are pretty slim. How many people do you know that use !#$%&'*+/=?^`{|}~ in their email address?
justlukeyou Posted September 11, 2012 (Author)

What??? I'm not looking to check if an email address exists, I'm trying to ensure that it is entered in the correct format, e.g. something@something.com, and that no code is injected into the DB.

http://php.net/manual/en/filter.filters.validate.php

I had a look through this. So is "FILTER_VALIDATE_EMAIL" coded to reject a format that is not an email address? How does it reject code injection? I thought that was the purpose of preg_match?

scootstah, is this the process you use to allow people to submit an email address to a database?
spiderwell Posted September 11, 2012

HTML 5: <input type="email">, job done. However, you can't rely on that, sadly!
darkfreaks Posted September 11, 2012

FILTER_VALIDATE_EMAIL does NOT allow incomplete e-mail addresses to be validated. It also does not allow the following:

    chris#example.com
    chris@ex@ample.com
    chris.@example.com
    chris@@example.com
    chris@example..com

Allowed:

    chris@example.com
    chris@a.b.c.com

    // sanitize the posted email, then make sure it is a valid email
    $email = filter_var(filter_var($_POST['email'], FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        // if email invalid error
    }
justlukeyou Posted September 11, 2012 (Author)

Hi,

Many thanks for posting that, but I couldn't get it to work. My email address row is emailaddress. When I use the following it allows anything to be added, such as xxxxxxxxxxxxxxx, but only once. Am I using it correctly, or is this for a certain level of PHP?

    if ((!isset($emailaddress) || empty($emailaddress)) && !$error) {
        $error = "You need to enter an email.";
    }

    // escape the value before it is interpolated into the query string
    $query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '" . mysql_real_escape_string($emailaddress) . "' LIMIT 1");
    if (mysql_num_rows($query) > 0 && !$error) {
        $error = "Sorry, that email is already in use!";
    }

    $email = filter_var(filter_var($_POST['emailaddress'], FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        // if email invalid error
    }
justlukeyou Posted September 11, 2012 (Author)

Hi, I changed it to this and it worked fine.

    $emailAddress = filter_var($_POST['emailaddress'], FILTER_VALIDATE_EMAIL);
    if (!$emailAddress) {
        $error = 'Invalid E-mail Address';
    }
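An added example, not code from anyone in this thread, that keeps apart the two questions the thread runs together: whether the input is an e-mail address (filter_var with FILTER_VALIDATE_EMAIL, run over the inputs darkfreaks and scootstah list) and whether the value can break the SQL (a prepared statement, regardless of which characters the address contains). It assumes a PDO connection in $pdo and a passwordhash column; the table and column names are the ones used in the thread.

```php
<?php
// Added example, not code from anyone in this thread. Format validation and
// SQL injection are separate concerns: filter_var() decides the first, a
// prepared statement settles the second. Assumes a PDO connection in $pdo,
// the thread's table/column names, and a passwordhash column (assumed).

function validateEmail(string $raw): ?string
{
    // Trim only; a valid address is returned unchanged, nothing is stripped.
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Inputs the thread discusses, with the verdict FILTER_VALIDATE_EMAIL gives.
$samples = [
    'chris#example.com'   => false,  // no @
    'chris@ex@ample.com'  => false,  // two @
    'chris.@example.com'  => false,  // local part ends with a dot
    'chris@@example.com'  => false,
    'chris@example..com'  => false,
    'name@companyname'    => false,  // the OP's regex accepted this: no dot in the domain
    'chris@example.com'   => true,
    'chris@a.b.c.com'     => true,
    "o'brien@example.com" => true,   // an apostrophe is legal in the local part
];
foreach ($samples as $input => $expected) {
    $ok = validateEmail($input) !== null;
    printf("%-22s %s\n", $input, $ok === $expected ? 'as expected' : 'UNEXPECTED');
}

// Registration path: validate the format, then let the driver handle quoting.
function registerMember(PDO $pdo, string $rawEmail, string $rawPassword): string
{
    $email = validateEmail($rawEmail);
    if ($email === null) {
        return 'The email you entered is not valid.';
    }
    // The apostrophe in o'brien@... cannot close the string literal here,
    // because the value is bound as a parameter and never becomes SQL text.
    $stmt = $pdo->prepare('SELECT userid FROM organisermembers WHERE emailaddress = ? LIMIT 1');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() !== false) {
        return 'Sorry, that email is already in use!';
    }
    // Passwords get no filtering at all: hash them and store only the hash.
    $hash = password_hash($rawPassword, PASSWORD_DEFAULT);
    $ins = $pdo->prepare('INSERT INTO organisermembers (emailaddress, passwordhash) VALUES (?, ?)');
    $ins->execute([$email, $hash]);
    return 'ok';
}
```

Run the file on its own to see the sample verdicts; registerMember() needs a real PDO connection and a matching table.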
darkfreaks Posted September 12, 2012

Don't forget to mark the topic solved.