Jump to content

Recommended Posts

I have a preg match which forces proper input for email addresses "someone@company.com" but it also allows people to enter characters such as !/$ which someone may use to hack into the database.

 

Should I be stopping these kind of characters from being entered into the database?

 

    if(preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) {
        $error = "The email you entered is not valid.";
    }

 

Also what should I do for standard input.  I dont have any preg match on the name or password etc.  What is the best preg match to put on this?

 

 

Link to comment
https://forums.phpfreaks.com/topic/268233-good-preg-match-standards/
Share on other sites

I have a preg match which forces proper input for email addresses "someone@company.com" but it also allows people to enter characters such as !/$ which someone may use to hack into the database.

 

Should I be stopping these kind of characters from being entered into the database?

 

    if(preg_match("/[a-zA-Z0-9-.+]+@[a-zA-Z0-9-]+.[a-zA-Z]+/", $emailaddress) == 0 && !$error) {
        $error = "The email you entered is not valid.";
    }

 

Also what should I do for standard input.  I dont have any preg match on the name or password etc.  What is the best preg match to put on this?

 

 

 

Why not use an email_filter and escape the data before it hits the db?

 

http://php.net/manual/en/filter.filters.validate.php

 

That pattern isn't going to necessarily return valid emails. The domain portion is very lax, and the local part isn't totally accurate. For example, you can't have an email with: blah.@domain.com Plus, you are missing a bunch of valid characters.

 

I don't think anyone can hack your database with !/$ characters. But even if they could, you should already be escaping or binding the input anyway.

 

Passwords shouldn't get any filtering. By filtering passwords you're just reducing its security. Once you hash it, whatever characters it was made up with is irrelevant anyway.

 

Filter usernames however you want them to be displayed. Only you can decide what that should be.

You should know that writing a RegExp to validate e-mail addresses is extremely difficult, if not impossible, to get 100% correct. The best method to validate an e-mail address is to actually ask the mail server of the given domain, which will add a little bit of delay due to the latency of the network traffic between the two servers.

You should know that writing a RegExp to validate e-mail addresses is extremely difficult, if not impossible, to get 100% correct.

 

Maybe so, but writing one that matches 99.9% of them isn't. The format for en Email address is pretty clearly defined, and not that complex.

 

The chances of hitting an edge case where a specific email doesn't match is pretty slim. How many people do you know that use !#$%&'*+/=?^`{|}~ in their email address?

What??? Im not looking to check if an email address exists, I'm trying ensure that it is entered in the correct format e.g. something@something.com and no code is injected into the DB.

 

http://php.net/manual/en/filter.filters.validate.php

 

I had a look through this.  So is "FILTER_VALIDATE_EMAIL" coded to reject a format that is not an email address? 

 

How does it reject code injection.  I thought that was the purpose of preg_match?

 

scootstah is this the process you use to allow people to submit an email address to a database?

 

FILTER_VALIDATE_EMAIL does NOT allow incomplete e-mail addresses to be validated.

also it does not allow the following:

chris#example.com

chris@ex@ample.com

chris.@example.com

chris@@example.com

chris@example..com

allowed:

 

chris@example.com

chris@a.b.c.com

 

//sanitize post email then make sure it is a valid email
$email = filter_var(filter_var($_POST['email'], FILTER_SANITIZE_EMAIL),
         FILTER_VALIDATE_EMAIL);
if($email === false)
{
   // if email invalid error
}

Hi,

 

Many thanks for posting that but I couldn't get it to work.  My email address row is emailaddress.

 

When I use the following it allows anything to be added such as xxxxxxxxxxxxxxx but only once.

 

Am I using it correctly or this for a certain level of PHP?

 

 

    if((!isset($emailaddress) || empty($emailaddress)) && !$error) {
        $error = "You need to enter an email.";
    }

    $query = mysql_query("SELECT userid FROM organisermembers WHERE emailaddress = '".$emailaddress."' LIMIT 1");
    if(mysql_num_rows($query) > 0 && !$error) {
        $error = "Sorry, that email is already in use!";
    }

$email = filter_var(filter_var($_POST['emailaddress'], FILTER_SANITIZE_EMAIL),
         FILTER_VALIDATE_EMAIL);
if($email === false)
{
   // if email invalid error
}

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.