Am I using preg_match_all() correctly?

  • fional24 (Graduate)
  • Posts: 125
  • Loc: Scotland

Post 3+ Months Ago

I've been having a few issues this week with bad people messing about with my php form scripts. So, I'm adding more validation in to make things more secure. This is a portion of my script where I am trying to make sure that if content-type, bcc: or cc: are submitted in my text box, then my script will exit. My problem is that I'm not sure which function will help me do this best. I have chosen preg_match_all() because as far as I understand it will pick up all instances in the tested string. I know it is case sensitive though, so I have been trying the i modifier.

I'm not the best with regular expressions, so could someone check this for me please?

What I am meaning this to do is look for the text in $find without case being an issue, match it against my three variables then print the paragraph then exit the script completely.

I have already initialised my variables mentioned in the function, cleaning off any nasty characters etc...

Code:
$find = "/[content-type|bcc:|cc:]/i";
if (preg_match_all($find, $name) || preg_match_all($find, $email) || preg_match_all($find, $about)) {
  echo "<p>string has been found</p>";
  exit;
}


So I'm hoping this will catch variations on:

ConTent-typE
Content-Type
bCC:
Cc:
cC:

etc...

Is this a good way to do this? Or would I be better off using another function/method?

Thanks,

Fee

  • gisele (Expert)
  • Posts: 585
  • Loc: Nimes (France)

Post 3+ Months Ago

Hi,
I would like to understand further :-)
What do you want to pick up the instances for? You don't seem to pick them (a parameter is missing).
If you'll just print the paragraph we see, preg_match_all() is not necessary.

Do you mean that $about, $name, and $email are texts submitted and $find a regular expression? Or the inverse, $find the text submitted and the 3 variables regular expressions recognizing a name, an email or a file name? (In that case maybe you won't have to call the function 3 times.)
Do you want us to give you the regular expression matching
-a name
-an email
-a file name
?
  • fional24 (Graduate)
  • Posts: 125
  • Loc: Scotland

Post 3+ Months Ago

I want the program to exit if the strings are found.

The variables are coming from a text box on a form and I'm trying to make sure that headers can't be injected via the form, in terms of inserting bcc and cc to send out spam. This has happened to me already and I'm not going to let it happen again!

The code I have posted is just a portion of the script, the variables etc... have all been defined etc... I just want to know if preg_match_all() will find the strings in the ways I described so I can exit the script.

I have cleaned the information from the form earlier in the script, taking off tags and special characters etc...

Quote:
Do you mean that $about, $name, and $email are texts submmitted and $find a regular expression?


Yeh, $about, $name and $email are the submitted fields and $find is the regular expression

More code in context:

Code:
function cleanUp($data) {
  // htmlspecialchars() runs first, so strip_tags() sees encoded entities and has nothing left to strip
  $data = trim(strip_tags(htmlspecialchars($data)));
  return $data;
}

 $name=cleanup($_POST['name']);
 $email=cleanup($_POST['email']);
 $about="Newsletter request";
 // strip CR and LF so a second header line cannot be appended
 $name = preg_replace("([\r\n])", "", $name);
 $email = preg_replace("([\r\n])", "", $email);

$find = "/[content-type|bcc:|cc:]/i";
if (preg_match_all($find, $name) || preg_match_all($find, $email) || preg_match_all($find, $about)) {
  echo "<p>string has been found</p>";
  exit;
}
  • gisele (Expert)
  • Posts: 585
  • Loc: Nimes (France)

Post 3+ Months Ago

Ok man,
"I'm trying to make sure that headers can't be injected via the form, in terms of inserting bcc and cc to send out spam" => that's what I was missing to understand :-)

First, your regular expression is not good because it means that you allow none of the single characters inside [] instead of none of the whole expressions "cc:" or "bcc:" or "content-type", and I also think eregi() is enough because you don't use the instances afterwards.


PHP Code:
function cleanUp($data) {
   $data = trim(strip_tags(htmlspecialchars($data)));
   return $data;
}

  $name=cleanup($_POST['name']);
  $email=cleanup($_POST['email']);
  $about="Newsletter request";
  $name = preg_replace("([\r\n])", "", $name);
  $email = preg_replace("([\r\n])", "", $email);

// eregi() was deprecated in PHP 5.3 and removed in PHP 7.0; the preg_match() version later in this thread works on current PHP
if (eregi("content-type|bcc:|cc:", $name) || eregi("content-type|bcc:|cc:",  $email) || eregi("content-type|bcc:|cc:",  $about)) {
      echo "<p>string has been found</p>";
  exit;
}
  • fional24 (Graduate)
  • Posts: 125
  • Loc: Scotland

Post 3+ Months Ago

Thanks for quick reply and improved code!

So, just to clear things in my head so I'll know this for next time, what is the difference between "content-type" and [content-type] when used in an expression this way?

Does "content-type" look for that phrase and [content-type] look for all of the letters contained in the []?
  • gisele (Expert)
  • Posts: 585
  • Loc: Nimes (France)

Post 3+ Months Ago

Quote:
does "content-type" look for that phrase and [content-type] look for all of the letters contained in the []?


Exactly.

It was hard for me to explain the nuance precisely in English, but I think you got it :-)
Imagine an "or" between the letters in the [].
Note "-" means from .. to..
Example: [a-z] => any letter from a to z
[a-z0-9] => any letter or any digit
  • fional24 (Graduate)
  • Posts: 125
  • Loc: Scotland

Post 3+ Months Ago

:D Thanks for solving that for me, feeling much more confident now!
  • gisele (Expert)
  • Posts: 585
  • Loc: Nimes (France)

Post 3+ Months Ago

Hello

Just one more thing by the way,

preg_match_all() is unnecessary, but preg_match() is better than eregi(), because PCRE functions are faster than POSIX functions (and not only).
So you could also put :
PHP Code:
if (preg_match("/content-type|bcc:|cc:/i", $name) || preg_match("/content-type|bcc:|cc:/i",  $email) || preg_match("/content-type|bcc:|cc:/i", $about)) {

The syntax is a little bit different (you have to add delimiters like "/" or "`" or ... ;-) ). (Note the "i" for case insensitivity.)
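The following is an added example, not code posted in this thread. It puts the character class from the first post next to the alternation gisele recommends, runs both over a few constructed form values, and wraps the recommended check in a helper (the function name looksLikeHeaderInjection and the sample values are my own):

```php
<?php
// Added example, not code from the thread. It contrasts the OP's character
// class with the alternation recommended in the answers and wraps the
// recommended test in a reusable function.

// Constructed sample values: two ordinary form fields and two header-injection attempts.
$samples = [
    'Alice Smith',
    'alice@example.com',
    "alice@example.com\r\nBcc: victim@example.net",  // CRLF followed by an extra header line
    'Content-Type: text/html',
];

// The OP's pattern. [...] is a character class: it matches ONE character that is
// any of c, o, n, t, e, -, y, p, |, b or ':', so an ordinary name like "Alice" matches too.
$charClass = '/[content-type|bcc:|cc:]/i';

// The recommended pattern. Without the brackets, | separates whole alternatives,
// so only the tokens "content-type", "bcc:" or "cc:" match (case-insensitive via /i).
$alternation = '/content-type|bcc:|cc:/i';

/**
 * Returns true when a single form value should be rejected before it is
 * placed anywhere near mail() headers. Besides the header names from the
 * thread it rejects any bare CR or LF, because a newline is what allows a
 * second header line to be appended in the first place.
 */
function looksLikeHeaderInjection(string $value): bool
{
    return preg_match("/[\r\n]/", $value) === 1
        || preg_match('/content-type|bcc:|cc:/i', $value) === 1;
}

foreach ($samples as $value) {
    printf(
        "%-48s class=%d alternation=%d reject=%s\n",
        json_encode($value),
        preg_match($charClass, $value),
        preg_match($alternation, $value),
        looksLikeHeaderInjection($value) ? 'yes' : 'no'
    );
}
```

Run it with `php` from the command line. The class column is 1 for every row, including the two harmless values, because each of them contains at least one of the listed letters; the alternation column is 1 only for the two rows that carry a header name. The CR/LF test in looksLikeHeaderInjection() is the part worth keeping even if the list of header names changes, since a header can only be injected when a line break reaches the header block.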
  • fional24 (Graduate)
  • Posts: 125
  • Loc: Scotland

Post 3+ Months Ago

:D Thanks for the extra idea, I'll try the preg_match() version now.

Fee


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.