NYPHP.org

[nycphp-talk] Sneaking in unwanted characters

David Sklar sklar at sklar.com
Wed Sep 10 15:52:18 EDT 2003


What is the e-mail address they snuck through? You probably want to escape
the . in the character class before the @ in the first regex -- otherwise
you're matching ^.+@

Separately, why does your client want to do this? www.me at mydomain.com is a
perfectly valid e-mail address.

David

On Wednesday, September 10, 2003 3:35 PM,  wrote:

> My client doesn't want anyone who visits his website to enter an email
> address like www.me at mydomain.com.
> So, I have two checks to validate the email entered by the user. Each
> check uses preg_match.
>
> Here's the pattern used for the first match:
> '/^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$/i',
>
> Then the email goes through a second check: ( preg_match('/^www\./',
> trim($_POST['email'])) )
>
> Somehow someone managed to sneak through an email address with a www
> at the beginning and I'm a bit puzzled as to how they managed to do
> it. Is it possible that they entered some sort of non-printable
> character, like a character with an ASCII value less than 33, which
> would foil the data check? Or is it something obvious that I'm
> overlooking?
>
> Jeff Siegel
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
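
Added example, not part of either message: it runs the two patterns quoted above over constructed inputs, including the leading-whitespace case the question asks about. How the two checks are combined (`original_check`) and the `strict_check` variant are assumptions; note that the first quoted pattern carries the `/i` modifier and the second does not.

```php
<?php
// Patterns copied verbatim from the quoted message.
const ADDRESS_RE = '/^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$/i';
const WWW_RE     = '/^www\./';

// Assumed original flow: accept when the address pattern matches the raw
// input and the trimmed input does not start with "www.".
function original_check(string $raw): bool
{
    return preg_match(ADDRESS_RE, $raw) === 1
        && preg_match(WWW_RE, trim($raw)) !== 1;
}

// Stricter variant (hypothetical helper): normalise once, anchor with
// \A...\z because `$` without the D modifier also matches before a trailing
// newline, and compare the "www." prefix case-insensitively.
function strict_check(string $raw): bool
{
    $email = trim($raw);
    $re = '/\A[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})\z/i';

    return preg_match($re, $email) === 1
        && preg_match('/\Awww\./i', $email) !== 1;
}

// Constructed sample inputs, using the address from the thread.
$samples = [
    "me@mydomain.com",
    "www.me@mydomain.com",
    "WWW.me@mydomain.com",      // prefix in a different case
    " www.me@mydomain.com",     // leading character below ASCII 33
    "www.me@mydomain.com\n",    // trailing newline
];

foreach ($samples as $s) {
    printf(
        "%-26s original=%-6s strict=%s\n",
        json_encode($s),
        original_check($s) ? 'accept' : 'reject',
        strict_check($s) ? 'accept' : 'reject'
    );
}
```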



