
I want to avoid the occurrence of a % sign in the e-mail address, so that the user does not add additional headers to the e-mail.

However, I am totally overwhelmed with regex and cannot find the solution.

So far I have

/[%]+/

But in my whole code this does validate an e-mail address like test@example.com% as true.
This was due to Firefox and Chrome having an internal e-mail check when specifying type="email" for the input!!!

function validateEmail(sEmail) {
    // Shape check: lower-case local part, "@", dotted domain, 2-4 letter TLD
    var filter = /^[a-z0-9]+([-._][a-z0-9]+)*@([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,4}$/;
    // Length limits: 1-64 chars before "@", 4-64 after it, 6-100 overall
    var filter2 = /^(?=.{1,64}@.{4,64}$)(?=.{6,100}$).*/;
    // Reject any "%" sign anywhere in the address
    var filter3 = /[%]+/;
    // Each regex needs its own "var"; the original declared only the first one,
    // which silently turned filter2 and filter3 into globals
    return filter.test(sEmail) && filter2.test(sEmail) && !filter3.test(sEmail);
}

By the way, since I am totally unable to write this myself so far, I found two solutions, and I am not sure which one is better: the upper one (1) or (2):

/^([\w-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([\w-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/

What do you think?

Alex Bravo
loveNoHate
  • Don't make things hard on yourself. Use prepared statements in your backend and everything is just dandy. – Ingo Bürk Nov 29 '13 at 18:15
  • Leave JS for the dummy user. Use proper validation for the server-side script. – Roko C. Buljan Nov 29 '13 at 18:15
  • Also as a general note, [don't validate e-mail addresses using regular expressions](http://stackoverflow.com/questions/201323/using-a-regular-expression-to-validate-an-email-address) – Ingo Bürk Nov 29 '13 at 18:16
  • Javascript can be altered on the client side, so if you want to use it, also make the check server side as stated above. – Isaac Nov 29 '13 at 18:17
  • Eeeh, I want to thank you all! Have to go now through all you said!! :) – loveNoHate Nov 29 '13 at 18:26
  • Email addresses may contain percent signs. For instance, this is a valid email address: "()<>[]:,;@\\\"!#$%&'*+-/=?^_`{}| ~.a"@example.org – mttdbrd Nov 29 '13 at 18:26
  • I know, it seems unusual to have an e-mail address like this, though. First I tried to regex for: have no percent sign after the validated e-mail address. But then I was totally lost. ;) – loveNoHate Nov 29 '13 at 18:34

2 Answers

You shouldn't be using regular expressions to protect against injection. Instead, use a prepared SQL statement:

// $dbh is an existing PDO connection; $name and $value are the raw user-supplied strings
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
$stmt->execute();   // the bound values are sent as data, never parsed as SQL
JDiPierro
  • This is the correct answer, but I also suggest that readers of this page check the OWASP page below for solutions to parameterizing values in other languages as well (Java, etc.). – mttdbrd Nov 29 '13 at 18:27
  • Wait, can I use this without using a SQL table? Can you give the whole code from the `$_POST` on, please? Thank you!! – loveNoHate Nov 29 '13 at 18:39
  • Ok, I think I put the question wrong. I just want to avoid additional headers in the sent e-mail. – loveNoHate Nov 29 '13 at 18:52

I wouldn't use regex unless you fully understand what a valid email address is. Instead, you should parameterize all values so that even if malicious code is inserted, it'll just treat it as a string. See OWASP:

https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet


I see that you changed the question. You're actually interested in fixing PHP email header injection. This is considerably more complex than simply filtering out a single character in email addresses. You need to check to see if hackers/bots are trying to inject multipart/form data (especially newline/carriage returns which delimit header from body of a multipart message), manipulate form and session variables, and filter names and other fields (which shouldn't contain special characters).

Email address filtering just isn't sufficient to prevent attacks. The machine itself needs to be properly configured as well. Follow this guide to do what you can to secure against php injection (includes examples for filtering out newlines and for software configuration): http://static.askapache.com/pdf/xss-csrl-injection.pdf

mttdbrd
  • … and when you so much as vaguely understand what a valid email address is, you certainly won't go for using regular expressions anymore anyway. – Ingo Bürk Nov 29 '13 at 18:17
  • Exactly. There are some bizarre things that are valid email addresses. – mttdbrd Nov 29 '13 at 18:19
  • @IngoBürk I think I put the question wrong. How can I avoid additional headers in the sent e-mail? Thank you!! – loveNoHate Nov 29 '13 at 18:53
  • I changed my answer to reflect your new question. Would you mind taking a look to see if it answers your question? – mttdbrd Dec 03 '13 at 20:58
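The following is an added, editor-written example (not code from the question or from either answer) of the server-side check the second answer calls for: a PHP contact-form handler with the vulnerable pattern beside a hardened one. The character to reject is not "%" but carriage return and line feed. mail() copies its header string into the message verbatim, so a CR/LF inside a user-supplied value starts a new header line (an extra Bcc:, for example); and because PHP URL-decodes form data before it reaches $_POST, an attacker's "%0D%0A" arrives as real CRLF bytes, not as a percent sign. The function names, the owner@example.com recipient and the test inputs at the bottom are all constructed for this example; it assumes PHP 7.1 or later, and the two send functions assume a working mail() configuration (the self-check loop sends nothing).

```php
<?php
// Added example, not from the original question or answers.
// Guard a PHP contact form against e-mail header injection.
//
// mail() copies the header string it is given into the message verbatim,
// so a user-supplied value containing "\r\n" starts a new header line.
// "%" itself is harmless: "%0D%0A" is only the URL-encoded form of CRLF,
// and PHP has already decoded it by the time the value is in $_POST.
// The bytes to reject are therefore CR, LF and (defensively) NUL.

/** True if $value cannot terminate a header line (contains no CR, LF or NUL). */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Validate an address for use in a mail header. Returns the address, or
 * null if it contains line breaks or is not syntactically valid.
 * filter_var() does the syntax check, so no hand-written regex is needed;
 * the CR/LF test runs first and is the part that actually stops the injection.
 */
function safeEmail(string $email): ?string
{
    if (!isHeaderSafe($email)) {
        return null;
    }
    $valid = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/** Vulnerable: the form value goes straight into the From: header. */
function sendContactVulnerable(string $fromInput, string $message): bool
{
    // $fromInput = "a@example.com\r\nBcc: victim@example.net" adds a real Bcc: header.
    $headers = 'From: ' . $fromInput . "\r\n";
    return mail('owner@example.com', 'Contact form', $message, $headers); // hypothetical recipient
}

/** Hardened: refuse anything that could break out of the header line. */
function sendContactHardened(string $fromInput, string $message): bool
{
    $from = safeEmail($fromInput);
    if ($from === null) {
        return false; // report a form error to the user; never send
    }
    $headers = 'From: ' . $from . "\r\n";
    return mail('owner@example.com', 'Contact form', $message, $headers); // hypothetical recipient
}

// Constructed inputs for a self-check; nothing is sent here.
$cases = [
    'user@example.com'                              => true,
    "user@example.com\r\nBcc: victim@example.net"   => false, // classic CRLF injection
    "user@example.com\nBcc: victim@example.net"     => false, // a bare LF is enough
    'user@example.com%0D%0ABcc: victim@example.net' => false, // double-encoded: literal text, fails syntax check
    'test@example.com%'                             => false, // the case from the question
];
foreach ($cases as $input => $expected) {
    $accepted = safeEmail($input) !== null;
    printf("%-60s %s\n", json_encode($input), $accepted === $expected ? 'ok' : 'MISMATCH');
}
```

Run isHeaderSafe() over every value that lands in a header (sender name, subject, Reply-To), not only the address; the message body may contain line breaks freely, because mail() already separates it from the headers. With this in place the regexes from the question can be dropped: filter_var() covers the address syntax, and it is the CR/LF check, not the address syntax, that blocks the injection.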