preventing header injection
Moderator: General Moderators
Re: preventing header injection
So it should look like this, right?
'|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D'
Should the D modifier be used any time a regex uses the ^ and $ boundaries?
Thanks,
Drew
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: preventing header injection
oboedrew wrote:
> So it should look like this, right?
> '|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D'
> Should the D modifier be used any time a regex uses the ^ and $ boundaries?
> Thanks,
> Drew
Most likely yes, unless you are using the m modifier, which makes D "disappear".
Re: preventing header injection
Understood. Thanks for all the help, Kai!
Cheers,
Drew
Re: preventing header injection
kaisellgren wrote:
> The modifier D makes the $ character match the very end of the subject. Otherwise, it won't.
Are you saying that:
Code:
$x = "hello\n";
// this would match $x
preg_match('#^hello$#', $x);
// while this wouldn't?
preg_match('#^hello$#D', $x);
- kaisellgren
Re: preventing header injection
In that code, the former matches while the latter does not.
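The anchor behaviour discussed in this thread, as an added example that is not part of any post: it runs the posted address pattern with no modifier, with D, with m and D together, and with \A...\z against three constructed inputs, then applies the check to a value bound for a mail header. The names $body, accepts() and header_safe_address() and the example.com addresses are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. The address pattern is the one
// posted above; the sample inputs are constructed.
$body = '[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}';

$patterns = [
    '^...$'    => '|^' . $body . '$|',    // $ also matches before a final "\n"
    '^...$ D'  => '|^' . $body . '$|D',   // $ matches only at the very end
    '^...$ mD' => '|^' . $body . '$|mD',  // m set: D is ignored, per-line anchors
    '\A...\z'  => '|\A' . $body . '\z|',  // absolute anchors, no modifier needed
];

$inputs = [
    'clean'            => "drew@example.com",
    'trailing newline' => "drew@example.com\n",
    'extra header'     => "drew@example.com\nBcc: other@example.net",
];

function accepts(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// Print an accept/reject table: one row per input, one column per pattern.
printf("%-18s", 'input');
foreach (array_keys($patterns) as $label) {
    printf("%-10s", $label);
}
echo "\n";
foreach ($inputs as $name => $value) {
    printf("%-18s", $name);
    foreach ($patterns as $pattern) {
        printf("%-10s", accepts($pattern, $value) ? 'accept' : 'reject');
    }
    echo "\n";
}

// For a value that ends up in a mail header: refuse anything containing CR
// or LF outright, and return the exact string that was checked.
function header_safe_address(string $value, string $pattern): ?string
{
    if (strpbrk($value, "\r\n") !== false) {
        return null;
    }
    return accepts($pattern, $value) ? $value : null;
}

var_dump(header_safe_address("drew@example.com\n", $patterns['^...$']));
var_dump(header_safe_address("drew@example.com", $patterns['^...$ D']));
```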
Re: preventing header injection
I didn't realize that. I usually trim everything anyway. Good to know 
- kaisellgren
Re: preventing header injection
astions wrote:
> I usually trim everything anyway.
I usually have one space in front of my password... :/
Re: preventing header injection
Well you'll still be able to login. I'll trim it on the login form too 
- kaisellgren
Re: preventing header injection
astions wrote:
> Well you'll still be able to login. I'll trim it on the login form too
Kai.has_noscript_extension = true;
Re: preventing header injection
It's trimmed server side.
- kaisellgren
Re: preventing header injection
astions wrote:
> It's trimmed server side.
Oh, I thought you meant you use JS to trim ("I'll trim it on the login form too").
Well, then it's even worse