preventing header injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

oboedrew
Forum Commoner
Posts: 78
Joined: Fri Feb 20, 2009 1:17 pm

Re: preventing header injection

Post by oboedrew »

So it should look like this, right?

'|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D'

Should the D modifier be used any time a regex uses the ^ and $ boundaries?

Thanks,
Drew
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: preventing header injection

Post by kaisellgren »

oboedrew wrote: So it should look like this, right?

'|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D'

Should the D modifier be used any time a regex uses the ^ and $ boundaries?

Thanks,
Drew
Most likely yes, unless you are using the m modifier, which makes D "disappear".
oboedrew
Forum Commoner
Posts: 78
Joined: Fri Feb 20, 2009 1:17 pm

Re: preventing header injection

Post by oboedrew »

Understood. Thanks for all the help, Kai!

Cheers,
Drew
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: preventing header injection

Post by Benjamin »

kaisellgren wrote: The modifier D makes the $ character match the very end of the subject. Otherwise, it won't.
Are you saying that:

Code:

$x = "hello\n";

// this would match $x
preg_match('#^hello$#', $x);

// while this wouldn't?
preg_match('#^hello$#D', $x);

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: preventing header injection

Post by kaisellgren »

In that code, the former matches while the latter does not.
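
Added example, not part of the original thread: it runs the email pattern posted above with no modifier, with D, and with m plus D, covering both the D behaviour confirmed here and the earlier remark that m makes D "disappear". The `accepts()` helper and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread). The pattern is the one posted above;
// accepts() and the sample inputs are constructed for illustration.

$patterns = [
    'no modifier' => '|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|',
    'D'           => '|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D',
    'm and D'     => '|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|mD',
];

$inputs = [
    'clean address'        => "user@example.com",
    'trailing newline'     => "user@example.com\n",
    'embedded second line' => "user@example.com\nX-Extra: value",
];

// True only when the whole pattern matched; preg_match() returns 1 on a match,
// 0 on no match, and false on error, so compare strictly against 1.
function accepts(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

foreach ($inputs as $inputLabel => $value) {
    foreach ($patterns as $patternLabel => $pattern) {
        printf(
            "%-22s %-12s %s\n",
            $inputLabel,
            $patternLabel,
            accepts($pattern, $value) ? 'accepted' : 'rejected'
        );
    }
}
```

Only the D pattern rejects both newline-bearing inputs. Without a modifier, `$` also matches just before a final newline, and with m set D is ignored, so `$` matches at the end of any line.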
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: preventing header injection

Post by Benjamin »

I didn't realize that. I usually trim everything anyway. Good to know :)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: preventing header injection

Post by kaisellgren »

astions wrote: I usually trim everything anyway.
I usually have one space in front of my password... :/
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: preventing header injection

Post by Benjamin »

Well you'll still be able to login. I'll trim it on the login form too :lol:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: preventing header injection

Post by kaisellgren »

astions wrote: Well you'll still be able to login. I'll trim it on the login form too :lol:
Kai.has_noscript_extension = true; :)
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: preventing header injection

Post by Benjamin »

It's trimmed server side.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: preventing header injection

Post by kaisellgren »

astions wrote: It's trimmed server side.
Oh, I thought you meant you use JS to trim ("I'll trim it on the login form too").

Well, then it's even worse :P