Re: preventing header injection

Posted: Mon Mar 16, 2009 1:55 pm
by oboedrew
So it should look like this, right?

'|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D'

Should the D modifier be used any time a regex uses the ^ and $ boundaries?

Thanks,
Drew

Re: preventing header injection

Posted: Mon Mar 16, 2009 1:59 pm
by kaisellgren
oboedrew wrote: So it should look like this, right?

'|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D'

Should the D modifier be used any time a regex uses the ^ and $ boundaries?

Thanks,
Drew
Most likely yes, unless you are using the m modifier, which makes D "disappear".

Re: preventing header injection

Posted: Mon Mar 16, 2009 2:12 pm
by oboedrew
Understood. Thanks for all the help, Kai!

Cheers,
Drew

Re: preventing header injection

Posted: Mon Mar 16, 2009 4:47 pm
by Benjamin
kaisellgren wrote: The modifier D makes the $ character to match the very end of the subject. Otherwise, it won't.
Are you saying that:

$x = "hello\n";   // subject ends with a newline

// this would match $x
preg_match('#^hello$#', $x);

// while this wouldn't?
preg_match('#^hello$#D', $x);

Re: preventing header injection

Posted: Mon Mar 16, 2009 4:53 pm
by kaisellgren
In that code, the former matches while the latter does not.
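The difference Kai confirms above, and his earlier remark that the m modifier cancels D, run against the thread's own e-mail pattern. This is an added example, not code posted in the thread; the function names and the sample inputs are mine.

```php
<?php
// Added example (not from the thread). Each helper runs the e-mail pattern
// discussed above with a different modifier set and returns whether it matched.

// Without D, $ also matches just before a final "\n", so a subject that ends
// in a newline still passes an "anchored" validation.
function is_valid_email_no_d(string $s): bool {
    return preg_match('|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|', $s) === 1;
}

// With D (PCRE_DOLLAR_ENDONLY), $ matches only at the very end of the subject,
// so a trailing newline makes the match fail.
function is_valid_email_with_d(string $s): bool {
    return preg_match('|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D', $s) === 1;
}

// With m, ^ and $ match at every line boundary and D is ignored, so a
// multi-line subject passes as soon as any one line looks like an address.
function is_valid_email_m_and_d(string $s): bool {
    return preg_match('|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|mD', $s) === 1;
}

// Constructed inputs: a clean address, the same address with a trailing
// newline, and an address followed by a second line (the shape a header
// check must reject). Only the D-only pattern rejects both bad inputs.
$inputs = [
    'clean'            => "user@example.com",
    'trailing newline' => "user@example.com\n",
    'extra line'       => "user@example.com\nsecond line",
];

foreach ($inputs as $label => $value) {
    printf("%-17s no-D=%-5s D=%-5s mD=%s\n",
        $label,
        var_export(is_valid_email_no_d($value), true),
        var_export(is_valid_email_with_d($value), true),
        var_export(is_valid_email_m_and_d($value), true));
}
```

Note that trim() only strips whitespace at the ends of the string, so it removes the trailing newline case but does nothing for a newline in the middle; the D-anchored pattern rejects both.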

Re: preventing header injection

Posted: Mon Mar 16, 2009 4:59 pm
by Benjamin
I didn't realize that. I usually trim everything anyway. Good to know :)

Re: preventing header injection

Posted: Mon Mar 16, 2009 5:02 pm
by kaisellgren
astions wrote: I usually trim everything anyway.
I usually have one space in front of my password... :/

Re: preventing header injection

Posted: Mon Mar 16, 2009 5:07 pm
by Benjamin
Well you'll still be able to login. I'll trim it on the login form too :lol:

Re: preventing header injection

Posted: Mon Mar 16, 2009 5:12 pm
by kaisellgren
astions wrote: Well you'll still be able to login. I'll trim it on the login form too :lol:
Kai.has_noscript_extension = true; :)

Re: preventing header injection

Posted: Mon Mar 16, 2009 5:15 pm
by Benjamin
It's trimmed server side.

Re: preventing header injection

Posted: Mon Mar 16, 2009 5:56 pm
by kaisellgren
astions wrote: It's trimmed server side.
Oh, I thought you meant you use JS to trim ("I'll trim it on the login form too").

Well, then it's even worse :P