Validating names for all locales

Any questions involving matching text strings to patterns - the pattern is called a "regular expression."

timgolding
Forum Newbie
Posts: 14
Joined: Tue Jul 24, 2007 9:02 am

Post by timgolding »

feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi, I am absolutely tearing my hair out. One of my sites has been hacked, and it was basically because I wasn't validating some user input variables that were being used as part of the subject and body parameters of the PHP mail function. The variable itself represents the NAME of the user.

Here is a regex I created that will work for English names.

```php
<?php
// Sample input from the post: an English name with an apostrophe, a space and digits.
$text = 'Ti\'m Golding 32';

// Original pattern: ASCII letters/digits, whitespace, comma, full stop, em-dash,
// apostrophe, double quote and hyphen. ereg() was removed in PHP 7, so the same
// POSIX-class pattern is used with preg_match() instead.
$regex = '/^[[:alnum:][:space:],.—\'"-]*$/';

if (preg_match($regex, $text)) {
    echo ' match ';
} else {
    echo 'no match ';
}
```
However, since this is an international site, this validation is not good enough.
How can I validate for any locale? I just want to strip anything that could be dangerous and accept any punctuated name from any country.

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

There's nothing inherently dangerous in a name. It's likely in how you are using it that got you into security hole territory.
timgolding
Forum Newbie
Posts: 14
Joined: Tue Jul 24, 2007 9:02 am

Post by timgolding »

Well, it's going in the subject field of the email; therefore someone can put additional email header information, which is what they did, and then used my server to CC hundreds of porn emails to many recipients.
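The two posts above (a name from any locale, and the header injection through the Subject field) are illustrated by the following added example. It is not code from the thread; the attacker input, the addresses and the function names are constructed for the demonstration. It shows the vulnerable concatenation, parses the resulting header block so the smuggled Cc:/Bcc: fields are visible, and then a hardened version that rejects line breaks and NUL, requires valid UTF-8, drops the remaining control characters and RFC 2047-encodes the subject, so a name in any script is accepted without enumerating "safe" characters per language.

```php
<?php
declare(strict_types=1);

// Constructed attacker input (not from the thread): a "name" that smuggles extra headers.
$attackerName = "Tim\r\nCc: victim1@example.com, victim2@example.com\r\nBcc: spam-target@example.com";

// --- Vulnerable pattern: the raw name is concatenated into the Subject header. ---
function vulnerableSubject(string $name): string
{
    return 'Message from ' . $name;
}

// Build the header block a mail transport would receive. Nothing is sent; this only
// makes the injection visible: CRLF inside the subject starts new header lines.
function renderHeaders(string $subject): string
{
    return "To: owner@example.com\r\nSubject: " . $subject . "\r\n";
}

// Parse a header block back into its field names, so the injected Cc:/Bcc: show up.
function headerNames(string $headerBlock): array
{
    $names = [];
    foreach (preg_split('/\r?\n/', rtrim($headerBlock)) as $line) {
        if (preg_match('/^([A-Za-z-]+):/', $line, $m)) {
            $names[] = $m[1];
        }
    }
    return $names;
}

// --- Hardened version ---

// Any CR, LF or NUL in a value bound for a header is an injection attempt, whatever the locale.
function containsHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

// Accept a name from any script: reject line breaks, require valid UTF-8, drop the other
// control characters, and RFC 2047-encode the result so non-ASCII travels safely in a header.
function safeSubject(string $name): string
{
    if (containsHeaderInjection($name)) {
        throw new InvalidArgumentException('name contains line breaks or NUL');
    }
    if (!mb_check_encoding($name, 'UTF-8')) {
        throw new InvalidArgumentException('name is not valid UTF-8');
    }
    // \p{Cc} is the Unicode control category; letters, marks, digits, punctuation and
    // spaces from every script are left alone, so "Zoë O'Brien-Müller" or "山田 太郎" pass.
    $clean = trim(preg_replace('/\p{Cc}+/u', '', $name));
    if ($clean === '') {
        throw new InvalidArgumentException('name is empty after cleaning');
    }
    // mb_encode_mimeheader() emits =?UTF-8?B?...?= and folds long values with CRLF + space,
    // which is legal header folding and cannot start a new header field.
    return mb_encode_mimeheader('Message from ' . $clean, 'UTF-8', 'B', "\r\n");
}

// Hypothetical wrapper around mail(): recipient and From are fixed server-side, and the
// only user-controlled value reaching a header has gone through safeSubject().
function sendContactMail(string $to, string $name, string $body): bool
{
    $subject = safeSubject($name);   // throws on injection attempts
    $headers = "From: noreply@example.com\r\nContent-Type: text/plain; charset=UTF-8";
    return mail($to, $subject, $body, $headers);
}

// --- Demo ---
$block = renderHeaders(vulnerableSubject($attackerName));
echo "Vulnerable header block:\n" . $block;
echo 'Fields seen by the transport: ' . implode(', ', headerNames($block)) . "\n";
// Fields seen by the transport: To, Subject, Cc, Bcc

foreach (["Zoë O'Brien-Müller", '山田 太郎', $attackerName] as $name) {
    try {
        echo 'Safe subject: ' . safeSubject($name) . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```

The point of the hardened version is that the check is on the transport property (no line breaks in a header value) rather than on an allow-list of name characters, which is what breaks for other locales. Current PHP releases replace control characters in the to and subject arguments of mail() with spaces, but older releases, code that assembles the message itself, and the classic injection point, the additional_headers argument, get no such help, so the check belongs in the application regardless.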
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I would suggest you use a fairly well tested emailing library, such as Swift Mailer instead.

You can find it via our forum index (at the bottom).