validating names for all locale

Posted: Fri Sep 21, 2007 9:11 am
by timgolding
feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi, I am absolutely tearing my hair out. One of my sites has been hacked, and it was basically because I wasn't validating some user input variables that were being used as part of the subject and body parameters of the PHP mail function. The variable itself represents the NAME of the user.

Here is a regex I created that will work for English names.

Code:

<?php
// Constructed sample value: apostrophe, space and digits are all accepted by the pattern.
$text = "Ti'm Golding 32";
// Allowed characters: letters/digits, whitespace, and the punctuation , . — ' " -
// ereg() was removed in PHP 7, so the same POSIX-class pattern is run through preg_match().
$regex = "/^[[:alnum:][:space:],.—'\"-]*$/";
if (preg_match($regex, $text))
    echo ' match ';
else
    echo 'no match ';
However, since this is an international site, this validation is not good enough.
How can I validate for any locale? I just want to strip anything that could be dangerous and accept any punctuated name from any country.



Posted: Fri Sep 21, 2007 9:45 am
by feyd
There's nothing inherently dangerous in a name. It's likely in how you are using it that got you into security hole territory.

Posted: Fri Sep 21, 2007 9:48 am
by timgolding
Well, it's going in the subject field of the email, therefore someone can put additional email header information, which is what they did, and then used my server to CC hundreds of porn emails to many recipients.

Posted: Fri Sep 21, 2007 9:54 am
by feyd
I would suggest you use a fairly well tested emailing library, such as Swift Mailer instead.

You can find it via our forum index (at the bottom.)
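The thread raises two separate problems: a line break in the Subject lets the sender append headers (the CC abuse described above), and a name rule must not be tied to English. The following is an added PHP example, not code from the thread or from Swift Mailer; the sample names, the 100-character limit and the allowed punctuation set are constructed assumptions:

```php
<?php
// Check 1: a header value must never contain a line terminator. Apply this to
// every value that ends up in a header line (Subject, From, Reply-To), whatever
// the locale, because this is what actually enables header injection.
function is_safe_header_value(string $value): bool
{
    // CR, LF and NUL are never valid inside a single header value.
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Check 2: a locale-agnostic name rule. \p{L} (letters), \p{M} (combining marks)
// and \p{N} (digits) cover any script; the /u flag makes PCRE read the input as
// UTF-8. The punctuation set and the 100-character cap are assumptions.
function is_plausible_name(string $name): bool
{
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return false;
    }
    return preg_match('/^[\p{L}\p{M}\p{N} ,.\'"-]+$/u', $name) === 1;
}

// Constructed inputs: the third one carries an embedded line break followed by
// a Cc: header, the shape of value that abused mail() in the thread.
$samples = [
    "Tim Golding 32",
    "Zoë O'Brien-Müller",
    "Tim Golding\r\nCc: someone@example.com",
];

foreach ($samples as $name) {
    printf("%-45s header-safe=%-3s plausible=%s\n",
        json_encode($name, JSON_UNESCAPED_UNICODE),
        is_safe_header_value($name) ? 'yes' : 'no',
        is_plausible_name($name) ? 'yes' : 'no');
}

// Only a value that passes both checks is placed in the Subject line.
$name = $samples[1];
if (is_safe_header_value($name) && is_plausible_name($name)) {
    $subject = 'Message from ' . $name;
    // mail('you@example.com', $subject, $body, $headers);
}
```

The first check is the one that closes the hole; the second only narrows what a name may look like and would still be wrong to rely on alone.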