Validation of text field

Any questions involving matching text strings to patterns - the pattern is called a "regular expression."

matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Validation of text field

Post by matthijs »

What validation rules and/or regex would you use for validation of a text field in a contact form, used in the body of an email?
I've used the function below but it's a bit too restrictive (not allowing strange characters like umlaut etc).

function isValidString($value) {
    // Whitelist of allowed characters; tab, CR and LF are included, so
    // multi-line messages pass, but anything outside ASCII (umlauts etc.)
    // is rejected. Length must be between 2 and 2000 characters.
    $stringpattern = '/^[a-z0-9()\/\'":\*+|,.\t\n\r; \- !?&#$@]{2,2000}$/i';
    return preg_match($stringpattern, $value) === 1;
}
Maybe I should just use ctype_print?
Last edited by matthijs on Tue Jul 29, 2008 5:36 am, edited 1 time in total.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Validation of email text field

Post by jaoudestudios »

Try this... it does a regex check and pings the inbox to check to make sure the email account actually exists!
http://www.forum.jaoudestudios.com/view ... ?f=13&t=48
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Validation of text field

Post by matthijs »

Hi, thanks for your reply. Reading your answer I realize my subject title was not very clear. What I mean is that it's about a normal text field ("your message") in which all normal text characters should be allowed. The data of that text field is being used as the body of an email sent after successfully filling in the contact form.

I could of course limit the validation to only the length of the message (say 5 - 1000 characters), but I wondered if there's other validation I should do.
GeertDD
Forum Contributor
Posts: 274
Joined: Sun Oct 22, 2006 1:47 am
Location: Belgium

Re: Validation of text field

Post by GeertDD »

I wouldn't validate each and every character. You would have to use a huge character class in order not to block valid messages. Just check the length and if you are using the php mail() function watch out for a header injection.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Validation of text field

Post by jaoudestudios »

If you need a php mail class that removes any header injection, here is a great one that I use...
http://www.forum.jaoudestudios.com/view ... ?f=13&t=13
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Validation of text field

Post by matthijs »

GeertDD wrote: I wouldn't validate each and every character. You would have to use a huge character class in order not to block valid messages. Just check the length and if you are using the php mail() function watch out for a header injection.
Ok, thanks. I might just keep it at a length check then. The text from the message field is used in the body of the mail (using the mail() function) so no email header injection there as far as I know.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Validation of text field

Post by jaoudestudios »

I think headers can still be injected.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Validation of text field

Post by matthijs »

jaoudestudios wrote: I think headers can still be injected.
In the body of the mail() function? Are you sure?
omniuni
Forum Regular
Posts: 738
Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA

Re: Validation of text field

Post by omniuni »

Really, an eMail is just a bunch of text, where the headers are a few lines at the top of the mail that give it special information. If you put the right context in an eMail, especially if it's a text eMail, you can fool an eMail client into doing something other than what the form was intended for.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Validation of text field

Post by matthijs »

You guys have to show some concrete examples. I've dealt with the whole email injection issue some time ago so am aware of the problem. The securephp wiki had a good page about it, showing possible ways of injection. Unfortunately that page is down at the moment.

Can you guys show some code in which the body of the mail() function is exploited? And what regex/validation rule would you use then? Many of the filters that are shown to prevent the injection search for newlines. But in a text field used for the body of the mail function you don't want to strip or disallow newlines. I mean, if you would do that you wouldn't be able to format a normal email message using multiple paragraphs.
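The following is an added example illustrating GeertDD's advice (length check on the body, care about header injection) and the validation rule matthijs asks for in the post above; it is not code from any poster in this thread. It assumes a contact form with the fields name, email, subject and message, a sending address contact-form@example.com and a recipient owner@example.com, all placeholders. Only the message field is allowed newlines and non-ASCII text, because it is passed as the message argument of mail(); the fields that end up in header lines reject CR, LF and NUL outright, which is the check that stops a single header value from becoming several header lines.

```php
<?php
declare(strict_types=1);

// Added example, not code from any poster in this thread. Assumed fields:
// name, email, subject (header-bound) and message (the mail() body).

// Header-bound fields: a CR, LF or NUL is what turns one header value into
// several header lines, so refuse those bytes outright instead of stripping.
function isSafeHeaderValue(string $value, int $maxLen = 200): bool
{
    if ($value === '' || !mb_check_encoding($value, 'UTF-8')) {
        return false;
    }
    if (mb_strlen($value, 'UTF-8') > $maxLen) {
        return false;
    }
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Body field: newlines, umlauts and other non-ASCII text are legitimate here,
// so only enforce valid UTF-8, a length range, and the absence of control
// characters other than tab, CR and LF. [^\P{Cc}\t\r\n] matches "a control
// character that is not one of those three"; /u makes the pattern UTF-8 aware.
function isValidMessageBody(string $value, int $minLen = 5, int $maxLen = 1000): bool
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        return false;
    }
    $len = mb_strlen($value, 'UTF-8');
    if ($len < $minLen || $len > $maxLen) {
        return false;
    }
    return preg_match('/[^\P{Cc}\t\r\n]/u', $value) === 0;
}

// mail() wants CRLF line endings and lines of at most 70 characters in the
// message, so normalise whatever the browser sent (\r\n, \r or \n) and wrap
// at spaces only, leaving long tokens such as URLs intact.
function normalizeBody(string $body): string
{
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $body);
    return wordwrap($body, 70, "\r\n", false);
}

// Validate a submission; returns [names of failing fields, cleaned fields].
function validateContactForm(array $post): array
{
    $errors = [];
    $fields = [];

    foreach (['name', 'subject'] as $name) {
        $value = trim((string) ($post[$name] ?? ''));
        if (!isSafeHeaderValue($value)) {
            $errors[] = $name;
        }
        $fields[$name] = $value;
    }

    $email = filter_var(trim((string) ($post['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false || !isSafeHeaderValue($email)) {
        $errors[] = 'email';
    }
    $fields['email'] = $email === false ? '' : $email;

    $message = (string) ($post['message'] ?? '');
    if (!isValidMessageBody($message)) {
        $errors[] = 'message';
    }
    $fields['message'] = $message;

    return [$errors, $fields];
}

// Assemble the mail() arguments from validated fields. Visitor text is only
// ever placed in $message; headers come from fixed keys, and the visitor's
// address goes in Reply-To rather than From. Addresses are placeholders.
function buildMail(array $fields, string $to): array
{
    $headers = [
        'From'         => 'contact-form@example.com',
        'Reply-To'     => $fields['email'],
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    // Non-ASCII subjects additionally need RFC 2047 encoding (mb_encode_mimeheader).
    $subject = '[Contact form] ' . $fields['subject'];
    $message = "Message from {$fields['name']} <{$fields['email']}>:\r\n\r\n"
             . normalizeBody($fields['message']);
    return [$to, $subject, $message, $headers];
}

// Constructed sample submissions (not real data).
[$errors, $fields] = validateContactForm([
    'name'    => 'Jürgen Müller',
    'email'   => 'juergen@example.org',
    'subject' => 'Frage zur Bestellung',
    'message' => "Hallo,\n\nzweiter Absatz mit Umlauten: äöü.\n\nGruß",
]);
if ($errors === []) {
    [$to, $subject, $message, $headers] = buildMail($fields, 'owner@example.com');
    // mail($to, $subject, $message, $headers);  // array headers need PHP >= 7.2
    echo $message;
}

[$errors] = validateContactForm([
    'name'    => "Bob\r\nBcc: someone@example.net",  // CR/LF in a header field
    'email'   => 'bob@example.org',
    'subject' => 'hi',
    'message' => 'x',                                // below the length minimum
]);
echo implode(', ', $errors), "\n";
```

The first submission passes with umlauts and blank lines intact; the second is rejected on the name field (line break in a header-bound value) and on the message field (too short), without the body ever needing a newline filter.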