Validation of text field
Posted: Tue Jul 29, 2008 4:44 am
by matthijs
What validation rules and/or regex would you use for validation of a text field in a contact form, used in the body of an email?
I've used the function below but it's a bit too restrictive (not allowing strange characters like umlaut etc).
Code:
function isValidString($value) {
    // Whitelist of allowed characters, 2 to 2000 of them; the /i flag makes the
    // a-z range case-insensitive. Accented letters such as umlauts are not in
    // the class, so any message containing them fails the check.
    $stringpattern = '/^[a-z0-9()\/\'":\*+|,.\t\n\r; \- !?&#$@]{2,2000}$/i';
    // preg_match() returns 1 on a match, 0 on no match and false on error.
    return preg_match($stringpattern, $value) === 1;
}
Maybe I should just use ctype_print?
Re: Validation of email text field
Posted: Tue Jul 29, 2008 4:57 am
by jaoudestudios
Try this...it does a regex check and pings the inbox to check to make sure the email account actually exists!
http://www.forum.jaoudestudios.com/view ... ?f=13&t=48
Re: Validation of text field
Posted: Tue Jul 29, 2008 5:39 am
by matthijs
Hi, thanks for your reply. Reading your answer I realize my subject title was not very clear. What I mean is that it's about a normal text field ("your message") in which all normal text characters should be allowed. The data of that text field is being used as the body of an email sent after successfully filling in the contact form.
I could of course limit the validation to only the length of the message (say 5 - 1000 characters), but I wondered if there's other validation I should do.
Re: Validation of text field
Posted: Wed Jul 30, 2008 4:53 am
by GeertDD
I wouldn't validate each and every character. You would have to use a huge character class in order not to block valid messages. Just check the length and if you are using the php mail() function watch out for a header injection.
Re: Validation of text field
Posted: Wed Jul 30, 2008 5:34 am
by jaoudestudios
If you need a php mail class that removes any header injection, here is a great one that I use...
http://www.forum.jaoudestudios.com/view ... ?f=13&t=13
Re: Validation of text field
Posted: Wed Jul 30, 2008 8:31 am
by matthijs
GeertDD wrote:I wouldn't validate each and every character. You would have to use a huge character class in order not to block valid messages. Just check the length and if you are using the php mail() function watch out for a header injection.
Ok, thanks. I might just keep it at a length check then. The text from the message field is used in the body of the mail (using the mail() function) so no email header injection there as far as I know.
Re: Validation of text field
Posted: Wed Jul 30, 2008 9:37 am
by jaoudestudios
I think headers can still be injected.
Re: Validation of text field
Posted: Thu Jul 31, 2008 3:11 pm
by matthijs
jaoudestudios wrote:I think headers can still be injected.
In the body of the mail() function? Are you sure?
Re: Validation of text field
Posted: Thu Jul 31, 2008 4:02 pm
by omniuni
Really, an eMail is just a bunch of text, where the headers are a few lines at the top of the mail that give it special information. If you put the right context in an eMail, especially if it's a text eMail, you can fool an eMail client into doing something other than what the form was intended for.
Re: Validation of text field
Posted: Fri Aug 01, 2008 3:56 am
by matthijs
You guys have to show some concrete examples. I've dealt with the whole email injection issue some time ago so am aware of the problem. The securephp wiki had a good page about it, showing possible ways of injection. Unfortunately that page is down at the moment.
Can you guys show some code in which the body of the mail() function is exploited? And what regex/validation rule would you use then? Many of the filters that are shown to prevent the injection search for newlines. But in a text field used for the body of the mail function you don't want to strip or disallow newlines. I mean, if you would do that you wouldn't be able to format a normal email message using multiple paragraphs.
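The validation side of this question, as an added example that is not code from anyone in the thread: it assumes PHP 7 or later with the mbstring extension, keeps newlines in the message body and only bounds its length, and rejects line breaks in the fields that end up in mail() headers.

```php
<?php
// Added example (not from any poster): validation for a contact form whose
// "message" field becomes the body of a PHP mail() call. The body is only
// length-checked and keeps its newlines; fields that end up in headers
// (name, reply address, subject) must be single-line, since a CR or LF
// there is what makes header injection possible.

// Reject any value that would end up in a mail header if it contains CR/LF.
function isSingleLine(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Body: allow every character, including newlines and umlauts; bound its size.
// mb_strlen() counts characters rather than bytes (assumes mbstring is loaded).
function isValidBody(string $value, int $min = 5, int $max = 1000): bool
{
    $len = mb_strlen($value, 'UTF-8');
    return $len >= $min && $len <= $max;
}

// Returns a list of error messages; an empty list means the form is acceptable.
function validateContactForm(array $form): array
{
    $errors  = [];
    $name    = trim($form['name'] ?? '');
    $email   = trim($form['email'] ?? '');
    $subject = trim($form['subject'] ?? '');
    $message = $form['message'] ?? '';
    if ($name === '' || !isSingleLine($name)) {
        $errors[] = 'Name must be a single non-empty line.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || !isSingleLine($email)) {
        $errors[] = 'Reply address is not a valid single-line email address.';
    }
    if (!isSingleLine($subject)) {
        $errors[] = 'Subject must not contain line breaks.';
    }
    if (!isValidBody($message)) {
        $errors[] = 'Message must be between 5 and 1000 characters.';
    }
    return $errors;
}

// Constructed sample input: a multi-paragraph message with an umlaut is
// accepted, while a line break inside the email field is rejected.
$ok  = validateContactForm(['name' => 'Jürgen', 'email' => 'j@example.com',
                            'subject' => 'Hello', 'message' => "Hi,\n\nZwei Absätze.\n"]);
$bad = validateContactForm(['name' => 'Jürgen', 'email' => "j@example.com\nsecond line",
                            'subject' => 'Hello', 'message' => "Hi there"]);
var_dump($ok === [], $bad !== []);
```

The body itself is handed to mail() as its message argument only; the single-line fields are the ones you interpolate into the subject and additional-headers arguments, so they are the ones that need the CR/LF check.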