tags:

views:

40

answers:

2
+1  Q: 

Concerns regarding potential Regex misuse?

Hi,

I have the following regex: ^[a-zA-Z](.*)[a-zA-Z]$ on both the Javascript and PHP side that I have been using for validating a person's name and message fields on a contact form (no database interaction). It basically ensures that the first and last character in the field are alphabets, and allows anything else in-between.

My concerns are:

  1. For this type of functionality, should I be bothered with trying to validate a person's name or message? The only thing I am validating or rather protecting against is any malicious input.
  2. I'm unsure what type of attacks I could leave my site open to, if the only thing I do is check that the fields aren't empty.

Are these valid concerns? If I start catering for all types of Name and Message scenarios, I'm going to end up with a very long expression that will become too difficult to maintain...So is it really worth it, or is there a bare-minimum regex that I should use for these 2 fields to protect against malicious attacks/scripting?

(PS - I've just been reminded by one of my co-workers about names beginning with an " ! ")

THANK YOU!!

+2  A: 

Now someone named Dieter Voß can’t use your contact form anymore. That’s bad.

If you don’t have any database interaction and the data is sent to someone via e-mail or the like (as opposed to being displayed publicly on the web), then there’s not much of an security concern to protect yourself against. I’d recommend simply doing no check at all. (Except maybe whether the fields are empty.)

Disclaimer: Without knowing about the rest of the code, any statements about possible security implications can possibly be wrong.

Scytale  2010-08-11 23:06:25
I would at least run it through `htmlentities` even if it's not going in the database. Sending it through email could introduce a XSS vulnerability against a user with __administrator__ access.
aaronasterling  2010-08-11 23:12:26
Using htmlentities() when sending a plain-text mail is not improving anything. When talking about HTML mails you’re right, of course.Speaking of sending a mail, even in plain-text messages you should probably use a tested library like PHPMailer (which has a neat “lite” version) instead of simply calling mail() or the like.
Scytale  2010-08-11 23:19:09
@aaronasterling, That's just proper escaping (just like with escaping SQL). Of course he'd do it. (Right?)
strager  2010-08-11 23:19:43
thanx guys! I'm using the PHP PEAR Mail class (http://pear.php.net/Mail/) which allows me to send the same email out as both text and HTML. So yeah, will definitely be looking into `htmlentities()` over `htmlspecialchars()`
Shalan  2010-08-11 23:45:19
+2  A: 
  1. For this type of functionality, should I be bothered with trying to validate a person's name or message? The only thing I am validating or rather protecting against is any malicious input.

Protecting against malicious input is different to validating that a person's name is indeed a person's name. Because people's names can be so varied (containing all sorts of characters) it may be better just to ensure that this has at least one non-whitespace character in it and be done with it. Some people have only one name, and some people have a surname that is only one letter.

  1. I'm unsure what type of attacks I could leave my site open to, if the only thing I do is check that the fields aren't empty.

Protecting against malicious input is a different problem, and it involves for example filtering the entry before it is entered into the database, but this is (probably) a job for your database abstraction or framework.

You will also have to ensure that whenever you output such data as part of an HTML page, that you use htmlspecialchars() on it. This protects against cross-site scripting (inclusion of HTML tags in what should be plain text). This is (probably) a job for your template system or view layer.

thomasrutter  2010-08-11 23:16:12
+1 thanx thomas! I agree with you on the part#1 feedback - its pointless trying to develop the holy grail of pronoun-regular-expressions. Regarding your feedback to part#2, no database CRUD ops taking place, and this is a plain an simple XHTML site (coded from scratch) that uses jquery ajax methods to post form fields to a PHP processor page, that in turn echos back a JSON response that I show on the client side. Do I still need to cater for 'htmlspecialchars()'?
Shalan  2010-08-11 23:26:49
@Shalan, Whenever you're putting non-HTML data into an HTML document or fragment, use `htmlspecialchars`. Similarly with `mysqli_real_escape_quotes`, `json_encode`, etc.
strager  2010-08-11 23:29:12

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases