Check for a set of strings in a string - pregmatch ? if so how


Richard Townsend-Rose

Apr 12, 2015, 8:19:55 AM
Hi

for years we checked against injection using

if (eregi( "(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|
(Content-Type)|(Content-Transfer)|(Content-Disposition)|
(boundary=)|(Return-Path)", $var ) )

i.e. we want to know if the string 0x0D and any of the other strings exist in $var. so () meant the boundary of the string, and the | character divided the given strings into an array .... i think

nowhere can i find a decent meaning of what the word "pattern" means. nor in the manual can i find anything about delimiters

can preg_match be used ... if so how ?

thanks

richard t-r

Christoph M. Becker

Apr 12, 2015, 8:59:47 AM
Richard Townsend-Rose:

> for years we checked against injection using
>
> if (eregi( "(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|
> (Content-Type)|(Content-Transfer)|(Content-Disposition)|
> (boundary=)|(Return-Path)", $var ) )
>
> i.e. we want to know if the string 0x0D and any of the other strings exist in $var. so () meant the boundary of the string, and the | character divided the given strings into an array .... i think
>
> nowhere can i find a decent meaning of what the word "pattern" means. nor in the manual can i find anything about delimiters

The introduction of the POSIX Regex extension[1] links to the regex man
page[2] where the pattern syntax is explained.

> can preg_match be used ... if so how ?

Yes, preg_match can be used. The syntax of PCRE patterns[3] is
explained in the PHP manual.

Note that there is the Filter extension[4], which is useful for input
validation and sanitizing.

[1] <http://php.net/manual/en/intro.regex.php>
[2] <http://www.tin.org/bin/man.cgi?section=7&topic=regex>
[3] <http://php.net/manual/en/pcre.pattern.php>
[4] <http://php.net/manual/en/book.filter.php>

--
Christoph M. Becker

Richard Townsend-Rose

Apr 12, 2015, 9:21:56 AM
Christopher ....

read all that stuff .... but still none the wiser .... as to the syntax needed. i have been writing code in ca-visual objects for 25 years, but i simply cannot fathom what is meant.

could you kindly give me a one line of syntax for preg_match, and how i interpret the result if it does not return true or false [1 or 0].

all i want to know is "are any of these strings in my variable?"

richard

Richard Yates

Apr 12, 2015, 10:06:39 AM
On Sun, 12 Apr 2015 06:21:51 -0700 (PDT), Richard Townsend-Rose
<richard.to...@gmail.com> wrote:

>Christopher ....
>
>read all that stuff .... but still none the wiser .... as to the syntax needed. i have been writing code in ca-visual objects for 25 years, but i simply cannot fathom what is meant.
>
>could you kindly give me a one line of syntax for preg_match, and how i interpret the result if it does not return true or false [1 or 0].

Not sure what this means since it will always return either true or
false.

>all i want to know is "are any of these strings in my variable?"

$myvariable = "sddrte yhu 5u ertger y4 6 e ereter ";
$thesestrings = "/ssdfs|yhucxz| ertger/";
if (preg_match($thesestrings, $myvariable)) {
    echo 'match found';
} else {
    echo 'no match';
}
// The result is 1 (true) because it found the string: ' ertger'.

Richard Townsend-Rose

Apr 12, 2015, 11:28:50 AM
Richard

thanks a million

so simple

thanks

richard

Thomas 'PointedEars' Lahn

Apr 12, 2015, 12:40:24 PM
Christoph M. Becker wrote:

> Richard Townsend-Rose:
>> for years we checked against injection using
>>
>> if (eregi( "(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|
>> (Content-Type)|(Content-Transfer)|(Content-Disposition)|
>> (boundary=)|(Return-Path)", $var ) )
>>
>> i.e. we want to know if the string 0x0D and any of the other strings
>> exist in $var. so () meant the boundary of the string, and the |
>> character divided the given strings into an array .... i think
>>
>> nowhere can i find a decent meaning of what the word "pattern" means.
>> nor in the manual can i find anything about delimiters
>
> The introduction of the POSIX Regex extension[1] links to the regex man
> page[2] where the pattern syntax is explained.

JFTR: The ereg* set of functions, and the ERE-supporting functions in
general, are *deprecated*. This code needs to be rewritten if it is
to work with future PHP versions. Quoth the FM:

,-<http://php.net/eregi>
|
| *Warning* This function has been DEPRECATED as of PHP 5.3.0.
| Relying on this feature is highly discouraged.
|
| […]
| *Note:*
| As of PHP 5.3.0, the regex extension is deprecated in favor of the <PCRE
| extension>. Calling this function will issue an *E_DEPRECATED* notice. See
| the <list of differences> for help on converting to PCRE.
|
| *Tip*
| eregi() is deprecated as of PHP 5.3.0. <preg_match()> with the /i/
| (PCRE_CASELESS) modifier is the suggested alternative to this function.

>> can preg_match be used ... if so how ?
>
> Yes, preg_match can be used.

More like “*has* to be used instead”, except that …

> […] there is the Filter extension[4], which is useful for input
> validation and sanitizing. […]

But ISTM that the approach of using regular expressions or filters in PHP to
prevent e-mail injection is wrong in the first place. Using a well-tested
mailer like PHPMailer instead of the mail() function directly, installing
and configuring the Suhosin patch, using a *current* PHP version with
stricter configuration settings, or using stricter configuration settings
for the system mailer (e.g. sendmail) are the better alternatives. Those
can be combined, of course.

--
PointedEars
Zend Certified PHP Engineer
Twitter: @PointedEars2
Please do not cc me. / Bitte keine Kopien per E-Mail.

Jerry Stuckle

Apr 12, 2015, 4:32:10 PM
On 4/12/2015 12:38 PM, the pedantic troll Thomas 'Pointed Head' Lahn wrote:
> Christoph M. Becker wrote:
>
>> Richard Townsend-Rose:
>>> for years we checked against injection using
>>>
>>> if (eregi( "(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|
>>> (Content-Type)|(Content-Transfer)|(Content-Disposition)|
>>> (boundary=)|(Return-Path)", $var ) )
>>>
>>> i.e. we want to know if the string 0x0D and any of the other strings
>>> exist in $var. so () meant the boundary of the string, and the |
>>> character divided the given strings into an array .... i think
>>>
>>> nowhere can i find a decent meaning of what the word "pattern" means.
>>> nor in the manual can i find anything about delimiters
>>
>> The introduction of the POSIX Regex extension[1] links to the regex man
>> page[2] where the pattern syntax is explained.
>
> JFTR: The ereg* set of functions, and the ERE-supporting functions in
> general, are *deprecated*. This code needs to be rewritten if it is
> to work with future PHP versions. Quoth the FM:
>

Why do you think the OP was asking about how to do this with preg_xxx
functions?

Oh, I forgot - you can't understand what is written. You can only copy
and paste. But you insist on showing your ignorance anyway.

<snip a bunch of Pointed Head's usual crap>
>
> But ISTM that the approach of using regular expressions or filters in PHP to
> prevent e-mail injection is wrong in the first place. Using a well-tested
> mailer like PHPMailer instead of the mail() function directly, installing
> and configuring the Suhosin patch, using a *current* PHP version with
> stricter configuration settings, or using stricter configuration settings
> for the system mailer (e.g. sendmail) are the better alternatives. Those
> can be combined, of course.
>

You don't remember very well, do you?

Can you point to where you found such a stupid statement? Not saying
that PHPMailer is bad - but properly filtering the input (which can be
done with regex's, among other things) also works quite well.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstu...@attglobal.net
==================

Christoph M. Becker

Apr 12, 2015, 5:45:37 PM
Thomas 'PointedEars' Lahn wrote:

>> Richard Townsend-Rose:
>>> for years we checked against injection using
>>>
>>> if (eregi( "(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|
>>> (Content-Type)|(Content-Transfer)|(Content-Disposition)|
>>> (boundary=)|(Return-Path)", $var ) )
>
> But ISTM that the approach of using regular expressions or filters in PHP to
> prevent e-mail injection is wrong in the first place. Using a well-tested
> mailer like PHPMailer instead of the mail() function directly, installing
> and configuring the Suhosin patch, using a *current* PHP version with
> stricter configuration settings, or using stricter configuration settings
> for the system mailer (e.g. sendmail) are the better alternatives. Those
> can be combined, of course.

I agree that it is somewhat dangerous to rely solely on regular
expressions and filters to prevent all kinds of email injection attacks.

After having had a closer look at the regex given by Richard, it occurs
to me that the code doesn't prevent header injection in the general
case. If I'm not mistaken 0x0A doesn't match a newline, and %0A has
most likely already been decoded by PHP. The further special cases will
only prevent a few attacks.

--
Christoph M. Becker
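An added example, not code from the thread: the eregi() alternation from Richard's post rewritten as the delimited, /i-modified preg_match() call that Richard Yates and PointedEars point to, plus the literal CR/LF check that Christoph's observation implies. It assumes PHP 7.4 or later; the function names and sample inputs are constructed for the example.

```php
<?php
// Added example (not from the thread): the eregi() alternation from
// Richard's post rewritten for preg_match(), plus the check it was missing.

// The literal strings the original eregi() pattern looked for.
const HEADER_INJECTION_MARKERS = [
    '%0D', '%0A', '0x0A', '0x0D', 'MIME-Version', 'Content-Type',
    'Content-Transfer', 'Content-Disposition', 'boundary=', 'Return-Path',
];

// Build a delimited PCRE pattern: '/' is the delimiter preg_match() needs,
// preg_quote() escapes any metacharacter in the strings (including a '/'),
// '|' is alternation, and the /i modifier replaces eregi()'s case folding.
function buildMarkerPattern(array $markers): string
{
    $quoted = array_map(fn(string $m): string => preg_quote($m, '/'), $markers);
    return '/' . implode('|', $quoted) . '/i';
}

// True if any marker string occurs in $var. preg_match() returns 1 on a
// match, 0 on none, and false if the pattern is invalid, hence === 1.
function containsMarker(string $var): bool
{
    return preg_match(buildMarkerPattern(HEADER_INJECTION_MARKERS), $var) === 1;
}

// As Christoph notes, the marker list never matches a real line break:
// '0x0A' is four ASCII characters, and a '%0A' in a request has already
// been decoded to "\n" by the time it sits in $_GET/$_POST. A header can
// only be injected by a CR or LF, so test for the bytes themselves as well.
function looksLikeHeaderInjection(string $var): bool
{
    return containsMarker($var) || preg_match('/[\r\n]/', $var) === 1;
}

// Constructed sample inputs (hypothetical addresses) with the expected verdict.
$samples = [
    'alice@example.com'                           => false,
    'Alice <alice@example.com> mime-version: 1.0' => true,  // caught by /i
    "alice@example.com\r\nX-Injected: 1"          => true,  // only the CR/LF check sees this
    'alice@example.com 0x0A'                      => true,  // the literal text, as in the old check
];

foreach ($samples as $input => $expected) {
    $verdict = looksLikeHeaderInjection($input);
    printf("%-45s => %s\n", json_encode($input), $verdict ? 'reject' : 'ok');
    assert($verdict === $expected);
}
```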

Curtis Dyer

Apr 30, 2015, 7:18:30 PM
Richard Townsend-Rose wrote:

> Christopher ....
>
> read all that stuff .... but still none the wiser .... as to the
> syntax needed.

You should revisit the links Christoph provided. If you intend to
learn more about PCRE regular expressions in general, you should
search Google. I've found

<http://www.regular-expressions.info/>

useful in the past.

> i have been writing code in ca-visual objects for
> 25 years, but i simply cannot fathom what is meant.

You may want to start from the basics if you intend to learn regular
expressions. Again, try searching out tutorials dedicated to
covering regular expressions.

However, as suggested elsethread, you may find it unnecessary to
rework your existing regular expression once you've tried an
existing, well tested, PHP mail library, and have learned more about
PHP security configuration.

> could you kindly give me a one line of syntax for preg_match,
> and how i interpret the result if it does not return true or
> false [1 or 0].

If you're interested in a PHP function: Google or remember:
<http://php.net/function_name>

Where ``function_name'' would be ``preg_match,'' in this case.

The PHP manual is filled with many helpful examples.

<snip>

--
Curtis Dyer
<?$x='<?$x=%c%s%c;printf($x,39,$x,39);?>';printf($x,39,$x,39);?>