Christoph M. Becker wrote:
> Richard Townsend-Rose:
>> for years we checked against injection using
>>
>> if (eregi( "(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|
>> (Content-Type)|(Content-Transfer)|(Content-Disposition)|
>> (boundary=)|(Return-Path)", $var ) )
>>
>> i.e. we want to know if the string 0x0D and any of the other strings
>> exist in $var. So () meant the boundary of the string, and the |
>> character divided the given strings into an array .... I think
>>
>> Nowhere can I find a decent explanation of what the word "pattern" means,
>> nor can I find anything in the manual about delimiters.
>
> The introduction of the POSIX Regex extension[1] links to the regex man
> page[2] where the pattern syntax is explained.
JFTR: The ereg* set of functions, and the ERE-supporting functions in
general, are *deprecated*. This code needs to be rewritten if it is
to work with future PHP versions. Quoth the FM:
,-<http://php.net/eregi>
|
| *Warning* This function has been DEPRECATED as of PHP 5.3.0.
| Relying on this feature is highly discouraged.
|
| […]
| *Note:*
| As of PHP 5.3.0, the regex extension is deprecated in favor of the <PCRE
| extension>. Calling this function will issue an *E_DEPRECATED* notice. See
| the <list of differences> for help on converting to PCRE.
|
| *Tip*
| eregi() is deprecated as of PHP 5.3.0. <preg_match()> with the /i/
| (PCRE_CASELESS) modifier is the suggested alternative to this function.
>> Can preg_match be used? If so, how?
>
> Yes, preg_match can be used.
More like “*has* to be used instead”, except that …
> […] there is the Filter extension[4], which is useful for input
> validation and sanitizing. […]
But ISTM that the approach of using regular expressions or filters in PHP to
prevent e-mail injection is wrong in the first place. Using a well-tested
mailer like PHPMailer instead of the mail() function directly, installing
and configuring the Suhosin patch, using a *current* PHP version with
stricter configuration settings, or using stricter configuration settings
for the system mailer (e.g. sendmail) are the better alternatives. Those
can be combined, of course.
--
PointedEars
Zend Certified PHP Engineer
Twitter: @PointedEars2
Please do not cc me. / Bitte keine Kopien per E-Mail.
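As an added example that is not code from the thread: the eregi() check quoted above rewritten as the preg_match() call the manual's tip points to, placed beside a stricter test for a real CR/LF in a header value. The function names and the sample inputs are mine.

```php
<?php
// Added example, not from the thread. Shows (1) the quoted eregi() pattern
// under PCRE and (2) why a header value should also be checked for the
// actual control characters rather than only for their textual encodings.

/**
 * PCRE equivalent of the quoted eregi() call: the pattern is wrapped in
 * '/' delimiters and eregi's case-insensitivity becomes the /i modifier.
 * preg_match() returns 1 (match), 0 (no match) or false (error), hence === 1.
 */
function looks_like_header_injection_legacy(string $var): bool
{
    $pattern = '/(%0D)|(%0A)|(0x0A)|(0x0D)|(MIME-Version)|'
             . '(Content-Type)|(Content-Transfer)|(Content-Disposition)|'
             . '(boundary=)|(Return-Path)/i';
    return preg_match($pattern, $var) === 1;
}

/**
 * Stricter check for a value that ends up in a mail header (To, Subject...).
 * What actually lets extra headers be appended is a real CR or LF byte; the
 * legacy pattern only matches the *text* "%0D" or "0x0D", so a value that has
 * already been URL-decoded by PHP passes it even though it contains "\n".
 * NUL is rejected as well because it can truncate the value downstream.
 */
function is_safe_header_value(string $var): bool
{
    return preg_match('/[\r\n\0]/', $var) !== 1;
}

// Constructed sample inputs (not real traffic).
$samples = [
    'alice@example.com',                          // clean address
    "alice@example.com\r\nX-Extra: header",       // real CRLF, decoded
    'alice@example.com%0AX-Extra: header',        // literal "%0A" text, undecoded
];
foreach ($samples as $s) {
    printf("%-48s legacy=%-5s strict=%s\n", json_encode($s),
        looks_like_header_injection_legacy($s) ? 'match' : 'no',
        is_safe_header_value($s) ? 'safe' : 'unsafe');
}
```

Running it shows the second sample slipping past the legacy pattern but being rejected by the strict check, while the third is caught by the legacy pattern only because it is still URL-encoded text.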