如何使用正则表达式在javascript中验证PHP电子邮件注入的电子邮件地址?
[英]How to validate an e-mail address against php e-mail injection in javascript using regex?
问题描述
I want to avoid the occurrence of an % sign in the e-mail adress. 
我想避免在电子邮件地址中出现%符号。
So the user does not add additional headers to the e-mail. 因此,用户不会向电子邮件添加其他标头。
However I am totally overwhelmed with regex and cannot find the solution. 但是我对正则表达式完全不知所措,无法找到解决方案。
So far I have 到目前为止我有
/[%]+/
But in my whole code this does validate an e-mail adress like
test@example.com% as true.
但在我的整个代码中,这确实验证了像
test@example.com%这样的电子邮件地址。
This was due to Firefox and Chrome having an internal e-mail check whan specifying type="email" for the input !!! 这是因为Firefox和Chrome有一个内部电子邮件检查,为input指定type="email" !
function validateEmail(sEmail) {
var filter = /^[a-z0-9]+([-._][a-z0-9]+)*@([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,4}$/;
filter2 = /^(?=.{1,64}@.{4,64}$)(?=.{6,100}$).*/;
filter3 = /[%]+/
if (filter.test(sEmail) && filter2.test(sEmail) && !filter3.test(sEmail)) {
return true;
} else {
return false;
}
}
Btw. 顺便说一句。 since I am totally unable to write this myself so far, I found two solutions, which I am not sure which one is better. 因为到目前为止我完全无法自己写这个,所以我找到了两个解决方案,我不确定哪个更好。 The upper one (1) or 2: 上面的一个(1)或2:
/^([\w-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([\w-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/
What do you think? 你怎么看?
2 个解决方案
解决方案1
2 2013-11-29 18:16:33
You shouldn't be using regular expressions to prevent against injection. 您不应该使用正则表达式来防止注入。 Instead use a prepared sql statement: 而是使用准备好的sql语句:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
解决方案2
1 2013-11-29 18:17:03
I wouldn't use regex unless you fully understand what a valid email address is. 除非您完全了解有效的电子邮件地址,否则我不会使用正则表达式。 Instead, you should parameterize all values so that even if malicious code is inserted, it'll just treat it as a string. 相反,您应该参数化所有值,以便即使插入恶意代码,它也只会将其视为字符串。 See OWASP: 见OWASP:
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
I see that you changed the question. 我看到你改变了问题。 You're actually interested in fixing PHP email header injection. 您实际上对修复PHP电子邮件头注入感兴趣。 This is considerably more complex than simply filtering out a single character in email addresses. 这比简单地过滤掉电子邮件地址中的单个字符要复杂得多。 You need to check to see if hackers/bots are trying to inject multipart/form data (especially newline/carriage returns which delimit header from body of a multipart message), manipulate form and session variables, and filter names and other fields (which shouldn't contain special characters). 您需要检查黑客/机器人是否正在尝试注入多部分/表单数据(尤其是换行/回车,它从多部分消息的主体分隔标题),操纵表单和会话变量,以及过滤名称和其他字段(不应该不包含特殊字符。
Email address filtering just isn't sufficient to prevent attacks. 电子邮件地址过滤不足以防止攻击。 The machine itself needs to be properly configured as well. 机器本身也需要正确配置。 Follow this guide to do what you can to secure against php injection (includes examples for filtering out newlines and for software configuration): http://static.askapache.com/pdf/xss-csrl-injection.pdf 按照本指南执行操作以防止php注入(包括过滤换行和软件配置的示例): http : //static.askapache.com/pdf/xss-csrl-injection.pdf
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.