Email Validation Broken; Accepts .cop as Valid

Question

mattyd 89 Posting Maven

10 Years Ago

I am working with a form validation script; I am testing it first and all seems to work fine except for the email validation.

This is a snippet of the script dealing with the email validation:

else if(! eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email ))
    {
        $_SESSION['reg']['email']="Please enter valid email address.";

For example, if a User enters the following in the email field, an error message is displayed, obviously: test1

If they enter test1@, an error is displayed.

If they enter test1@gmail.c an error is displayed.

But...

If they enter test1@gmail.co OR, for example, test1@gmail.cop it is validated as true - No error message displayed.

This makes absolutely no sense to me.

This is from that snippet, specifically handling User input of their email address

("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})

I am not familiar with the above at all and am not sure what to do to remedy this issue.

You can view and try this live if you wish: http://www.redlinedown.com/jQuery/registration/index.php

Thank you in advance for any help!

Matthew

php

4 Contributors
3 Replies
234 Views
2 Hours Discussion Span
Latest Post 10 Years Ago Latest Post by cereal

phorce 131 Posting Whiz in Training

10 Years Ago

I believe, from what I can see is that the validation requires a . followed by between two or three characters (\.[a-z]{2,3}) so email addresses like: test1@gmail.com would valid true, whereas email addresses containing a . with only one character, would throw up an error.

There are some pre-built functions: http://www.php.net/manual/en/filter.examples.validation.php which would filter this information for you.

Hope this answers your question, slightly.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

JorgeM 958 Problem Solver Team Colleague Featured Poster · Answer 1 · 2014-02-26T14:45:19+00:00

You validation rule is working as expected. As mentioned by phorce, this part of the rule (\.[a-z]{2,3}) indicates that a period is required and then 2 or three characters are required and the characters that are acceptable are from lowercase a-z. So an email address ending in gmail.co is definately acceptable. There are two and three letter top level domains out there so this rule seems appropriate to me. If you only want to allow certain top level domains then your rule would have to be modified to something like this (off the top of my head here...) \.(co|com|net|org|etc)

cereal 1,524 Nearly a Senior Poster Featured Poster · Answer 2 · 2014-02-26T15:04:15+00:00

In addition: the eregi() function is weak, an attacker can submit extra code by using a null byte character. For example:

<?php

    $email = $_GET['email'];

    if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email))
    {
        echo "<strong>$email</strong> is correct";
    }
    else
    {
        echo "<strong>$email</strong> is wrong";
    }

And submit these links:

# first
http://localhost/test.php?email=my@mail.co

# second
http://localhost/test.php?email=my@mail.co%20,another@mail.co

# third
http://localhost/test.php?email=my@mail.co%00,another@mail.co

The first will return true as expected, the second false as expected because we are trying to submit two mails at the same time, the third instead will return true and will allow to insert two emails instead of one.

More information:

http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection

Bye!