Re: preg_match to detect \r\n - doesn't work



Rik wrote:
Chuck Anderson wrote:
Rik wrote:
Chuck Anderson wrote:

If I enter "subject\r\n" in the text field and click "Send Mail" the
output is:

subject = subject\\r\\n
subject_match = 0

..... I don't get it?! Shouldn't that be a match?

The string '\r\n' != "\r\n"....

Okay, ... ... but I don't follow you. How does that apply?

Isn't that how someone would inject extra headers - by entering
\r\nbcc:.... (for instance)?

How do I detect that?

They are not typing \r\n in that case. The \r and \n are carriage
return/line feed characters. You probably cannot test this in your form, as
in a normal text input you cannot enter these characters (in a textarea you
can, BTW). They can send POST data to your server without using the form
though, which is how they're able to send these newline characters.

To test this, you can either go through a lot of trouble trying to post
this to your script, but I'd go for the easy approach, make a string with a
newline in it and test this directly:

$string = "foo\r\nbar";
//or
$string = 'foo
bar';

And then check whether this string passes or not. It's not worth your effort
to mimic an evil post :-)

Okay, thanks. I get it now. What baffled me was just that. If I tested by using:
$subject = "This is the Subject\r\n";
Then preg_match('`[\r\n]`',$_POST['subject']) matched. If it was POSTed from a text field in a form it would not.

The host I'm with actually uses Apache mod_security to disallow the string cc: to appear in *any* POST variable. But I want to make sure my scripts are secure regardless of that. (I also think that's a bit of annoying overkill.)

Thanks for shedding some light on that \r\n thing for me.

(I'm going to start another thread, but what got me going on this is that someone has started using my contact form to send spam to me - and me alone. I am tracking the usage of my script closely and I can see that they are not even trying to use it as an open emailer. But still, ..... it's a bit annoying.)

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
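A worked version of the check this thread circles around, as an added example that is not from either poster; the form values below are constructed to reproduce the three cases discussed (a literal backslash-r-backslash-n typed into a text field, a forged POST carrying real CR/LF bytes, and a textarea line break).

```php
<?php
// Added example (not from the thread): a header-field check for a contact form.
// Any real carriage return or line feed in a value destined for a mail header
// is what header injection relies on, so such values are rejected outright.
function header_value_is_clean(string $value): bool
{
    // preg_match() returns 1 on a match, 0 on no match, and false on error.
    // Comparing strictly against 0 treats an engine error as "not clean".
    return preg_match('/[\r\n]/', $value) === 0;
}

// 1. What a user types into a plain <input type="text">: the four literal
//    characters backslash, r, backslash, n. Single quotes keep them literal,
//    which is exactly why the original test showed no match.
$typed_in_text_field = 'subject\r\n';

// 2. What a forged POST body can carry (constructed value): real CR and LF
//    bytes. Double quotes turn \r and \n into the control characters, so this
//    mirrors the "\r\nbcc:" case mentioned in the thread.
$forged_post_value = "subject\r\nbcc: someone@example.com";

// 3. A textarea submission: the browser itself sends the line break, so the
//    source literal contains a real newline even inside single quotes.
$textarea_value = 'line one
line two';

// Run the check over each case and show the bytes actually present, so the
// difference between '\r\n' and "\r\n" is visible rather than inferred.
foreach (['text field' => $typed_in_text_field,
          'forged POST' => $forged_post_value,
          'textarea'    => $textarea_value] as $label => $value) {
    printf("%-12s hex=%s clean=%s\n",
        $label,
        bin2hex($value),
        header_value_is_clean($value) ? 'yes' : 'no');
}
```

In the hex column a literal backslash shows up as 0x5c, whereas a real CR/LF pair is 0x0d 0x0a; only the latter is what the regex is meant to catch.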


