#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    39
    Rep Power
    0

    String validation


    Ok, how can I use str_replace to do the following.

    First of all, I am going to pass a string in a random value, for example the url will pass:
    Code:
    something=nothing&Mns=myemail@domain.comPf
    The "Mns" may change (I will make sure the code changes too) and the "Pf" after the domain may change (again I will make sure the code changes).

    What I need to do is check if the Pf part of the string is at the end of the value of $_REQUEST['Mns'] and that the string before it 'myemail@domain.com' is a valid email address syntax (maybe even going as far as checking the domain name is valid).
    I am sure str_replace cannot check if the email is valid, so if you know of a way to do that, I would be very appreciative.


    I have been playing with this but to no avail.
    Can you tell me how to do this?
    I can do it easily in Perl, but am too PHP challenged to pull it off in PHP.

    Thank you in advance for any help you can be.
    Rich
  2. #2
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    39
    Rep Power
    0

    maybe...


    Ok, maybe I am going at it all wrong, maybe it has nothing to do with str_replace...

    Just thinking out loud, sorry.
    Rich
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    39
    Rep Power
    0
    Ok, I think preg_match may be the way to validate the end of the string contains the data I want it to have, but now I need to know how to remove it from the string and check the rest of it for a valid email address to make sure it came from an email I sent them and was not from an unauthorized source.

    Can you let me know how to do it?
    Thank you.
    Rich
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    Hi,

    why do you use this weird approach with the email address glued together with "something"? Why don't you put the "something" into its own parameter? That would make things much easier.

    Also note that PHP has a filter function built-in (with support for checking email addresses):

    http://php.net/manual/en/function.filter-var.php
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  8. #5
  9. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    You can use substr to separate the email address and the ending thingy, provided the length of the ending thing is always the same.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    39
    Rep Power
    0
    Originally Posted by E-Oreo
    You can use substr to separate the email address and the ending thingy, provided the length of the ending thing is always the same.

    Ok, I went and read the whole thread on substr...

    I don't see how to get everything except the last two characters...

    email addresses are unique, some are short, some are long.
    so I don't know the length of it.

    I suppose I could do it the long way, get the length, then get everything from 0 to length-2...
    but is there an easier way?

    thx,
    Richard

    BTW, I am doing it like this because I am going to change it up for security. This is something one script creates and then another reads, so this way, if someone tries to just steal something and they access it, they won't know what that page is looking for. I know anyone willing to spend time on it, will figure it out, I am just trying to stop the majority of common people from seeing they can pass a link around.
    If they pass it around with their email address in it, then I will know who passed it around. So the email address is sort of like a key, the characters on the end of the email address tell me something about the email address, so if they change the email and the two characters are the same, it may or may not match. If it does not match, then I know they do not have permission to access the page.

    I am working on making it completely different, this is just a temporary fix while I work on the bigger solution.

    Thanks again.
  12. #7
  13. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    Simply generate a random key and pass it via a URL parameter. If it's long enough (and truly random), this is a pretty secure approach -- but not as secure as a fully-featured login system, of course.

    Using the email address doesn't add a lot of security, and it's kind of problematic to send the email address around with every request.
  14. #8
  15. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    39
    Rep Power
    0
    Originally Posted by Jacques1
    Simply generate a random key and pass it via a URL parameter. If it's long enough (and truly random), this is a pretty secure approach -- but not as secure as a fully-featured login system, of course.

    Using the email address doesn't add a lot of security, and it's kind of problematic to send the email address around with every request.

    If the user uses it only for themselves, then it is fine.
    That is what I want. I just don't want them emailing the link around to others.

    Richard
  16. #9
  17. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    I understand what you're trying to do. The random key does exactly that, but it's more secure and less problematic with regard to privacy than using the email address + 2 random characters.

    The only reason why the email address might make sense is purely psychological: Seeing your address in the link is kind of more impressive than an abstract key, so users with little technical knowledge might be more hesitant with sharing the link. But technically, a key identifies a user just as well as the email address.
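The random key suggested in the posts above, as an added example that is not code from any poster in this thread: a key from a cryptographically secure generator is put in the link, and the server maps it back to the recipient, which also shows whose link was passed around. The function names, the in-memory array standing in for a database table, and the example.com URL are assumptions.

```php
<?php
// Added example: function names and the array store are hypothetical.

/** Create a 128-bit random key for a recipient and remember who it belongs to. */
function issue_access_key(array &$store, string $email): string
{
    $key = bin2hex(random_bytes(16)); // CSPRNG output as 32 hex characters
    // Keep only a hash so that a leaked table does not reveal usable keys.
    $store[hash('sha256', $key)] = $email;
    return $key;
}

/** Return the email the key was issued to, or null if the key is unknown. */
function lookup_access_key(array $store, $key): ?string
{
    // Reject arrays (key[]=x) and anything that is not exactly 32 hex characters.
    if (!is_string($key) || !preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return null;
    }
    return $store[hash('sha256', $key)] ?? null;
}

// Constructed demo: $store stands in for a database table.
$store = [];
$key   = issue_access_key($store, 'myemail@domain.com');
$link  = 'https://example.com/members.php?key=' . urlencode($key);

echo $link, PHP_EOL;
var_dump(lookup_access_key($store, $key));                // the key issued above
var_dump(lookup_access_key($store, str_repeat('0', 32))); // a key that was never issued
var_dump(lookup_access_key($store, ['x']));               // array input is refused
```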
  18. #10
  19. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2004
    Posts
    39
    Rep Power
    0
    Originally Posted by Jacques1
    I understand what you're trying to do. The random key does exactly that, but it's more secure and less problematic with regard to privacy than using the email address + 2 random characters.

    The only reason why the email address might make sense is purely psychological: Seeing your address in the link is kind of more impressive than an abstract key, so users with little technical knowledge might be more hesitant with sharing the link. But technically, a key identifies a user just as well as the email address.

    That makes sense, but the problem is that the email that goes out with access is done by Send Pepper, so I cannot control the programming to create a key that my webpage can access. I can only create the key behind the email address for now.

    I am working on an upgrade that will auto-create the membership site to give them access automatically.

    Anyhow, can you tell me how to get the email from the value with the two extra characters?
    thx
    Richard
  20. #11
  21. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    Originally Posted by ukndoit
    Anyhow, can you tell me how to get the email from the value with the two extra characters?

    substr() with a negative length. The manual even has an example for that:
    http://php.net/manual/en/function.su...p#example-4738
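The split and validation discussed in this thread, as an added example that is not code from any poster: substr() with a negative length separates the trailing two characters, and filter_var() checks the email syntax. The function name split_tagged_email(), the fixed tag length of 2, the optional MX lookup, and the sample values are assumptions.

```php
<?php
// Added example: split_tagged_email() and TAG_LENGTH are hypothetical names.
const TAG_LENGTH = 2; // assumption: the trailing marker is always two characters

/**
 * Split "email + tag", check the tag, and validate the email syntax.
 * Returns the email address, or null if anything about the value is wrong.
 */
function split_tagged_email($raw, string $expectedTag, bool $checkDns = false): ?string
{
    // A request parameter can arrive as an array (Mns[]=x); accept strings only.
    if (!is_string($raw) || strlen($raw) <= TAG_LENGTH) {
        return null;
    }

    $tag   = substr($raw, -TAG_LENGTH);    // the last two characters
    $email = substr($raw, 0, -TAG_LENGTH); // negative length: all but the last two

    if ($tag !== $expectedTag) {
        return null;
    }
    // filter_var() returns the address on success and false on failure.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Optional: require an MX record for the domain (needs network access).
    if ($checkDns) {
        $domain = substr($email, strrpos($email, '@') + 1);
        if (!checkdnsrr($domain, 'MX')) {
            return null;
        }
    }
    return $email;
}

// Constructed inputs standing in for $_GET['Mns'].
$samples = ['myemail@domain.comPf', 'myemail@domain.comXx', 'not-an-emailPf', 'Pf', ['Pf']];
foreach ($samples as $sample) {
    $email = split_tagged_email($sample, 'Pf');
    echo json_encode($sample), ' => ', $email ?? 'rejected', PHP_EOL;
}
```

Passing this check only shows the value is well-formed and carries the expected suffix; as noted in the thread, it does not make the link hard to guess.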
