Bytes | Software Development & Data Engineering Community

email validation: just enough to prevent sql injection

Hello everyone,

I've read enough about email validation to know that the only real
validation is having a user respond to a confirmation message you've
sent them. However, I want to store the address temporarily, so I want
to make sure what is entered is safe to work with. I have a basic
understanding of regexps, so I could write one that checks for a simple
format like: something followed by @ followed by something followed by
. followed by something. I can also make a good guess at understanding
the regexps I come across in validation schemes people have posted.
However, each scheme that is posted seems to get criticized for
invalidating some esoteric, but valid, addresses.

I'm wondering if there is a minimum validation you can do that will
prevent basic attacks like sql injection attacks. For example, if I
weed out anything with single and double quotes, and semicolons, am I
barring some people unnecessarily? Seems like you'd be trying to mess
with people by putting a semicolon in your email address.

I know there are other steps to take in preventing attacks. Every
layer helps, though, so I'd like to do some reasonable email validation.

Oct 28 '06 #1
e_*******@hotmail.com wrote:
> Hello everyone,
>
> I've read enough about email validation to know that the only real
> validation is having a user respond to a confirmation message you've
> sent them. However, I want to store the address temporarily, so I want
> to make sure what is entered is safe to work with. I have a basic
> understanding of regexps, so I could write one that checks for a simple
> format like: something followed by @ followed by something followed by
> . followed by something. I can also make a good guess at understanding
> the regexps I come across in validation schemes people have posted.
> However, each scheme that is posted seems to get criticized for
> invalidating some esoteric, but valid, addresses.
>
> I'm wondering if there is a minimum validation you can do that will
> prevent basic attacks like sql injection attacks. For example, if I
> weed out anything with single and double quotes, and semicolons, am I
> barring some people unnecessarily? Seems like you'd be trying to mess
> with people by putting a semicolon in your email address.
>
> I know there are other steps to take in preventing attacks. Every
> layer helps, though, so I'd like to do some reasonable email validation.
You can do this validation in JavaScript but a hacker will know how to
turn JavaScript off or otherwise send data to your server. No matter
what test you decide on, you will have to repeat this test on the
server.

Peter

Oct 28 '06 #2
Lee
e_*******@hotmail.com said:
> I'm wondering if there is a minimum validation you can do that will
> prevent basic attacks like sql injection attacks. For example, if I
> weed out anything with single and double quotes, and semicolons, am I
> barring some people unnecessarily? Seems like you'd be trying to mess
> with people by putting a semicolon in your email address.
>
> I know there are other steps to take in preventing attacks. Every
> layer helps, though, so I'd like to do some reasonable email validation.
"Every layer helps" sounds good, but isn't really true.
Testing for the same violation twice doesn't make you more likely
to catch it. Client-side validation adds nothing at all to
protect you if you also have server-side validation in place.

The only valid purpose for client-side validation is for the
convenience of the user, to let them know immediately if they've
accidentally entered bad data. Having them enter their address
twice is probably good enough for that. If they mistype it wrong
twice, let them wait to find out about their mistake from your
server-side code.

Consider also that the malicious user can look at your client-side
code to see what you have, and have not, thought of, increasing his
chances of defeating your server-side validation.
--

Oct 28 '06 #3
e_*******@hotmail.com wrote:
> I know there are other steps to take in preventing attacks. Every
> layer helps, though, so I'd like to do some reasonable email validation.
Your best bet is to do simple validation on the client-side.

For example, you could limit it to 64 characters. Require that there
is an @ sign.

Then, on the server side, use prepared statements to store the email
address, as that will help protect against sql injection.

If you want to be more paranoid, on the server-side, just randomly
generate a number. Append that to the start of the email address, then
do XOR on the rest of the string, where the first letter (randomly
generated) is XORd with the second, the second with the third, and so
on.

This would help change the string enough to where the attack would
fail, as the hacker has no idea what you use on the server for the XOR.

Good luck. :)

Oct 28 '06 #4
Thank you! That clarifies my thinking about client-side validation. I
appreciate it.

Eric

Oct 29 '06 #5
e_*******@hotmail.com wrote:
> I've read enough about email validation to know that the only real
> validation is having a user respond to a confirmation message you've
> sent them.
Yes. A syntactically valid address may not exist.
> However, I want to store the address temporarily, so I want to make
> sure what is entered is safe to work with.
How does validation help with that? A valid e-mail address that, if used
as-is, may play havoc with a SQL statement is still valid. What would
you tell the user? "Sorry, but your e-mail address would break my
database?" That's hardly reasonable.

What you need to focus on is making a valid address safe, not limiting
what is considered valid. The address will be included in SQL statements
as a quoted literal, yes? So, only other quotes should cause problems
and these can be escaped (two consecutive quotes, or a preceding
backslash, depending on DBMS).

The API for your database client library should include a function that
will escape input such that it won't interfere with an SQL statement.
Some query functions may avoid SQL injection by separating parameters
from the SQL statement itself, thereby preventing values from altering
the structure of that statement. The documentation for your DBMS will
provide more information.

[snip]

Mike
Oct 29 '06 #6
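To put the advice from #4 (use prepared statements) and #6 (escape the quotes, or better, keep the value out of the statement text) side by side, here is an added example written for this page in Python with the standard sqlite3 module. It is not code from the thread or from any poster. The `pending` table, the three stored addresses, the hostile string, and the 254-character cap are all constructed for the demonstration; the `looks_like_email` shape check stands in for the server-side repeat of the client-side test that #2 calls for.

```python
import re
import sqlite3

# Cheap shape check: something, "@", something, ".", something, no whitespace.
# This is only the "is it even an address" test the thread talks about; it is
# run on the server because the client-side copy can be bypassed.
# The 254-character cap is this example's own assumption.
_SHAPE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def looks_like_email(address: str, max_len: int = 254) -> bool:
    """Return True if the string has the minimal user@host.tld shape."""
    return len(address) <= max_len and _SHAPE.fullmatch(address) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of not-yet-confirmed addresses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pending (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO pending (email) VALUES (?)",
        [("alice@example.com",), ("bob@example.org",), ("o'leary@example.net",)],
    )
    conn.commit()
    return conn


def find_concatenated(conn: sqlite3.Connection, address: str) -> list:
    """Vulnerable: the address is pasted into the SQL text as a quoted literal."""
    sql = "SELECT email FROM pending WHERE email = '" + address + "'"
    return [row[0] for row in conn.execute(sql)]


def find_escaped(conn: sqlite3.Connection, address: str) -> list:
    """The escaping approach from #6: double each single quote so it stays inside
    the literal (the SQLite / standard SQL rule; other DBMSs may differ)."""
    sql = "SELECT email FROM pending WHERE email = '" + address.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn: sqlite3.Connection, address: str) -> list:
    """Prepared statement: the driver binds the value; it never becomes SQL text."""
    cur = conn.execute("SELECT email FROM pending WHERE email = ?", (address,))
    return [row[0] for row in cur]


def demo() -> dict:
    """Run one legitimate and one hostile address through all three lookups."""
    conn = make_db()
    legit = "o'leary@example.net"          # valid address that contains a quote
    attack = "x@example.com'OR'1'='1"      # constructed: no whitespace, so it passes the shape check
    results = {
        "shape_legit": looks_like_email(legit),
        "shape_attack": looks_like_email(attack),
        "concat_attack": find_concatenated(conn, attack),   # every row comes back
        "escaped_attack": find_escaped(conn, attack),       # no match
        "param_attack": find_parameterized(conn, attack),   # no match
        "escaped_legit": find_escaped(conn, legit),
        "param_legit": find_parameterized(conn, legit),
    }
    try:
        results["concat_legit"] = find_concatenated(conn, legit)
    except sqlite3.OperationalError as exc:
        # The honest O'Leary breaks the hand-built statement: exactly the
        # "your address would break my database" situation #6 describes.
        results["concat_legit"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

Two things worth noticing when running it: the shape check passes the hostile string, so the syntactic test was never the control against injection, and doubling quotes only works for the one context Mike names (a single-quoted literal, using the escaping rule of that particular DBMS), whereas the bound parameter needs no knowledge of where in the statement the value lands.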
e_*******@hotmail.com wrote:
> Thank you! That clarifies my thinking about client-side validation. I
> appreciate it.
>
> Eric
You can totally avoid SQL injection by using a PreparedStatement

(If you have the advantage of being able to use Java and JDBC)
Oct 29 '06 #7
I have read about prepared statements and escaping input, but have not
done that coding yet. I'll ask in the appropriate groups if I have
questions when I get to that point. Thanks again everyone, this really
helps to clarify what I should and should not be doing client-side.

Eric

Oct 29 '06 #8


