for security reasons i want the users on my website not to be able to register a username that resembles their email adress. Someone with email adress user#domain.com cant register as user or us.er, etc
For example i want this not to be possible:
tester -> tester#mydomain.com (wrong)
tes.ter -> tester#mydomain.com (wrong)
etc.
But i do want to be able to use the following:
tester6 -> tester#mydomain.com (good)
etc.
//edit
tester6 is wrong too. i ment user6 -> tester#mydomain.com (good).
Does anyone have an idea how to achieve this, or something as close as possible. I am checking this in javascript, and after that on the server in php.
Ciao!
ps. Maybe there is some jquery plugin to do this, i can't find this so far. The downside tho of using a plugin for this, is that i have to implement the same in php. If it is a long plugin it will take some time to translate.
//Edit again
If i only check the part before the # they can still use userhotmailcom, or usergmail, etc. If they supply that there email is abvious.
Typically, I use the Levenshtein distance algorithm to check whether a password looks like a login.
PHP has a native levenshtein function and here is one written in JavaScript.
Something like this?
var charsRe = /[.+]/g; // Add your characters here
if (username.replace(charsRe, '') == email.split('#')[0].replace(charsRe, ''))
doError();
If all you want is to disallow user names that vary from the email address only with periods (.), you can remove periods from the user name and compare it with email address.
//I don't know php - translating this pseudo code won't be hard
$email = "someone#something.com"
$emailname = $email.substring(0, $email.indexOf('#'));
$uname = "som.e.on.e";
$uname = $uname.replace(/\./g, "");//regex matching a '.' globally
if($uname === $emailname)
showInvalidNameErrorMessage();
Modified regex to prevent hyphens and underscores /[\-._]/g
Well, I am a newbie PHP developer. But the answer I have in my mind is, wouldn't it be great if you just allow them to register only with their email address (which won't be shared with others) and then ask for their first name and last name separately and only show their first name within public contents (i.e. Blogs, etc). I am not an expert in programming and if I am wrong please correct me and still I couldn't understand what you by security for you. Sorry for the bad English, I am not a native English speaker.
Related
We have a website with restricted access (only for exclusive members) coded in PHP.
On the Contact page we have a bunch of mailto links, for example:
address#domain.com
If a visitor clicks on one of the links, it does the usual stuff (opens a new email in Thunderbird with the To: field correctly filled in).
The problem is when a visitor right-clicks on one of the links, selects "Copy email address" and then pastes it in the To: field or wherever (even in a document), in which case the result would be:
Name%20SURNAME%20%3Caddress#domain.com%3E
instead of
Name SURNAME <address#domain.com>
I've been searching for a solution for hours and already tried rawurlencode(), urlencode() and other possible tricks, with absolutely no effect.
Can some of you please help me?
Here is the PHP code that generates the link:
<?php echo ''.$email.''; ?>
//where $email is a valid email address
//and $name is plain text (usually two words with a space character between)
I believe you're trying to do something that simply cannot be done.
I understand the idea but... it's not a thing.
I found no docs saying that you can put a name and enclose the email address in <>.
https://developer.mozilla.org/.../a#Creating_an_email_link
https://developer.mozilla.org/.../Creating_hyperlinks#E-mail_links
IETF RFC6068
You can of course do:
address#domain.com
I found this : https://stackoverflow.com/a/25854290/3376036.
It seems it's actually not supported but it usually works
I'm making a website where im alowing my users (after that they are loged in) to Add a (car) advertisement!
I have a form where the user can submit his car information.(add-vehicle.php)
Now I want to display each new advertisement in my list-view. (car-list.php)
How can I do this?
Use urlencode /urldecode to pass variables in url's urlencode
I recommand to use urlencode('string')
and then later when get your variable with urldecode('string')
Response to your comment:
if (isset($_GET['merk'],$_GET['car_id'],$_GET['titel']) === true )
{
$merk = urldecode(trim ($_GET['merk']));
$car_id = urldecode(trim($_GET['car_id']));
$titel = urldecode(trim($_GET['titel']));
}
You're changing a space into a hyphen. If it is stored in the database as a space, it will never find it because "This Entry" is different from "This-Entry". As others said, urlencode will work better, but if you still want to replace the space with a hyphen, just make sure that it is done the same in the database as well.
First, nobody in this world will know what you have in your database to tell what's the problem! At least post an example data.
Second, you must be sure of what you have and what you are comparing to.
You are basically asking if a is equal to b and to be fair that's something that you should be able to tell if you're programming!
Third, you should implement a methodology that allows you to quickly test your code, and that's from printing your data to the browser to a fully automated test.
I want only college students to be able to sign up my website, but I couldn't figure out how to control that. I also want .edu.fr, edu.tr or other .edu extensions to be able to join my website not just .edu's. I was thinking about using some reg-ex but I couldn't find any solution. I would be glad if someone can help me?
Shouldn't be that important but I am using PHP with laravel framework.
Most educational institutions have domain names that follow these pattern:
uni.edu
uni.edu.fr
uni.ac.uk
The following regular expression covers all such cases:
/(\.edu(\.[a-z]+)?|\.ac\.[a-z]+)$/
You can add cases to the regex as needed. Check that the email is real by sending an automated email with a confirmation link.
Corresponding PHP:
if (preg_match('/(\.edu(\.[a-zA-Z]+)?|\.ac\.[a-zA-Z]+)$/i', $domain)) {
// allow
}
There's not a great way to do it, but one possible way might be to explode the address using the # symbol:
// Split the email address into 2 values of an array using the # symbol as delimiter.
$emailParts = explode('#', $theEmailAddress);
// If the second part (domain part) contains .edu, period, country code or just .edu, then allow signup.
if (preg_match('/\.edu\.[^.]+$/i', trim($emailParts[1])) || preg_match('/\.edu$/i', trim($emailParts[1]))) {
// Use the above if you are assuming that the country codes can be any number of characters. If you know for sure country codes are 2 chars, use this condition:
// (preg_match('/\.edu\.[^.]{2}$/i', trim($emailParts[1])) || preg_match('/\.edu$/i', trim($emailParts[1])))
// Allow signup
}
Of course, this does NOT guarantee that the domain or the email address is an existing one!
I am trying to validate an email field. I took this regex from somewhere on here for and I used it on another form I made and it works fine. Yet when I use it now its not matching.
All I am trying to do is to check the email and if it is good then log it in the proper field in the db.
For the sake of not pasting a bunch of stuff... I have stripped out the problem lines and going to pseudo code next few lines.
Essentially, vars are these:
$theEmail = $_post email from first page here
$regEx ='#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+#([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si';
and my php is this
//essentially other field validation will go here...for now testing only empty.
if(!empty($theEmail)){
if (preg_match($regEx, $formEmail)) {
//send it through to db.
} else { //error stuff here }
}
essentially, this never comes true. The email never validates no matter what I do and as I said I wrote another more complicated form that validates data just fine
Not sure what is going on.
I would suggest you to use filter_var instead.
if (filter_var($theEmail, FILTER_VALIDATE_EMAIL)) {
//send it through to db.
} else {
//error stuff here
}
/^[a-z0-9.!\#$%&\'*+-=?^_{|}~]+#([0-9.]+|([^\s]+\.+[a-z]{2,6}))$/
I removed the first # and ending #si, and took out the / from the = since it was giving me problems. This generates a match on my e-mail address here:
<?
$theEmail = 'me#davebel.com';
$regEx ='/^[a-z0-9.!\#$%&\'*+-=?^_`{|}~]+#([0-9.]+|([^\s]+\.+[a-z]{2,6}))$/';
print_r(preg_match($regEx, $theEmail));
?>
Though this regex is very complex for something like e-mail validation- I would recommend trying to refine it and fine-tune it before putting it into production.
With email validation there are simple solutions that catch 99 % of all mistakes and complex solutions that might catch a tenth of a percent more, yet be unreadable.
Go the easy route and just check for something like
.+#.+\..+
Yes, it will allow an email address like a#b.c but that's probably a smaller price to pay than a user who cannot register because your 500-character regex has a mistake in it somewhere, rejecting a valid address.
give this a try! hopefully it will resolve your query, although there are infinte regulare expressions for email
^[a-z0-9,!#\$%&'\*\+/=\?\^_`\{\|}~-]+(\.[a-z0-9,!#\$%&'\*\+/=\?\^_`\{\|}~-]+)*#[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,})$
For testing visit
Regular Expression Tester
I have a been reading up on email obfuscation.
I found an interesting post entitled Best Method for Email Obfuscation? - By Jeff Starr where he describes various tests preformed over 1.5 years by Silvan Mühlemann.
According to this study, css obfustication was 100% effective throughout the 1.5-year test, despite its various downsides.
Seeing as i was playing around with this method of obfustication before, i decided to give it another go, with the addition of a php function that i came accross.
Here is the function:
// Converts email and tel into html special characters
function convert_email_adr($email)
{
$pieces = str_split(trim($email));
$new_mail = '';
foreach ($pieces as $val)
{
$new_mail .= '&#'.ord($val).';';
}
return $new_mail;
}
And here is the php using that function.
$lstEmail = convert_email_adr("{$row['email']}");
This does exactly as described, and i would assume that this would work out quite well, assuming the harvesters have not written code that identifies the string of special chars and decodes them.
So i decided, what if i combined these two methods, as in, i break the string into special chars, then use strrev on it, then use css to reverse the string... Simple...
Here is the added peice of php that reverses the actual string as seen in the page source:
$lstEmail = strrev($lstEmail);
and the css to reverse it again on the client side:
span.obfuscate { unicode-bidi:bidi-override; direction: rtl; }
And the html:
<p><span class='listHeadings'>eMail:</span> <span class='obfuscate' style='font-size:0.6em;'><a href='mailto: $lstEmail?subject=Testing 123'>$lstEmail</a></span></p>
But the problem is that the string is now in reverse and will not be validated... Here is an example:
;901#&;111#&;99#&;64#&;801#&;501#&;79#&;901#&;301#&;46#&;411#&;101#&;001#&;011#&;111#&;611#&;011#&;79#&;811#&;301#&;501#&;79#&;411#&;99#&
What happens is that the special characters are not decoded into actual characters, so all you see is the string of special character in reverse.
There is also the downside as described by Jeff Starr, that you cannot use the css method in mailto as you cannot use the span tag within the href attribute.
So now i am truly stuck at an odds of how to go about this task. I guess i might be able to live with forcing people to input my email address themselves if they would like to mail me... But, on the other hand, i am not so sure about that.
Then there comes the task of validating special characters in reverse...
Would anyone be able to provide me with any type of input or support in this regard? Also any suggestions in different, LEGITIMATE ways of going about this task would be greatly appreciated!!
I say legitimate because i plan to use these functions in one of my live projects that is a business listing website (currently using the php function above)... The last thing i want to do is start playing around and create a gap and let out a bunch of info for the spammers! I think that would be very bad for business...
As webmaster I always put my email in plain text on the contact site. Its the most comfortable solution for the visitors and it works independent if css is supported or js.
I do this with several emails since 10 years .. yes I got some spam but not that much, about 3-5 a day. I've got a good spam filter and watch over the spam once a week and delete it.
I do not use mailto because a lot of people do not have configured a local email-program and do not know what to do with the popup when clicking the mailto-link.
Just reverse it before you obfuscate it...
$email = 'blah#whatever.co.uk';
$new = convert_email_adr($email);
echo '<span style="unicode-bidi:bidi-override; direction: rtl;">'.$new.'</span>';
function convert_email_adr($email, $reverse = true, $obfuscate = true)
{
$email = trim($email);
if($reverse)
{
$email = strrev($email);
}
if($obfuscate)
{
$pieces = str_split($email);
$email = '';
foreach($pieces as $piece)
{
$email .= '&#'.ord($piece).';';
}
}
return $email;
}
Why don't you use it that way?
function convert_email_adr($email)
{
$pieces = str_split(strrev(trim($email)));
$new_mail = '';
foreach ($pieces as $val)
{
$new_mail .= '&#'.ord($val).';';
}
return $new_mail;
}
Generally, a good solution to this is to provide a layer of abstraction around the email address entirely, by which I mean instead of just the email address, providing a contact form. They fill in their info, submit it, and your server sends along the information to the proper email address.
That's not an especially scalable approach, though, generally mostly applicable to a single "contact me" situation, not a "here are our listings of companies to contact" situation, in which case obsfucation is running directly counter to your goal of making sure the customers can contact the targets with as much ease as possible. In that case you generally want to go with good spam protection.