user2306309

Reputation: 541

MongoDB findOne with regex (security flaw?)

Before I insert the email into the database, I validate the address with

if (filter_var($emailAdress, FILTER_VALIDATE_EMAIL))
{
....
}

... but is this maybe a security flaw?

$userAccObj = $db->user->findOne( array('email' => array('$regex' => '^'.$emailAdress.'$', '$options' => 'i') ));

Should I do this? Or is it not necessary?

$emailAdress= preg_replace("/\@/", '\@', $emailAdress);
$emailAdress= preg_replace("/\-/", '\-', $emailAdress);
$emailAdress= preg_replace("/\./", '\.', $emailAdress);

Upvotes: 2

Views: 342

Answers (1)

Sammaye

Reputation: 43884

if (filter_var($emailAdress, FILTER_VALIDATE_EMAIL))

is a good way to validate an email address in PHP; however, it does use regexes, but so far those have proven to be the best.

$userAccObj = $db->user->findOne( array('email' => array('$regex' => '^'.$emailAdress.'$', '$options' => 'i') ));

The only real problem with that is the ".", which is a special character that will affect how the regex works. But do you really need to do a regex here? You have checked that it is a full email address, so you just need to check whether that exact email address exists (or, better yet, make a unique index on the field).

As such, I think you can take out the regex and do an exact match.

Upvotes: 1
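The following is an added example, not code from the question or the answer. It shows, with a constructed sample, why an unescaped address inside a "$regex" pattern matches more than the one address (the "." in the local part is a wildcard), how preg_quote() fixes that if a case-insensitive regex is genuinely needed, and what the answer recommends instead: an exact-match query on a normalised value. The "ensureIndex" call at the end assumes the legacy PHP Mongo driver implied by the question's "$db->user->findOne(...)" style; the modern MongoDB library uses createIndex().

```php
<?php
// Added example (not from the question or answer): regex lookup vs exact match.

// Constructed sample: the submitted address and three stored addresses.
$submitted = 'a.b@example.com';   // passes FILTER_VALIDATE_EMAIL
$stored    = array('a.b@example.com', 'axb@example.com', 'A.B@example.com');

// 1) The question's pattern, built by string concatenation.
//    '.' is a regex metacharacter, so 'axb@example.com' also matches.
$loose = '/^' . $submitted . '$/i';
foreach ($stored as $addr) {
    printf("%-18s loose:  %d\n", $addr, preg_match($loose, $addr));
}
// a.b@example.com loose: 1 / axb@example.com loose: 1 / A.B@example.com loose: 1

// 2) Escaped pattern: preg_quote() escapes every PCRE metacharacter, so only
//    the literal address (case-insensitively) matches. The '/' argument is the
//    delimiter used by preg_match; MongoDB's $regex has no delimiter.
$strict = '/^' . preg_quote($submitted, '/') . '$/i';
foreach ($stored as $addr) {
    printf("%-18s strict: %d\n", $addr, preg_match($strict, $addr));
}
// a.b@example.com strict: 1 / axb@example.com strict: 0 / A.B@example.com strict: 1

// 3) What the answer recommends: no regex at all. Normalise the case once
//    (on insert and on lookup) and query for the exact string.
$normalised = strtolower($submitted);
$exactQuery = array('email' => $normalised);
// $userAccObj = $db->user->findOne($exactQuery);

// If a regex query really is unavoidable, escape the value the same way.
// MongoDB evaluates $regex with PCRE, so preg_quote() output is compatible.
$regexQuery = array('email' => array(
    '$regex'   => '^' . preg_quote($submitted) . '$',
    '$options' => 'i',
));
// $userAccObj = $db->user->findOne($regexQuery);

// Unique index on the normalised field, so duplicates are rejected by the
// database rather than by application logic (legacy driver method name,
// assumed from the question's API style; modern library: createIndex()).
// $db->user->ensureIndex(array('email' => 1), array('unique' => true));
```

Run the file with the PHP CLI; the two loops print the match results shown in the comments, which is the whole point: the loose pattern reports a hit for "axb@example.com", the quoted pattern and the exact query do not.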
