user2306309
Reputation: 541
MongoDB findOne with regex (security flaw?)
Before i insert the email into the database -> i validate the adress with
if (filter_var($emailAdress, FILTER_VALIDATE_EMAIL))
{
....
}
.. but is this maybe a security flaw?
$userAccObj = $db->user->findOne( array('email' => array('$regex' => '^'.$emailAdress.'$', '$options' => 'i') ));
Schould i do this? or is it not necessary?
$emailAdress= preg_replace("/\@/", '\@', $emailAdress);
$emailAdress= preg_replace("/\-/", '\-', $emailAdress);
$emailAdress= preg_replace("/\./", '\.', $emailAdress);
Upvotes: 2
Views: 342
Answers (1)
Sammaye
Reputation: 43884
if (filter_var($emailAdress, FILTER_VALIDATE_EMAIL))
Is a good way to vlaidate an email address in PHP, however, it does use regexes but so far, those have proven to be the best.
$userAccObj = $db->user->findOne( array('email' => array('$regex' => '^'.$emailAdress.'$', '$options' => 'i') ));
The only real problem with that is the . which is a special character which will effect how the regex works, but do you really need to do a regex here? You have checked it is a full email address as such you just need to check for where that exact email address exists (or better yet make a unique index on the field).
As I such I think you can take out the regex and do an exact match.
Upvotes: 1
Related Questions
- MongoDB reverse regex
- MongoDB $regex query and potential exploits
- mongodb regex doesn't work
- Mongodb regex query
- MongoDB regular expression not working as expected
- MongoDB find with regex behaves differently from Java
- Using Regex in mongodb
- Mongodb regex embedded search
- mongodb database search regex
- mongodb regular expressions matching