From: Steve Watt (steve_at_Watt.COM)
Date: Mon Jan 06 2003 - 21:20:01 CST
In article <20030105032650.16087.h011.c009.wm@mail.canada.com.criticalpath.net> you write:
[ snip ]
>SOLUTION :
>==========
[ snip ]
> if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
> $email) && $email != "") {
Please note that there are many more characters valid in the LHS of an
email address, for example +, that are often desirable. Disallowing
such addresses is a major nuisance. A beautiful example is the useful
feature in sendmail that allows user+whatever@dom.ain, which allows
users to invent infinite variations on their email address for tracking
spam database propagation.
In this particular application, the error is more widespread than the
fix you cite -- if you're going to allow random users to control file
names on your system, you certainly shouldn't put the contents somewhere
that a web server can directly find it.
That bit of software seems to need a major review.
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve@Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...
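As an added illustration (not code from this thread or from the original advisory), the following Python transcribes the quoted eregi() pattern and runs it beside a more permissive check over a handful of constructed addresses, so the rejection of plus-addressed mailboxes is visible; it also shows the second point of the reply, deriving the on-disk file name from a hash of the address rather than from the user-supplied string and keeping it outside the document root. The permissive pattern, the sample addresses and the data directory are assumptions made for the example.

```python
import hashlib
import os
import re

# The pattern quoted from the advisory's fix (PHP eregi, case-insensitive),
# transcribed to Python. The local-part class [_a-z0-9-] contains no '+',
# so addresses using sendmail-style plus-addressing are rejected.
ADVISORY_PATTERN = re.compile(
    r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
    re.IGNORECASE,
)

# Assumed alternative for comparison: allows the other characters RFC 5322
# permits unquoted in the local part ('atext') and does not cap the top-level
# label at three letters. It is a plausibility check, not a full RFC parser.
PERMISSIVE_PATTERN = re.compile(
    r"^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$",
    re.IGNORECASE,
)


def accepted_by_advisory(email: str) -> bool:
    # fullmatch() avoids the Python quirk where '$' also matches before a
    # trailing newline, which match() would let through.
    return ADVISORY_PATTERN.fullmatch(email) is not None


def accepted_by_permissive(email: str) -> bool:
    return PERMISSIVE_PATTERN.fullmatch(email) is not None


def compare(addresses):
    """Return {address: (advisory_result, permissive_result)} for each input."""
    return {a: (accepted_by_advisory(a), accepted_by_permissive(a)) for a in addresses}


def storage_path_for(email: str, data_dir: str) -> str:
    """Map an address to a file under data_dir (assumed to lie outside the web root).

    The name is the hex SHA-256 of the lower-cased address, so no character the
    user typed (slashes, dots, NULs) ever reaches the filesystem path, whatever
    the validation regex let through.
    """
    digest = hashlib.sha256(email.lower().encode("utf-8")).hexdigest()
    return os.path.join(data_dir, digest + ".dat")


# Constructed sample addresses for the comparison.
SAMPLE_ADDRESSES = [
    "alice@example.com",              # accepted by both
    "alice+spam-tracker@example.com",  # rejected by the advisory pattern ('+')
    "bob@example.info",                # rejected by the advisory pattern (4-letter TLD)
    "../../etc/passwd",                # rejected by both: no '@'
]

if __name__ == "__main__":
    for addr, (adv, perm) in compare(SAMPLE_ADDRESSES).items():
        print(f"{addr!r:36} advisory={adv!s:5} permissive={perm}")
    print(storage_path_for("alice+spam-tracker@example.com", "/var/app/data"))
```

Running the block prints one line per sample address followed by the hashed storage path; the plus-addressed and four-letter-TLD cases are the ones where the two checks disagree.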