Re: A security vulnerability in S8Forum

In article <20030105032650.16087.h011.c009.wm@mail.canada.com.criticalpath.net> you write:
[ snip ]
>SOLUTION :
>==========
[ snip ]
> if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
>           $email) && $email != "") {

Please note that there are many more characters valid in the LHS of an
email address, for example +, that are often desirable.  Disallowing
such addresses is a major nuisance.  A beautiful example is the useful
feature in sendmail that allows user+whatever@dom.ain, which allows
users to invent infinite variations on their email address for tracking
spam database propagation.

In this particular application, the error is more widespread than the
fix you cite -- if you're going to allow random users to control file
names on your system, you certainly shouldn't put the contents somewhere
that a web server can directly find it.

That bit of software seems to need a major review.

-- 
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                         Whois: SW32
   Free time?  There's no such thing.  It just comes in varying prices...
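Added example, not from the post above and not S8Forum's own code: it reproduces the regex quoted from the advisory to show which addresses it rejects (a "+" in the local part, a top-level label longer than three letters), puts a more permissive local-part check beside it, and illustrates the second point of the reply, that a user-controlled string must not become part of a filesystem path. Python is used so the block runs stand-alone; under re.IGNORECASE the pattern behaves as it does under PHP's case-insensitive eregi(). The permissive pattern is my own simplification of the RFC 5322 dot-atom grammar, and the directory names are made up.

```python
import hashlib
import os
import re

# The pattern quoted from the advisory's SOLUTION section, verbatim.
ADVISORY_RE = re.compile(
    r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
    re.IGNORECASE,
)

# RFC 5322 "atext": the characters allowed in a dot-atom local part.
# (Assumption: my simplification of the RFC grammar, not anything on the page.)
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
PERMISSIVE_RE = re.compile(
    r"^" + ATEXT + r"+(\." + ATEXT + r"+)*"
    + r"@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def advisory_accepts(email: str) -> bool:
    """True if the advisory's regex matches.  The advisory only rejects when
    this is False AND the field is non-empty, so "" passes through there."""
    return ADVISORY_RE.match(email) is not None


def permissive_accepts(email: str) -> bool:
    """Syntax check that allows '+' (and the other atext characters) in the
    local part and does not cap the top-level label at three letters."""
    return PERMISSIVE_RE.match(email) is not None


def naive_storage_path(base_dir: str, user_supplied: str) -> str:
    """The pattern the reply warns against: the user's string becomes part of
    the path, so '..' components walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_supplied))


def hashed_storage_path(base_dir: str, user_supplied: str) -> str:
    """Derive the file name from a digest of the user's string rather than
    the string itself, so the user chooses nothing about the path.
    base_dir is assumed to live outside the web server's document root."""
    digest = hashlib.sha256(user_supplied.encode("utf-8")).hexdigest()
    return os.path.join(base_dir, digest + ".dat")


def escapes_base(base_dir: str, path: str) -> bool:
    """True if path resolves to somewhere outside base_dir."""
    base = os.path.abspath(base_dir)
    return os.path.commonpath([base, os.path.abspath(path)]) != base


if __name__ == "__main__":
    for addr in ("user+whatever@dom.ain", "user@example.info", "user@dom.ain"):
        print(f"{addr:24} advisory={advisory_accepts(addr)} "
              f"permissive={permissive_accepts(addr)}")
    base = "/srv/forum-data"        # made-up directory, outside the docroot
    evil = "../../etc/passwd"       # constructed hostile input
    naive = naive_storage_path(base, evil)
    hashed = hashed_storage_path(base, evil)
    print(naive, "escapes" if escapes_base(base, naive) else "stays inside")
    print(hashed, "escapes" if escapes_base(base, hashed) else "stays inside")
```

The two regexes are deliberately syntax checks only; neither proves the mailbox exists, which is why the permissive one is the better trade: it turns away fewer legitimate users without buying any less safety. The path functions make the separate point that the fix for user-chosen file names is to stop using the user's string as a name at all (and to keep the data directory where the web server will not serve it), not to filter the string harder.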
