Jump to content

Apostrophe Character Difficulties


hobbiton73

Recommended Posts

Hi, I wonder whether someone may be able to help me please.

 

I'm using the regex expression below as part of my form validation.

else if(!preg_match('/^[A-Za-z0-9 .,;-]{5,60}$/', $locationname))
 

As it currently stands the expression works fine, but I'm having great difficulty when tyrying to add the ' (apostrophe).

 

I've been working on this for a couple of days now, escaping the charcater, moving it to different positions within the expression, sadly without any luck.

 

I just wondered whether someone could possibly look at this please and let me know where I'm going wrong and put me out of my misery :-\ .

 

Many thanks and kind regards

 

Chris

Link to comment
Share on other sites

What kind of error do you get when adding it, and what have you attempted when trying to add it?

Without seeing what you've tried, it's quite hard to say exactly what you've done wrong. Especially if there are no error messages listed as well. The code you have posted is correct, as you already know though.

Link to comment
Share on other sites

Hi @Christian F., thank you for taking the time to reply to my post.

 

When a user wants to save a record, there are two validation files which I use. The first is the actual form validation where the relevant jquery success or failure messages are displayed, and for this I use the following regex:

 

"onlyMapmyfinds": {
                    "regex": /^$|^[-A-Za-z0-9 .,;']+$/,
                    "alertText": "* No special characters allowed"
                },      
 

As you can see this incoporates the apostrophe without any problem.

 

The second file is the PHP script which saves the record to a mySQL database which is where I have the problem.

 

As it currently stand this is the specific line which throws up the error message:

else if(!preg_match('/^[A-Za-z0-9 .,;-]{5,60}$/', $locationname)){ //validate email address - check if is a valid email address
            $status = "error";
            $message = "Invalid Location Name, please try again!";
    }
 

I hope this helps.

 

Many thanks and kind regards

 

Chris

 

 

        
          

Link to comment
Share on other sites

You still didn't post what you've tried to do when adding the apostrophe, only what you have that is working. That means I can only guess at what you did which may very well be completely off base, considering the sheer number of ways things can be done wrong.

Also, when you say "the error message", are you referring to the "invalid location name" message that you wrote, or something else?

 

When it comes to how to turn off magic quotes, searching the net will give you plenty of detailed howtos.

Link to comment
Share on other sites

Hi Christian F. thank you for your continued help with this, and my sincere apologies for not providing you with enough details. Please find below the expressions I've tried:

 

I initially started with the more striaght forward combinations:

 

else if(!preg_match('/^[A-Za-z0-9 \']{5,60}$/', $locationname))

else if(!preg_match('/^[A-Za-z0-9 ']{5,60}$/', $locationname))

 

I then tried the following:

 

else if(!preg_match('/^[A-Za-z0-9 .,;\-\']{5,60}$/', $locationname))

else if(!preg_match('/^[A-Za-z0-9 .,;\'\-]{5,60}$/', $locationname))

else if(!preg_match('/^[-A-Za-z0-9 .,;\']{5,60}$/', $locationname))

else if(!preg_match('/^[-A-Za-z0-9 .,;']{5,60}$/', $locationname))

 

As I said in my earlier posts, these have been unsuccessful and when the validation fails, I receive this error mesage:

 

 $message = "Invalid Location Name, please try again!";

 

I've looked to see if 'Magic_Quotes' are turned on and they are, but am I correct in thinking that this is a fale safe aginst SQL Injection? My apologiezs if my understanding is incorrect.

 

Many thanks and kind regards

 

Chris

Link to comment
Share on other sites

Magic quotes was intended to be a safeguard against SQL injections, it failed miserably and became a source of data corruption instead. It is strongly recommended to turn them off, as soon as possible. Chances are very high that this is what's causing your inability to use find a proper RegExp that validates a string with a single quote. (As the magic_quotes adds a backslash as a part of the content of the string.)

 

The only proper protections against SQL injections is proper escaping of the output, but only just before adding the content to the output string that you're sending to the third party system. Do not overwrite the original values, as that will (most likely) cause the same data corruption problems as magical_quotes.

Prepared Statements is the most recommended method for this, as it utilizes the database engine to do the proper escaping manually.

Edited by Christian F.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.