[SOLVED] Allow Characters with ereg or preg_match for user input?

limitphp · December 5, 2008

For passwords and names, is it best to only allow a-z, 0-9?

And for usernames is it best to only allow a-z, 0-9, and underscores?

Also, does it make a difference if you use ereg or preg_match to do it?

Right now, all I have is a function that uses mysql_real_escape_string

function check_input($value)
{
	// Stripslashes
	if (get_magic_quotes_gpc())
	  {
	  $value = stripslashes($value);
	  }
	  $value = mysql_real_escape_string($value);		  
	return $value;
}

Thanks

gevans · December 5, 2008

This should work for you;

<?php
function check_input($value){
if(get_magic_quotes_gpc()) $value = stripslashes($value);
if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;
$value = mysql_real_escape_string($value);       
return $value;
}
?>

if(!ereg("^[a-zA-Z0-9_]+$", $value)) return FALSE; //with the udnerscore

.josh · December 5, 2008

Facts:

- pcre regex (preg, for php) is a lot faster, up to 6x faster.

- pcre is perl compatible.

Rumors/opinions:

- People say that posix regex (ereg, for php) is easier to learn, but it doesn't offer as much as pcre regex.

- pcre is safer (I hear it's a lot easier to inject xss into posix regexes, for instance)

limitphp · December 5, 2008

This should work for you;

<?php
function check_input($value){
if(get_magic_quotes_gpc()) $value = stripslashes($value);
if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;
$value = mysql_real_escape_string($value);       
return $value;
}
?>

When it returns false, what value does it send?

On my register page, lets say they put invalid characters in their username.

I'll run the username through the check_input() function.

Then I'll check to see if the username is taken:

$queryRegister = "SELECT username FROM user WHERE username = '$username'";
$result = mysql_query($queryRegister);

If its returning false for the username will it mess up that query, or will it just assume it doesn't exist and move on?

If it moves on, I'll need to send the user a message saying invalid characters.

How do I check for a false value in $username?

Like this?:

(if $username=="")

gevans · December 5, 2008

<?php
function check_input($value){
if(get_magic_quotes_gpc()) $value = stripslashes($value);
if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;
$value = mysql_real_escape_string($value);       
return $value;
}
?>

$checkUsername = checkinput($value);
if(!$checkUsername){
  kill the script and let the user know that there was a problem with the username format
} else {
  //carry on with script
}

limitphp · December 5, 2008

if(!$checkUsername)

Awesome...thank you.

Facts:

- pcre regex (preg, for php) is a lot faster, up to 6x faster.

- pcre is perl compatible.

Rumors/opinions:

- People say that posix regex (ereg, for php) is easier to learn, but it doesn't offer as much as pcre regex.

- pcre is safer (I hear it's a lot easier to inject xss into posix regexes, for instance)

I saw that on the phpmanual website and it sort of made me think I should use the preg_match. But the register page hopefully, won't be hit too many times in one day compared to the main page.

Also, after you guys posted how to use the ereg function, it seems extremely easy to use. Although, what is the +$ for in:

if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;

gevans · December 5, 2008

if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;

^ - denotes the start of the pattern to check

$ - denotes the end of the pattern

+ - requires one or more characters

premiso · December 5, 2008

A great place to learn/test regex using preg functions can be found below.

http://www.perlfect.com/articles/regextutor.shtml

It may help you out when trying to create a regex for something.

gevans · December 5, 2008

A great place to learn/test regex using preg functions can be found below.

http://www.perlfect.com/articles/regextutor.shtml

It may help you out when trying to create a regex for something.

Never seen that before, that's awsome!

limitphp · December 5, 2008

Thanks for all the info guys.

Oh as far as design is concerned,

username - allow only a-z,A-z,0-9,_ is there anything else that a username should be able to use? like a dash or a period?

I understand its personally preference, but will allowing a dash or period mess up anything?

names and password - I assume only allows letters and numbers, is there any reason to allow anything else?

gevans · December 5, 2008

With names, if they're putting there whole name in you'll want to allow spaces as well. username I'd just use what you have in place, but you can use dashes if you like

password i'd stick to a-zA-Z0-9

limitphp · December 5, 2008

to allow spaces would it be:

if(!ereg("^[a-zA-Z0-9," "]+$", $value)) return FALSE;

gevans · December 5, 2008

if(!ereg("^[a-zA-Z0-9 ]+$", $value)) return FALSE;

You don't need quotes or commas in regular expressions

Only to escape special characters

limitphp · December 5, 2008

Thank you for all the help.

.josh · December 5, 2008

A great place to learn/test regex using preg functions can be found below.

http://www.perlfect.com/articles/regextutor.shtml

It may help you out when trying to create a regex for something.

Reminds me of something similar I made a while back. Not really that great, but oh well.

Sign In

[SOLVED] Allow Characters with ereg or preg_match for user input?

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information