limitphp Posted December 5, 2008 Share Posted December 5, 2008 For passwords and names, is it best to only allow a-z, 0-9? And for usernames is it best to only allow a-z, 0-9, and underscores? Also, does it make a difference if you use ereg or preg_match to do it? Right now, all I have is a function that uses mysql_real_escape_string function check_input($value) { // Stripslashes if (get_magic_quotes_gpc()) { $value = stripslashes($value); } $value = mysql_real_escape_string($value); return $value; } Thanks Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/ Share on other sites More sharing options...
gevans Posted December 5, 2008 Share Posted December 5, 2008 This should work for you; <?php function check_input($value){ if(get_magic_quotes_gpc()) $value = stripslashes($value); if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE; $value = mysql_real_escape_string($value); return $value; } ?> if(!ereg("^[a-zA-Z0-9_]+$", $value)) return FALSE; //with the udnerscore Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706767 Share on other sites More sharing options...
.josh Posted December 5, 2008 Share Posted December 5, 2008 Facts: - pcre regex (preg, for php) is a lot faster, up to 6x faster. - pcre is perl compatible. Rumors/opinions: - People say that posix regex (ereg, for php) is easier to learn, but it doesn't offer as much as pcre regex. - pcre is safer (I hear it's a lot easier to inject xss into posix regexes, for instance) Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706775 Share on other sites More sharing options...
limitphp Posted December 5, 2008 Author Share Posted December 5, 2008 This should work for you; <?php function check_input($value){ if(get_magic_quotes_gpc()) $value = stripslashes($value); if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE; $value = mysql_real_escape_string($value); return $value; } ?> When it returns false, what value does it send? On my register page, lets say they put invalid characters in their username. I'll run the username through the check_input() function. Then I'll check to see if the username is taken: $queryRegister = "SELECT username FROM user WHERE username = '$username'"; $result = mysql_query($queryRegister); If its returning false for the username will it mess up that query, or will it just assume it doesn't exist and move on? If it moves on, I'll need to send the user a message saying invalid characters. How do I check for a false value in $username? Like this?: (if $username=="") Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706870 Share on other sites More sharing options...
gevans Posted December 5, 2008 Share Posted December 5, 2008 <?php function check_input($value){ if(get_magic_quotes_gpc()) $value = stripslashes($value); if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE; $value = mysql_real_escape_string($value); return $value; } ?> $checkUsername = checkinput($value); if(!$checkUsername){ kill the script and let the user know that there was a problem with the username format } else { //carry on with script } Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706877 Share on other sites More sharing options...
limitphp Posted December 5, 2008 Author Share Posted December 5, 2008 if(!$checkUsername) Awesome...thank you. Facts: - pcre regex (preg, for php) is a lot faster, up to 6x faster. - pcre is perl compatible. Rumors/opinions: - People say that posix regex (ereg, for php) is easier to learn, but it doesn't offer as much as pcre regex. - pcre is safer (I hear it's a lot easier to inject xss into posix regexes, for instance) I saw that on the phpmanual website and it sort of made me think I should use the preg_match. But the register page hopefully, won't be hit too many times in one day compared to the main page. Also, after you guys posted how to use the ereg function, it seems extremely easy to use. Although, what is the +$ for in: if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE; Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706885 Share on other sites More sharing options...
gevans Posted December 5, 2008 Share Posted December 5, 2008 if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE; ^ - denotes the start of the pattern to check $ - denotes the end of the pattern + - requires one or more characters Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706891 Share on other sites More sharing options...
premiso Posted December 5, 2008 Share Posted December 5, 2008 A great place to learn/test regex using preg functions can be found below. http://www.perlfect.com/articles/regextutor.shtml It may help you out when trying to create a regex for something. Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706894 Share on other sites More sharing options...
gevans Posted December 5, 2008 Share Posted December 5, 2008 A great place to learn/test regex using preg functions can be found below. http://www.perlfect.com/articles/regextutor.shtml It may help you out when trying to create a regex for something. Never seen that before, that's awsome! Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706901 Share on other sites More sharing options...
limitphp Posted December 5, 2008 Author Share Posted December 5, 2008 Thanks for all the info guys. Oh as far as design is concerned, username - allow only a-z,A-z,0-9,_ is there anything else that a username should be able to use? like a dash or a period? I understand its personally preference, but will allowing a dash or period mess up anything? names and password - I assume only allows letters and numbers, is there any reason to allow anything else? Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706903 Share on other sites More sharing options...
gevans Posted December 5, 2008 Share Posted December 5, 2008 With names, if they're putting there whole name in you'll want to allow spaces as well. username I'd just use what you have in place, but you can use dashes if you like password i'd stick to a-zA-Z0-9 Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706907 Share on other sites More sharing options...
limitphp Posted December 5, 2008 Author Share Posted December 5, 2008 to allow spaces would it be: if(!ereg("^[a-zA-Z0-9," "]+$", $value)) return FALSE; Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706950 Share on other sites More sharing options...
gevans Posted December 5, 2008 Share Posted December 5, 2008 if(!ereg("^[a-zA-Z0-9 ]+$", $value)) return FALSE; You don't need quotes or commas in regular expressions Only to escape special characters Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706955 Share on other sites More sharing options...
limitphp Posted December 5, 2008 Author Share Posted December 5, 2008 Thank you for all the help. Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-706967 Share on other sites More sharing options...
.josh Posted December 5, 2008 Share Posted December 5, 2008 A great place to learn/test regex using preg functions can be found below. http://www.perlfect.com/articles/regextutor.shtml It may help you out when trying to create a regex for something. Reminds me of something similar I made a while back. Not really that great, but oh well. Quote Link to comment https://forums.phpfreaks.com/topic/135658-solved-allow-characters-with-ereg-or-preg_match-for-user-input/#findComment-707204 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.