Jump to content

[SOLVED] Allow Characters with ereg or preg_match for user input?


Recommended Posts

For passwords and names, is it best to only allow a-z, 0-9?

 

And for usernames is it best to only allow a-z, 0-9, and underscores?

 

 

Also, does it make a difference if you use ereg or preg_match to do it?

 

Right now, all I have is a function that uses mysql_real_escape_string

function check_input($value)
{
	// Stripslashes
	if (get_magic_quotes_gpc())
	  {
	  $value = stripslashes($value);
	  }
	  $value = mysql_real_escape_string($value);		  
	return $value;
}

 

Thanks

 

 

 

 

This should work for you;

 

<?php
function check_input($value){
if(get_magic_quotes_gpc()) $value = stripslashes($value);
if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;
$value = mysql_real_escape_string($value);       
return $value;
}
?>

 

 

 

if(!ereg("^[a-zA-Z0-9_]+$", $value)) return FALSE;  //with the udnerscore

Facts:

- pcre regex (preg, for php) is a lot faster, up to 6x faster. 

- pcre is perl compatible.

 

Rumors/opinions:

- People say that posix regex (ereg, for php) is easier to learn, but it doesn't offer as much as pcre regex.

- pcre is safer (I hear it's a lot easier to inject xss into posix regexes, for instance)

This should work for you;

 

<?php
function check_input($value){
if(get_magic_quotes_gpc()) $value = stripslashes($value);
if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;
$value = mysql_real_escape_string($value);       
return $value;
}
?>

 

When it returns false, what value does it send?

On my register page, lets say they put invalid characters in their username.

 

I'll run the username through the check_input() function.

 

Then I'll check to see if the username is taken:

$queryRegister = "SELECT username FROM user WHERE username = '$username'";
$result = mysql_query($queryRegister);

 

If its returning false for the username will it mess up that query, or will it just assume it doesn't exist and move on?

 

If it moves on, I'll need to send the user a message saying invalid characters.

How do I check for a false value in $username?

Like this?:

(if $username=="")

 

 

 

 

 

<?php
function check_input($value){
if(get_magic_quotes_gpc()) $value = stripslashes($value);
if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;
$value = mysql_real_escape_string($value);       
return $value;
}
?>

$checkUsername = checkinput($value);
if(!$checkUsername){
  kill the script and let the user know that there was a problem with the username format
} else {
  //carry on with script
}

 

if(!$checkUsername)

 

 

 

Awesome...thank you.

 

Facts:

- pcre regex (preg, for php) is a lot faster, up to 6x faster.

- pcre is perl compatible.

 

Rumors/opinions:

- People say that posix regex (ereg, for php) is easier to learn, but it doesn't offer as much as pcre regex.

- pcre is safer (I hear it's a lot easier to inject xss into posix regexes, for instance)

 

I saw that on the phpmanual website and it sort of made me think I should use the preg_match.  But the register page hopefully, won't be hit too many times in one day compared to the main page.

Also, after you guys posted how to use the ereg function, it seems extremely easy to use.  Although, what is the +$ for in:

if(!ereg("^[a-zA-Z0-9]+$", $value)) return FALSE;

 

 

A great place to learn/test regex using preg functions can be found below.

 

http://www.perlfect.com/articles/regextutor.shtml

 

It may help you out when trying to create a regex for something.

 

Never seen that before, that's awsome!

Thanks for all the info guys.

 

Oh as far as design is concerned,

 

username - allow only a-z,A-z,0-9,_ is there anything else that a username should be able to use? like a dash or a period?

I understand its personally preference, but will allowing a dash or period mess up anything?

 

names and password - I assume only allows letters and numbers, is there any reason to allow anything else?

 

A great place to learn/test regex using preg functions can be found below.

 

http://www.perlfect.com/articles/regextutor.shtml

 

It may help you out when trying to create a regex for something.

 

Reminds me of something similar I made a while back.  Not really that great, but oh well. 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.