need help with syntax php username need help

[Minimeallolla]

if($_POST['username'] != preg_replace(“/[^a-zA-Z0-9\s]/”, “”, $_POST['username'])) {
// bad name
}else{
// good name
}

 

Parse error: syntax error, unexpected '['

its referring to this

[^a-zA-Z0-9\s]

 

how can i make it work?

[.josh]

it's referring to the magic quotes you have in your syntax.  replace them with " or '

[Minimeallolla]

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING

can you replace it for me lol i dont know which ones

[.josh]

umm....no.

 

 

If you can't understand the concept of replacing magic quotes with real quotes, then maybe you should pick up another hobby.

 

 

[Minimeallolla]

” they are magic quotes but which ones

[.josh]

all of them. php doesn't recognize those. It recognizes ' or "

[Minimeallolla]

i replaced them all with " and thats what i got \=

[.josh]

repost your code

[Minimeallolla]

if($_POST['username'] != preg_replace("/[^a-zA-Z0-9\s]/", "", $_POST['username'])) {

[.josh]

okay well that problem is fixed, your current error is somewhere else.

[Minimeallolla]

well it saysa Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING on that line sol \= could you help me find it?

[.josh]

syntax errors like that are not usually on the actual line reported. They are on the first line where things start to go wrong.  Look for quotes you forgot to close somewhere above that line.

[Minimeallolla]

hmm ok i changedc it to ' instead of " and i registered under -=][\[';/. or something along those lines and it came up with You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near './.'' at line 1 hmm i wanted to make it say username invalid, instead of that.. =\

[premiso]

Sometimes the error says a line, but it could be the surrounding. Post 5 lines before that line and 5 after to give us a better idea of what is going on.

 

As an alternative test, you can assign the preg_replace section to its own variable and test it that way and if the error is still thrown on the line the preg is on, then yea. Something is up. However, it does not seem that it is there, given I did ran this code locally and it went through just fine and echo'd bad.

 

$username = 'test_';
if ($username != preg_replace("/[^a-zA-Z0-9\s]/", "", $username)) echo 'bad';

 

What would be a better idea, is post the username you are testing plus the 5 lines before and after the offending line.

[Minimeallolla]

well i edited it abit

if($_POST['username'] != preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['username'])) {
	die('Invalid characters <a href="register.php">Please try again.');
	}else{
	echo "Username valid.";
	}

[.josh]

hmm ok i changedc it to ' instead of " and i registered under -=][\[';/. or something along those lines and it came up with You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near './.'' at line 1 hmm i wanted to make it say username invalid, instead of that.. =\

 

This has nothing to do with the code you posted.  Are you even reading the error? You need to put more effort into this.  That error is telling you that there is an error in a sql query you are trying to perform. Do you see ANYTHING in the code you posted here that has ANYTHING to do with performing a database query?

[Minimeallolla]

yes, thats what im trying to block out. im trying to maximise sql injection protection.

 

i want the username "');DROP TABLE users" to come up as invalid characters so the hacker feels defeated lol

[.josh]

Do you want some help or not?

[Minimeallolla]

yes.. i was just telling you what i wanted the code to do?

[.josh]

And I told you that error has nothing to do with the code you posted. I told you it has to do with a database query you are attempting to perform.  But instead of posting relevant code, you just tell me what you want to do.  Do you expect me to bust out with a crystal ball and divine what your code is?  Use some common sense.

[Minimeallolla]

didnt i say i solved the error but doing ' instead of " sorry if i didnt but i thought i did \=

[.josh]

yes, you solved one error, but you said you are having another error now, a sql error.  Did you not want help solving that?

[Minimeallolla]

hmm it was an error because i entered a sql code as a registered name. i want to block the sql codes and make it come up with invalid characters instead of a sql error.

[Username:]

well i edited it abit

if($_POST['username'] != preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['username'])) {
	die('Invalid characters <a href="register.php">Please try again.');
	}else{
	echo "Username valid.";
	}

 

Why would you put a die?

If it replaces then they no longer exist.

 

Wouldn't it be something like

 

<?php
$replace = $_POST['username'] != preg_replace('/[^a-zA-Z0-9\s]/', '', $_POST['username'];
if($replace == true){
die("Invalid characters in name!");
} else {
dostuffhere
}
?>

 

 

Try this:

 

$string = $_POST['username'];

function wordsExist(&$string, $words) {
    foreach($words as &$word) {
        if(stripos($string, $word) !== false) {
            return true;
        }
    }
    return false;
}   //this function was written by someone else from PHPFreaks - Sorry if this is your code

if (wordsExist($string, array('character1','character2','character3','character4','character5',))) {
    die("Your username contains a blocked character!");
}