john2020 Posted January 21, 2011

Folks, I am just trying to learn PHP. For form input validation, which is better: Regexp or PHP Filters? Or do they have completely different uses? Where does preg fit in? Thank you! J.S.

JakeTheSnake3.0 Posted January 21, 2011

For ease of use, filters are a no-brainer! Regex would be used for complex verification. Filters are just a way of saying "I only want numbers...or I want to verify that the email address is properly formed".

PHPFAN10 Posted January 21, 2011

Hi, I use a mixture of both. For usernames/passwords I use regex and for email I use PHP filters, basic but does its job.

Example: For usernames I use the following regex:

    // username regular expression
    define('USERNAME_REGEX', '/^[a-z][\w\.\*\-\_]{2,14}$/i');

For emails I use PHP filter:

    filter_var($email, FILTER_VALIDATE_EMAIL)

I use preg_match() and do error checking like this, depending on what I am wanting to do/achieve.

    if (!preg_match(constant("USERNAME_REGEX"), $username)) {
        $error .= "Please enter a username. Use 3 to 15 characters and start with a letter. You may use letters, numbers, hyphen, asterisk, underscores and dot (.) <br />";
    }
    if (!empty($email) && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $error .= "Your email address is not valid <br />";
    }

john2020 Posted January 21, 2011

Thank you, guys! It's good to know that they complement each other. Two things. First, the email filter considers even _@d.c to be a valid email address. Second, there must be some newbie error but I can't get this to work:

    if ($_POST["Submit"]) {
        define('USERNAME_REGEX', '/^[a-z][\w\.\*\-\_]{2,14}$/i');
        $username = $_POST["username"];
        if ( !preg_match(constant("USERNAME_REGEX"), $username)) {
            $error .= "Please enter a username. Use 3 to 15 characters and start with a letter. You may use letters, numbers, hyphen, asterisk, underscores and dot (.) <br />";
        }
    }

john2020 Posted January 21, 2011

I did manage to get the whitelist working to prevent SQL Injection attacks:

    if ($_POST["Submit"]) {
        $stringToFilter = $_POST["email"];
        echo preg_replace( "/[^a-zA-Z0-9\.\-\_\@]/", "", $stringToFilter );
    }

Pikachu2000 Posted January 21, 2011

To prevent SQL injection, you'd simply need to validate and escape string type data, and validate and cast numeric data as the correct type.

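Validation followed by escaping, as described in the last reply, shown as an added example that is not code from the thread. The username regex is the one posted above with the `D` modifier added; the `validate_signup` helper, the `users` table, the `age` field and the sample submission are constructed for illustration, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example. Helper, table and field names are constructed for illustration.
// The thread's username regex, plus D so "$" cannot match before a trailing newline.
const USERNAME_REGEX = '/^[a-z][\w\.\*\-\_]{2,14}$/iD';

function validate_signup(array $in): array
{
    $errors = [];
    // String data: validate against a whitelist pattern.
    $username = $in['username'] ?? '';
    if (!is_string($username) || !preg_match(USERNAME_REGEX, $username)) {
        $errors[] = 'username';
    }

    // String data: built-in filter; returns the address or false.
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }

    // Numeric data: validate the range and get a real int back, not the raw string.
    $age = filter_var($in['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'age';
    }

    return [$errors, ['username' => $username, 'email' => $email, 'age' => $age]];
}

// Assumes the pdo_sqlite extension; an in-memory database keeps this offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT, age INTEGER)');

// Constructed submission standing in for $_POST. The email passes
// FILTER_VALIDATE_EMAIL yet contains a quote, so it still has to be escaped.
$post = ['username' => 'j.smith', 'email' => "o'brien@example.com", 'age' => '34'];
[$errors, $clean] = validate_signup($post);
if ($errors === []) {
    $sql = sprintf(
        'INSERT INTO users (username, email, age) VALUES (%s, %s, %d)',
        $pdo->quote($clean['username']), // escaped and quoted for this driver
        $pdo->quote($clean['email']),
        $clean['age']                    // already an int
    );
    $pdo->exec($sql);
}
var_dump($errors, $pdo->query('SELECT * FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

Bound parameters through `PDO::prepare()` and `execute()` keep the data out of the SQL text in the same way without manual quoting.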