preg_match problem

[jason360]

Hey guys,

 

I am stuck on this preg_match if statement.   I want to allow ' and " in the variable string but for some reason it keeps reporting invalid characters when I add '  or " to the string.

 

Any help would be appreciated as I have tried tons of combinations after searching google.

 

Thanks!

if(preg_match("/[^a-zA-Z0-9\-\_\,\!\?\.\'\"\ \/]+/i",$_POST['article_title']))
			{
			$err[]='<p class="error" style="color: #ed1c24;">Your Title contains invalid characters!</p>';
			}

[php_bad_boy]

Hi Jason,

 

Try running this code snippet, as you can see the preg_match returns 0 for a string containing both the single and double quotes.

<?php

$my_string = "some ''''' \"\"\" string";

echo ( preg_match("/[^a-zA-Z0-9\-\_\,\!\?\.\'\"\ \/]+/i",$my_string) )
			
?>

Can you have a look at the values of the $_POST['article_title'] variables that are getting passed to the preg_match function?

 

 

 

[jason360]

Hi PHP Bad Boy,

 

I tried the snippet and it echoed 0.

 

Do you think that maybe remove slashes should be used on the $_POST['article_title']?

[php_bad_boy]

Hi Jason,

 

I think you might be right. I'd be tempted to print all the $_POST['article_title'] variables where preg_match is returning true and hopefully you'll spot the problem.

if(preg_match("/[^a-zA-Z0-9\-\_\,\!\?\.\'\"\ \/]+/i",$_POST['article_title']))
{
  $err[]='<p class="error" style="color: #ed1c24;">Your Title contains invalid characters! </p>';
  echo $_POST['article_title'];
}

[hansford]

I am unable to reproduce your error on strings containing " or '.

Let us look at the form code and see if there is something there. 

You wouldn't happen to have magic_quotes on would you?

[jason360]

Hey Guys,

 

Just an update.  I was able to figure the problem out by adding stripslashes() to the POST.

if(preg_match("/[^a-zA-Z0-9\-\_\,\!\?\.\'\"\ \/]+/i",stripslashes($_POST['article_title'])))

[Jacques1]

No, no, no.

 

Have you never wondered why there are strange backslashes in the user input? Wouldn't it make sense to actually fix the problem rather than work around it with nonsense functions like stripslashes()?

 

Random backslashes are not normal. It means there's a fundamental problem with your PHP setup (like Magic Quotes) or your application (like some auto-escaper going berzerk). I strongly recommend that you take care of this. Otherwise you'll run into the same problem over and over again. You may also get into serious trouble: The backslashes are supposed to be a security feature. If you remove them at will, then you might end up with no security at all.