soycharliente Posted September 13, 2016 (edited)

Am I correct in thinking that my regex is returning the format error because encoding the input is creating a longer string behind the scenes? I cannot figure out why a string of less than 64 characters is throwing an error. I am using htmlentities() to make sure that the presence of a double quote doesn't break my HTML code. When I check the source code of the submitted form, things like & are converted to &amp; and " to &quot; as I would expect.

<?
$errors = FALSE;
$e_name_e = FALSE; // error name empty
$e_name_f = FALSE; // error name format

if ( isset($_POST['submit']) && !empty($_POST['submit']) && $_POST['submit'] == "Add" ) {
    $link = db();
    $raceName = mysqli_real_escape_string($link, htmlentities(trim($_POST['raceName'])));

    if ( empty($raceName) ) {
        $e_name_e = TRUE;
        $errors = TRUE;
    }

    if ( !preg_match('/^[a-zA-Z0-9 ~!@#$%^&*()+`{}|[\]\\\\:";\'<>?,.\/=_-]{1,64}$/', $raceName) ) {
        $e_name_f = TRUE;
        $errors = TRUE;
    }

    mysqli_close($link);
}
?>
<input type="text" value="<? echo ($errors) ? stripslashes($raceName) : '';?>" class="form-control" id="raceName" name="raceName" placeholder="Name of the race." maxlength="64" aria-labelledby="label_raceName" aria-describedby="help_raceName" />
<? echo ($e_name_f) ? getFormError('help_raceName','Bad form.') : ''; ?>

// In an included file
function getFormError($id, $message, $html='') {
    $html .= "<span class=\"fa fa-times fa-fw form-control-feedback\" aria-hidden=\"true\"></span>";
    $html .= "<span id=\"{$id}\" class=\"help-block\">{$message}</span>".PHP_EOL;
    return $html;
}

I hate pasting huge blocks of text. Let me know if I trimmed too much and a few more lines would help diagnose. If I am correct, I'm unable to figure out the best way to limit to 64 characters but also handle any special characters. Should I switch the {1,64} to + in the regex and just let the HTML maxlength attribute do all the talking?
If I'm not correct, I would appreciate any direction. It's 1am local and I'm unable to move forward on this and need some sleep. I feel like there's a better way to do this altogether. Maybe with some prepared statements to accept input from a form? I will be writing the information to the database eventually. But right now I'm only having problems with the regex.

Edited September 13, 2016 by charlieholder
Link to comment https://forums.phpfreaks.com/topic/302171-special-characters-and-character-limits/
Jacques1 Posted September 13, 2016

The code doesn't make any sense. So you want to validate the input. But instead of validating the input, you randomly HTML-escape it, then SQL-escape it and finally run the completely garbled data through a regex check. Of course this will fail. Even the regex doesn't make sense to me. Why can I have all kinds of useless special characters, but a simple umlaut isn't allowed?

I think most of the code should be rewritten:

- Come up with a sensible naming policy. Either go with strict rules (e. g. only alphanumerical characters, underscores and hyphens), or be liberal (e. g. all printable Unicode characters). You know that there's more than ASCII, right?
- Stop calling random functions. HTML-escaping is strictly for HTML contexts; you use it right before you output data. SQL-escaping is strictly for SQL contexts and actually obsolete; nowadays, we indeed use prepared statements. And what's up with the stripslashes()? The last time that function made sense was somewhere in the late 90s when “Magic Quotes” still existed.
- Always validate the raw, unaltered input. What's the point of validation when you make it fail?
- Avoid writing PHP/HTML spaghetti code. Right now, I can barely see the application logic, because there are HTML fragments all over the place.
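The flow the reply describes (validate the raw input against one policy, store it with a prepared statement, escape only at output), written out as an added example that is not code from either poster; the helper names validateRaceName and saveRaceName, the races table, and the liberal "printable Unicode, 1 to 64 characters" policy are assumptions, while db() is the connection helper from the original post.

```php
<?php
// Added example (not from the thread). Assumed helpers: validateRaceName, saveRaceName.

// Policy from the reply: liberal rule, any printable Unicode, 1 to 64 characters.
// \p{L} letters, \p{N} digits, \p{P} punctuation, \p{S} symbols, \p{Zs} spaces;
// the /u flag makes PCRE read the subject as UTF-8 and count characters, not bytes.
// On invalid UTF-8 preg_match() returns false, which also lands in the error branch.
function validateRaceName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '') {
        return 'Race name is required.';
    }
    if (!preg_match('/^[\p{L}\p{N}\p{P}\p{S}\p{Zs}]{1,64}$/u', $name)) {
        return 'Race name must be 1 to 64 printable characters.';
    }
    return null; // valid
}

// Store the validated, unescaped value with a prepared statement; no
// mysqli_real_escape_string(), the placeholder keeps the data out of the SQL text.
function saveRaceName(mysqli $link, string $name): bool
{
    $stmt = $link->prepare('INSERT INTO races (name) VALUES (?)'); // assumed table
    $stmt->bind_param('s', $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$error = null;
$raceName = '';
if (isset($_POST['submit']) && $_POST['submit'] === 'Add') {
    $raceName = (string) ($_POST['raceName'] ?? '');
    $error = validateRaceName($raceName);   // raw input, nothing escaped yet
    if ($error === null) {
        $link = db();                        // connection helper from the original post
        saveRaceName($link, trim($raceName));
        $link->close();
    }
}

// HTML-escape only here, at output time; the stored value stays raw.
$value = htmlspecialchars($raceName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<input type="text" name="raceName" value="<?= $value ?>" maxlength="64">
<?php if ($error !== null): ?>
<span class="help-block"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></span>
<?php endif; ?>
```

The HTML maxlength attribute is only a convenience for the browser; the server-side {1,64} check in validateRaceName is what actually enforces the limit, and because the input is still raw when checked, a 63-character name with quotes or ampersands no longer grows past the limit.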
soycharliente (Author) Posted September 13, 2016

Ok thanks. lol