i've made this work so far.. but do I have to enter every single "bad" character myself? or is there a range between them?

 

```php
<?php
// Reject the submitted text if it contains any character from the blacklist.
if (!empty($_POST['textfield'])) {
	$str = $_POST['textfield'];
	if (preg_match("/[<>!#¤%&?]/", $str)) {
		// Escape the untrusted input before echoing it back into the page.
		echo "Your text included invalid characters.<br><strong>You typed:</strong> " . htmlspecialchars($str, ENT_QUOTES);
	} else {
		echo "Your text was nice and clean.<br><strong>You typed:</strong> " . htmlspecialchars($str, ENT_QUOTES);
	}
}
?>
```

 

EDIT: all usernames on mysite will have to be a-z / A-Z / 0-9 only... no other characters

thanks man... but i just read somewhere that the $ made the preg less secure... i'll try to look it back up, and i'll post the link...

 

EDIT: http://blog.php-security.org/archives/76-Holes-in-most-preg_match-filters.html

nope, you can define what is allowed in $str with eregi instead of preg_match

 

```php
<?php
// Whitelist: letters, period, apostrophe, space and hyphen, 2 to 15 of them,
// anchored to the whole string. Note that eregi() was removed in PHP 7.0;
// the same check is preg_match('/^[[:alpha:].\' -]{2,15}$/i', ...) today.
if (eregi("^[[:alpha:].' -]{2,15}$", stripslashes(trim($_POST['textfield'])))) {
    // input is valid
}
```

 

This will allow all letters, a period, the apostrophe, and a space. This means that only those characters are allowed, that it must begin and end with one of these characters, and the string must be at least 2 characters long, but no longer than 15 characters in length. The stripslashes and trim functions are included because extraneous whitespace and slashes can invalidate the regular expression.

 

And the ^ and the $ only signify the beginning and end of the expression - The \n character cannot be passed because it is a POST field and not a GET field, not to mention we stripped the slashes so only 'n' is sent ;)

oh... nice... so let me try to break down the script into small pieces to see if i understood it right...

 

[:alpha:] <- this means all letters

.'- <- this is of course the period, apostrophe and space

{2,15} <- this is the length validation of the string

 

am i right?

Guest prozente

clown[NOR], you are correct; the more proper way to do it would be with \z

```php
<?php
$str = isset($_POST['textfield']) ? $_POST['textfield'] : '';

// \z anchors at the very end of the subject. "$" would also match just before
// a trailing newline, which is the hole described in the linked article.
if (preg_match('/^[a-zA-Z0-9]+\z/', $str)) {
      // Only letters and digits got this far, so echoing $str back is safe.
      echo 'Your text was nice and clean.<br><strong>You typed:</strong> ' . $str;
} else {
      // Untrusted input: escape it before putting it in the page.
      echo 'Your text included invalid characters.<br><strong>You typed:</strong> ' . htmlentities($str);
}
```

 

yzerman you should be careful with how you're validating, correcting input for the user should be done minimally. And I don't particularly think the stripslashes should be done unless you're sure magic quotes is on.

 

The way you have it is you're validating user input, but not re-storing the input that was validated(since you did trim and stripslashes).

 

The user input and the input that was validated can be completely different. And if you are still using the unaltered data this can cause problems.

 

Even with using the altered data this can cause problems, as the user may have wanted a slash in their user name and you stripped it and they have no notice, so when they try to login with the slash it doesn't work.
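To make the `$` versus `\z` point concrete, here is an added example (my own code, not prozente's or anyone else's in the thread) that runs the same alphanumeric whitelist with three different end anchors. The function names and the constructed inputs are mine; the `D` modifier is PCRE's `PCRE_DOLLAR_ENDONLY` option.

```php
<?php
// Added example, not from the thread: how "$", "$" with the D modifier, and
// "\z" differ at the end of a subject string. In PCRE, "$" also matches just
// before a final "\n", so a username submitted as "clown\n" gets through a
// "$"-anchored whitelist even though the newline is not in the character class.

function passesDollar(string $str): bool
{
    return preg_match('/^[a-zA-Z0-9]+$/', $str) === 1;
}

function passesDollarEndOnly(string $str): bool
{
    // The D (PCRE_DOLLAR_ENDONLY) modifier makes "$" match only at the very end.
    return preg_match('/^[a-zA-Z0-9]+$/D', $str) === 1;
}

function passesZ(string $str): bool
{
    // "\z" always means the absolute end of the subject, no modifier needed.
    return preg_match('/^[a-zA-Z0-9]+\z/', $str) === 1;
}

// Constructed inputs: a clean name, the same name with a trailing newline,
// a name with a forbidden character, and an empty string.
$inputs = ["clown", "clown\n", "cl<own", ""];

foreach ($inputs as $in) {
    printf(
        "%-10s  \$: %-4s  \$/D: %-4s  \\z: %s\n",
        json_encode($in),
        passesDollar($in) ? 'ok' : 'no',
        passesDollarEndOnly($in) ? 'ok' : 'no',
        passesZ($in) ? 'ok' : 'no'
    );
}
```

Run it from the command line with `php` and compare the rows: `"clown\n"` is accepted by `passesDollar()` but rejected by both `passesDollarEndOnly()` and `passesZ()`, while the other inputs are treated the same way by all three. Since the thread is about usernames that later end up in a database and in HTML, the trailing newline is exactly the kind of character you do not want slipping past a filter that claims to allow letters and digits only.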

 

If a user wants a slash in their username - they will be wrong anyway because the field is specifically designed to ONLY allow A-Z, a-z, .'- and a space, and this will be said right next to their username.

 

But you are right, which is why I use addslashes on the string before I submit it to the database; however, I did not add this portion of the code because it didn't help to answer the question.

Guest prozente

You should still check if magic quotes is on before even stripping slashes.

 

if a user uses "bobs\not\cool" (without quotes) you will strip slashes and the way you are doing it will validate against "bobsnotcool" which will pass your regex and cause the validation to not work properly.

Before the registration is done I go through every single field of the registration code to check for errors.. And if there are any errors found I collect them into an array and the result will be printed out over the registration form.. Cuz there are several stages of my registration..

 

1) Fill out the registration form.

2) Check for errors. If any errors were found at all, the user gets redirected back to the form, with all errors found written above the form.

3) If no errors were found, the users are redirected to the "confirmation" page, where all the info they wrote is shown. And they have 2 alternatives.. 1) Go back to the form. 2) Confirm the registration

 

so i think my registration is pretty secure now =)
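The following is an added example of my own, not code from anyone in this thread, that puts prozente's two warnings (check magic quotes before stripping slashes; validate the same string you store) together with the three-stage registration flow described above. The function names, the field list, the 15-character limit and the `bobs\not\cool` submission are my own constructions.

```php
<?php
// Added example, not the thread's own code. It puts prozente's two points and
// the three registration stages together:
//   - undo magic quotes only if they are actually on, and only once;
//   - validate the exact string that will be stored, not a separately
//     "corrected" copy of it;
//   - collect every error into an array the form prints at the top.

function normalizeInput(string $raw): string
{
    // Only strip slashes that magic_quotes_gpc itself added. The setting was
    // removed in PHP 5.4 and the function itself is gone in PHP 8, so on any
    // modern interpreter this returns the input untouched.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($raw);
    }
    return $raw;
}

// Username rule from the thread: a-z, A-Z, 0-9 only. \z anchors at the real
// end of the string, so a trailing newline cannot slip past the filter.
function usernameError(string $username): ?string
{
    if ($username === '') {
        return 'Username is required.';
    }
    if (strlen($username) > 15) {
        return 'Username must be 15 characters or fewer.';
    }
    if (!preg_match('/^[a-zA-Z0-9]+\z/', $username)) {
        return 'Username may contain only letters and digits.';
    }
    return null;
}

function emailError(string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid e-mail address.';
    }
    return null;
}

// Stage 2 of the registration: check every field once. Returns both the
// error list and the normalized values, so stage 3 (the confirmation page)
// and the final insert use exactly the data that was validated.
function validateRegistration(array $post): array
{
    $rules  = ['username' => 'usernameError', 'email' => 'emailError'];
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $check) {
        $value = normalizeInput((string) ($post[$field] ?? ''));
        $clean[$field] = $value;
        $message = $check($value);
        if ($message !== null) {
            $errors[$field] = $message;
        }
    }
    return ['errors' => $errors, 'clean' => $clean];
}

// Constructed submission standing in for $_POST. With magic quotes off the
// backslashes in the username survive normalizeInput() and the regex rejects
// the name; nothing is silently "fixed" behind the user's back.
$submission = ['username' => 'bobs\\not\\cool', 'email' => 'bob@example.com'];
$result = validateRegistration($submission);

if ($result['errors'] !== []) {
    // Back to stage 1: print the errors above the form, HTML-escaped.
    echo "<ul class=\"errors\">\n";
    foreach ($result['errors'] as $field => $message) {
        echo '<li>' . htmlspecialchars("$field: $message", ENT_QUOTES) . "</li>\n";
    }
    echo "</ul>\n";
} else {
    // Stage 3: show the normalized values on the confirmation page.
    foreach ($result['clean'] as $field => $value) {
        echo htmlspecialchars("$field: $value", ENT_QUOTES) . "<br>\n";
    }
}
```

The important design choice is that `validateRegistration()` hands back the normalized values together with the errors. Whatever later goes to the confirmation page and into the database is taken from `$result['clean']`, so the string that passed `usernameError()` is the string that gets saved, and a user who typed a backslash sees a message instead of a silently altered name. Escaping with `htmlspecialchars()` happens only at output time; the stored value is never "pre-escaped".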
