How would I do this in a form...

[phpnoobie9]

If a user enters in certain characters like: *$% I want to do an if with an error statement. IE:

if (user enters these characters *$%){
don't insert data into database and give error message
}
else {
if none of the above characters are in the form. insert data.
}

[cooldude832]

where is the end string going after the user inputs? mysql, flat file, odbc???

[phpnoobie9]

the data is going to mysql

[cooldude832]

look into the mysql_real_escape string on php.net

[phpnoobie9]

look into the mysql_real_escape string on php.net

 

I'm not trying to escape it. I want the form to not submit if those characters are detected.

[cooldude832]

well then use regex

[phpnoobie9]

Thanks. I thought I had to use that.

[roopurt18]

Rather than trying to think of all the characters that are invalid (i.e. a blacklist), it is usually easier to check for only the characters that are valid (i.e. a whitelist).

[phpnoobie9]

Allowed: A-Za-z0-9.!?,"

 

For some reason when I do this:

<javascript>

 

It allows the < and >... but if I just enter one < or > it doesn't allow it.

 

if (!empty($title) && !empty($description)) {
	if (ereg('[A-Za-z0-9.!?,"]',$description)) {
		if (@mysql_query (htmlspecialchars($query))) {
		echo 'Yayayaya';
		}
		else {
		echo 'An error has occured please try again.';
		}
	}
	else {
	echo 'Some of the characters are not allowed.';
	}
}
else {
echo 'You have empty fields.';
}

[phpnoobie9]

my fault accidently pressed quote instead of modify.

[roopurt18]

[A-Za-z0-9.!?,"]

^ That only matches a single character.  Append a + to match one or more characters.

 

[A-Za-z0-9.!?,"]+

^ Matches one or more.  Prefix a caret and append a dollar sign to specify the beginning and end of the string.

 

^[A-Za-z0-9.!?,"]+$

^ Should be closer to what you want.

 

I normally use preg_match() and I'm not sure if it behaves any differently than ereg.  With preg_match() it'd be closer to:

$regexp = '/^[A-Za-z0-9.!?,"]+$/';
if(!preg_match($regexp, $stringToTest)){
  echo 'error';
}

[phpnoobie9]

Thanks alot for the help.

Just curious.. why do you have a / after '?

 

$regexp = '/^[A-Za-z0-9.!?,"]+$/';

[roopurt18]

AFAIK you have to begin and end the regexp with matching chars, in this case I use forward slashes.  I believe the characters you use are arbitrary, for example I think this is just as valid (though I've never tried it):

$regexp = '@^[A-Za-z0-9.!?,"]+$@';

 

I believe whichever char you use needs to be escaped within the regexp though.

 

For example, if I want to match two forward slashes, I can do this:

/\/\//

or I can do this:

@//@

Notice how in the second example I didn't have to escape the forward slashes with a backslash.

 

I'm going from memory here so I could be mistaken.  Someone else might be able to give a better or more concrete answer.