Solved

Preg_match whole form

Posted on 2006-07-18
3
383 Views
Last Modified: 2013-12-13
I wrote the scirpt below to validate just the password
Just to be sure users don't use these characters  ? < > " ; { } [ ]  ( )^ & 

but I would like to do it to the whole <form> instead of individual textbox/ field

I like to allow user the put any character but seem like too hard to do it if any body had any idea how to  allow user to enter any character without mess up the server, please show me how.
Seem like the htmlentities might do it but it's converting to a different character, I don't understand much about htmlentities yet.  

Please make it simple a little bit.

Thanks in advance!


<?php
//Prevent hacking
//don't want to user the crack around
// preg_match example can be found at http://us3.php.net/preg_match
//If user enter the double qoute and the question mark or combination of those then script will mess up


if (preg_match("/^[ ? < >\"\;\{\}\[\]\(\)^& ]$/",$_POST['password'])) {

?>
You can't use these special character ? < > " ; { } [ ]  ( )^ &

<?
}
else { echo "not special character found";}

?>
0
Comment
Question by:thebigbraindm
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 40

Accepted Solution

by:
Richard Quadling earned 200 total points
ID: 17136565
Why not turn this around completely. Only allow them to include specific characters.

if (preg_match('/^(?=.*[a-z].*)(?=.*[A-Z].*)(?=.*[0-9].*)[a-zA-Z0-9]{8,12}$/', $_POST['password']) === 1)
 {
 // Password contains only upper A-Z, lower a-z and digits 0-9.
 // Password was between 8 and 12 characters long.
 // Password contains at least 1 upper, 1 lower and 1 digit.
 }
else
 {
 // Password failed rules.
 }


Now, it makes NO difference what is entered, the rules are the rules.

The problem with programming exceptions is that you cannot realistically know all the exceptions.

But by coding to only accept KNOWN values your code is a LOT more secure.


You cannot apply the same logic to all form fields as the values are normally of different type.

I wouldn't want to validate a number which had to be a year from 2000 to 2099 with the same regular expression.


You might want to get the php|Architect article about Poka-Yoke. This article discusses replacing the super global variables with objects.

So, instead of ...

if (isset($_POST['password']) && preg_match(...))
 { ... }

You would ...

if (False === ($s_password = $_POST->getAsPassword('password')))
 {
 // Password failed.
 }

The Poka-Yoke class replaces $_GET, $_POST, $_COOKIE, $_ENV with objects that inhibit you from accessing the elements directly. You HAVE to use a method which incorporates the validation.

So, a form validator now requires an array of form fields and an array of apporpriate validation methods.

If the whole lot passes, you win, if any one fails, reject the lot and represent the form with the appropriate error messages.

This class is COMPLETELY reusable for ALL forms that you use. You entire form validation process is very secure and you only had to write it once!


php|Architect http://phparch.com/issue.php?mid=74 and discussion http://www.phparch.com/discuss/index.php/f/284/f9c32ef1420c48362b202a172976eff2/


0
 

Author Comment

by:thebigbraindm
ID: 17141176
I though the might be something like
if (preg_match <form>

well I guess php is not capable with checking the whole form then.

Thank you

0
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 17144843
Form doesn't exist.

When you fill in a form, the individual fields are sent to PHP and become elements of an array in $_POST or $_GET. Each one is effectively a separate variable.
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this. Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it i…
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to dynamically set the form action using jQuery.

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question