Solved

Preg_match whole form

Posted on 2006-07-18
Last Modified: 2013-12-13
I wrote the script below to validate just the password.
Just to be sure users don't use these characters: ? < > " ; { } [ ]  ( )^ &

but I would like to do it for the whole <form> instead of individual textboxes/fields.

I would like to allow the user to put in any character, but it seems too hard to do. If anybody has any idea how to allow the user to enter any character without messing up the server, please show me how.
It seems like htmlentities might do it, but it's converting to different characters; I don't understand much about htmlentities yet.

Please make it a little bit simple.

Thanks in advance!


<?php
// Prevent hacking
// Don't want the user to crack around
// preg_match example can be found at http://us3.php.net/preg_match
// If the user enters the double quote and the question mark, or a combination of those, then the script will mess up

// Read the field safely; an unset field is treated as empty rather than raising a notice.
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Match if any one of the listed characters occurs anywhere in the password.
// The class is not anchored with ^...$, so a password of any length is checked;
// anchoring a single character class would only ever match a one-character password.
if (preg_match('/[?<>";{}\[\]()^&]/', $password)) {

?>
You can't use these special characters ? < > " ; { } [ ]  ( )^ &

<?php
}
else { echo "No special character found"; }

?>
Question by:thebigbraindm

Accepted Solution

by:
Richard Quadling earned 200 total points
ID: 17136565
Why not turn this around completely. Only allow them to include specific characters.

if (preg_match('/^(?=.*[a-z].*)(?=.*[A-Z].*)(?=.*[0-9].*)[a-zA-Z0-9]{8,12}$/', $_POST['password']) === 1)
 {
 // Password contains only upper A-Z, lower a-z and digits 0-9.
 // Password was between 8 and 12 characters long.
 // Password contains at least 1 upper, 1 lower and 1 digit.
 }
else
 {
 // Password failed rules.
 }


Now, it makes NO difference what is entered, the rules are the rules.

The problem with programming exceptions is that you cannot realistically know all the exceptions.

But by coding to only accept KNOWN values your code is a LOT more secure.


You cannot apply the same logic to all form fields as the values are normally of different type.

I wouldn't want to validate a number which had to be a year from 2000 to 2099 with the same regular expression.


You might want to get the php|Architect article about Poka-Yoke. This article discusses replacing the super global variables with objects.

So, instead of ...

if (isset($_POST['password']) && preg_match(...))
 { ... }

You would ...

if (False === ($s_password = $_POST->getAsPassword('password')))
 {
 // Password failed.
 }

The Poka-Yoke class replaces $_GET, $_POST, $_COOKIE, $_ENV with objects that inhibit you from accessing the elements directly. You HAVE to use a method which incorporates the validation.

So, a form validator now requires an array of form fields and an array of appropriate validation methods.

If the whole lot passes, you win; if any one fails, reject the lot and re-present the form with the appropriate error messages.

This class is COMPLETELY reusable for ALL forms that you use. Your entire form validation process is very secure and you only had to write it once!


php|Architect http://phparch.com/issue.php?mid=74 and discussion http://www.phparch.com/discuss/index.php/f/284/f9c32ef1420c48362b202a172976eff2/



Author Comment

by:thebigbraindm
ID: 17141176
I thought there might be something like
if (preg_match <form>

Well, I guess PHP is not capable of checking the whole form then.

Thank you


Expert Comment

by:Richard Quadling
ID: 17144843
Form doesn't exist.

When you fill in a form, the individual fields are sent to PHP and become elements of an array in $_POST or $_GET. Each one is effectively a separate variable.
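The accepted answer describes the validator it recommends (an array of fields mapped to an array of allow-list rules, reject the whole submission if any one rule fails) and the last comment explains why it has to work this way: there is no "form" on the server side, only the individual elements of $_POST. The following is an added example of that approach, not code from the thread or from the php|Architect article. The field names, the rules and the two sample submissions are assumptions made up for illustration; the password rule is the one from the accepted answer. Anonymous functions need PHP 5.3 or later.

```php
<?php
// Added example: allow-list validation of every field in a submitted form.
// Each field gets its own rule; if any rule fails, the whole submission is
// rejected and the per-field errors are returned so the form can be re-presented.

// One rule per field. Each rule is a callable that returns true when the value
// matches exactly what the field is allowed to contain, nothing else.
$rules = array(
    'username' => function ($v) {
        // 3 to 20 characters: letters, digits and underscore only (assumed rule)
        return preg_match('/^[A-Za-z0-9_]{3,20}$/', $v) === 1;
    },
    'password' => function ($v) {
        // 8 to 12 characters, A-Z a-z 0-9 only, at least one of each class
        // (the rule given in the accepted answer)
        return preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[a-zA-Z0-9]{8,12}$/', $v) === 1;
    },
    'year' => function ($v) {
        // A year from 2000 to 2099, the different-field-type case the answer mentions
        return preg_match('/^20[0-9]{2}$/', $v) === 1;
    },
);

// Validate a whole submission (an array such as $_POST) against $rules.
// Returns an array of error messages keyed by field name; an empty array
// means every field passed. Fields not listed in $rules are ignored, so an
// attacker cannot smuggle in an extra field that nothing validates.
function validateForm(array $input, array $rules)
{
    $errors = array();
    foreach ($rules as $field => $rule) {
        // A missing field, or a non-string value such as name[]=x, is a failure.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        if (!$rule($input[$field])) {
            $errors[$field] = 'invalid';
        }
    }
    return $errors;
}

// Constructed sample submissions standing in for $_POST.
$good = array('username' => 'alice_01',      'password' => 'Secret123', 'year' => '2006');
$bad  = array('username' => 'alice<script>', 'password' => 'short',     'year' => '1999');

foreach (array('good' => $good, 'bad' => $bad) as $label => $post) {
    $errors = validateForm($post, $rules);
    if (count($errors) === 0) {
        echo "$label: accepted\n";
        continue;
    }
    echo "$label: rejected\n";
    foreach ($errors as $field => $msg) {
        // Escape anything echoed back into HTML; this is the output-side job
        // that htmlentities/htmlspecialchars do, separate from input validation.
        echo '  ' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . ": $msg\n";
    }
}
```

Run it from the command line with `php validate.php`: the first submission is accepted, the second is rejected with all three fields flagged, and nothing is echoed back to the user without passing through htmlspecialchars. Note that the validator only ever answers "does this value match the rule", which is why the same function works for every form: the per-field knowledge lives in $rules, not in the loop.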