Solved

Preg_match whole form

Posted on 2006-07-18
378 Views
Last Modified: 2013-12-13
I wrote the script below to validate just the password,
just to be sure users don't use these characters: ? < > " ; { } [ ] ( ) ^ &

but I would like to do it for the whole <form> instead of individual textboxes/fields.

I would like to allow users to put in any character, but it seems too hard to do. If anybody has any idea how to allow users to enter any character without messing up the server, please show me how.
It seems like htmlentities might do it, but it converts to different characters; I don't understand much about htmlentities yet.

Please make it a little bit simple.

Thanks in advance!


<?php
// Prevent hacking
// Don't want the user to crack around
// preg_match example can be found at http://us3.php.net/preg_match
// If the user enters a double quote and a question mark, or a combination of those, then the script will mess up

// The original pattern /^[ ... ]$/ was anchored at both ends, so it only matched a
// password that was exactly one forbidden character long. The character class is
// now unanchored, so a forbidden character anywhere in the password is detected.
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (preg_match('/[?<>";{}\[\]()^&]/', $password)) {
?>
You can't use these special characters ? < > " ; { } [ ]  ( )^ &
<?php
} else {
    echo "No special character found";
}
?>
Question by:thebigbraindm
3 Comments
LVL 40

Accepted Solution

by:
Richard Quadling earned 200 total points
ID: 17136565
Why not turn this around completely. Only allow them to include specific characters.

if (preg_match('/^(?=.*[a-z].*)(?=.*[A-Z].*)(?=.*[0-9].*)[a-zA-Z0-9]{8,12}$/', $_POST['password']) === 1)
 {
 // Password contains only upper A-Z, lower a-z and digits 0-9.
 // Password was between 8 and 12 characters long.
 // Password contains at least 1 upper, 1 lower and 1 digit.
 }
else
 {
 // Password failed rules.
 }


Now, it makes NO difference what is entered, the rules are the rules.

The problem with programming exceptions is that you cannot realistically know all the exceptions.

But by coding to only accept KNOWN values your code is a LOT more secure.


You cannot apply the same logic to all form fields as the values are normally of different type.

I wouldn't want to validate a number which had to be a year from 2000 to 2099 with the same regular expression.


You might want to get the php|Architect article about Poka-Yoke. This article discusses replacing the super global variables with objects.

So, instead of ...

if (isset($_POST['password']) && preg_match(...))
 { ... }

You would ...

if (False === ($s_password = $_POST->getAsPassword('password')))
 {
 // Password failed.
 }

The Poka-Yoke class replaces $_GET, $_POST, $_COOKIE, $_ENV with objects that inhibit you from accessing the elements directly. You HAVE to use a method which incorporates the validation.

So, a form validator now requires an array of form fields and an array of appropriate validation methods.

If the whole lot passes, you win; if any one fails, reject the lot and re-present the form with the appropriate error messages.

This class is COMPLETELY reusable for ALL forms that you use. Your entire form validation process is very secure and you only had to write it once!


php|Architect http://phparch.com/issue.php?mid=74 and discussion http://www.phparch.com/discuss/index.php/f/284/f9c32ef1420c48362b202a172976eff2/



Author Comment

by:thebigbraindm
ID: 17141176
I thought there might be something like
if (preg_match <form>

Well, I guess PHP is not capable of checking the whole form then.

Thank you

LVL 40

Expert Comment

by:Richard Quadling
ID: 17144843
Form doesn't exist.

When you fill in a form, the individual fields are sent to PHP and become elements of an array in $_POST or $_GET. Each one is effectively a separate variable.
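The two comments above from Richard Quadling describe the approach in prose: each field in $_POST is a separate variable, every field gets its own allowlist rule, and the whole submission is rejected if any one field fails. The block below is an added example written for this thread, not code from either participant and not the php|Architect Poka-Yoke class. It also covers the asker's htmlentities question: free-text fields accept any character, and characters like < > " & are neutralised by escaping on output with htmlspecialchars when the form is re-presented. The field names, rules, sample submission and validateForm/renderField function names are all constructed for illustration, and the closures assume PHP 5.3 or later.

```php
<?php
// Added example (not from the original thread): a reusable whole-form
// validator in the spirit of the accepted answer. Every field has an
// allowlist rule; if any field fails, the whole submission is rejected
// and the form is re-presented with error messages.
// Field names, rules and the sample input are constructed for illustration.

// Each rule returns the cleaned value on success, or false on failure.
$rules = array(
    // Same rule as the accepted answer: 8-12 chars, only [A-Za-z0-9],
    // at least one lower, one upper and one digit.
    'password' => function ($v) {
        return preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[a-zA-Z0-9]{8,12}$/', $v) === 1 ? $v : false;
    },
    // A year that must be 2000..2099, the answer's counter-example of a
    // field that needs a different rule from the password.
    'year' => function ($v) {
        return preg_match('/^20[0-9]{2}$/', $v) === 1 ? (int) $v : false;
    },
    // Free text: any character is allowed, only a length cap is enforced.
    // Characters like < > " & are made harmless by escaping on output
    // (see renderField), not by forbidding them on input.
    'comment' => function ($v) {
        return strlen($v) <= 500 ? $v : false;
    },
);

function validateForm(array $input, array $rules)
{
    $clean  = array();
    $errors = array();
    foreach ($rules as $field => $rule) {
        // A missing or non-string field is a failure: only known, present values pass.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $rule($input[$field]);
        if ($value === false) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $value;
        }
    }
    // Reject the lot if any single field failed; only $clean should be used afterwards.
    return array('ok' => count($errors) === 0, 'clean' => $clean, 'errors' => $errors);
}

// Re-present one field: the submitted value is echoed back escaped, so a value
// containing quotes or angle brackets cannot break out of the attribute or
// inject markup. $name comes from the $rules keys, not from user input.
function renderField($name, array $input, array $errors)
{
    $value = isset($input[$name]) ? $input[$name] : '';
    $html  = '<input type="text" name="' . $name . '" value="'
           . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
    if (isset($errors[$name])) {
        $html .= ' <span class="error">' . $errors[$name] . '</span>';
    }
    return $html;
}

// Constructed sample submission standing in for $_POST.
$submitted = array(
    'password' => 'Secret123',
    'year'     => '2006',
    'comment'  => 'He said "hi" <b>there</b> & left',
);

$result = validateForm($submitted, $rules);
var_dump($result['ok']);
foreach (array_keys($rules) as $field) {
    echo renderField($field, $submitted, $result['errors']), "\n";
}
```

To use it with a real request, pass $_POST as the first argument of validateForm and only ever read values from the returned 'clean' array; the 'errors' array drives the error messages when the form is shown again. Adding a new form means writing a new $rules array, the validator and renderer stay the same.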