Solved

Preg_match whole form

Posted on 2006-07-18
Last Modified: 2013-12-13
I wrote the script below to validate just the password,
just to be sure users don't use these characters: ? < > " ; { } [ ] ( ) ^ &

but I would like to do it for the whole <form> instead of an individual textbox/field.

I'd like to allow the user to put in any character, but it seems too hard to do. If anybody has any idea how to allow the user to enter any character without messing up the server, please show me how.
It seems like htmlentities might do it, but it's converting to a different character; I don't understand much about htmlentities yet.

Please make it a little bit simple.

Thanks in advance!


<?php
// Prevent hacking
// don't want the user to crack around
// preg_match example can be found at http://us3.php.net/preg_match
// If the user enters the double quote and the question mark or a combination of those then the script will mess up

// The original pattern was anchored (^...$) around a single character class, so it
// only matched a password made of exactly one special character. The anchors are
// dropped so any occurrence of a listed character is caught; inside a character
// class only ] \ ^ - need escaping.
if (isset($_POST['password']) && preg_match('/[?<>";{}\[\]()^&]/', $_POST['password'])) {

?>
You can't use these special characters ? < > " ; { } [ ] ( ) ^ &

<?php
}
else { echo "no special character found"; }

?>
Question by:thebigbraindm
LVL 40

Accepted Solution

by:
Richard Quadling earned 600 total points
ID: 17136565
Why not turn this around completely? Only allow them to include specific characters.

if (preg_match('/^(?=.*[a-z].*)(?=.*[A-Z].*)(?=.*[0-9].*)[a-zA-Z0-9]{8,12}$/', $_POST['password']) === 1)
 {
 // Password contains only upper A-Z, lower a-z and digits 0-9.
 // Password was between 8 and 12 characters long.
 // Password contains at least 1 upper, 1 lower and 1 digit.
 }
else
 {
 // Password failed rules.
 }


Now, it makes NO difference what is entered, the rules are the rules.

The problem with programming exceptions is that you cannot realistically know all the exceptions.

But by coding to only accept KNOWN values your code is a LOT more secure.


You cannot apply the same logic to all form fields as the values are normally of different type.

I wouldn't want to validate a number which had to be a year from 2000 to 2099 with the same regular expression.


You might want to get the php|Architect article about Poka-Yoke. This article discusses replacing the super global variables with objects.

So, instead of ...

if (isset($_POST['password']) && preg_match(...))
 { ... }

You would ...

if (False === ($s_password = $_POST->getAsPassword('password')))
 {
 // Password failed.
 }

The Poka-Yoke class replaces $_GET, $_POST, $_COOKIE, $_ENV with objects that inhibit you from accessing the elements directly. You HAVE to use a method which incorporates the validation.

So, a form validator now requires an array of form fields and an array of appropriate validation methods.

If the whole lot passes, you win; if any one fails, reject the lot and re-present the form with the appropriate error messages.

This class is COMPLETELY reusable for ALL forms that you use. Your entire form validation process is very secure and you only had to write it once!


php|Architect http://phparch.com/issue.php?mid=74 and discussion http://www.phparch.com/discuss/index.php/f/284/f9c32ef1420c48362b202a172976eff2/


Author Comment

by:thebigbraindm
ID: 17141176
I thought there might be something like
if (preg_match <form>

well I guess PHP is not capable of checking the whole form then.

Thank you

LVL 40

Expert Comment

by:Richard Quadling
ID: 17144843
Form doesn't exist.

When you fill in a form, the individual fields are sent to PHP and become elements of an array in $_POST or $_GET. Each one is effectively a separate variable.
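An added example, not code from either poster: it puts together the accepted answer's whitelist validator (one anchored pattern per field, reject the whole submission if any field fails) with the point in the last comment that $_POST is just an array of separate values, so "validating the form" means validating each element. The class name, field names and rules are made up for illustration.

```php
<?php
// Added example, not code from the thread: a whitelist form validator in
// the style the accepted answer describes. Every field gets its own
// anchored pattern; the submission is accepted only if all fields pass.
// Field names and rules below are made up for illustration.
final class FormValidator
{
    /** @var array<string,string> field name => anchored whitelist regex */
    private $rules;

    public function __construct(array $rules)
    {
        $this->rules = $rules;
    }

    /**
     * Returns [] when every field passes, otherwise field => message.
     * A missing field, a non-string value (e.g. field[]=x sent as an
     * array) or a pattern mismatch each count as a failure.
     */
    public function validate(array $input): array
    {
        $errors = [];
        foreach ($this->rules as $field => $pattern) {
            $value = $input[$field] ?? null;
            if (!is_string($value) || preg_match($pattern, $value) !== 1) {
                $errors[$field] = "Invalid value for {$field}.";
            }
        }
        return $errors;
    }
}

// One rule per field: a year and a password need different patterns.
// Anchors plus explicit character classes reject anything not listed.
$validator = new FormValidator([
    'username' => '/^[a-zA-Z0-9_]{3,20}$/',
    'password' => '/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[a-zA-Z0-9]{8,12}$/',
    'year'     => '/^20[0-9]{2}$/',   // 2000 to 2099
]);

$errors = $validator->validate($_POST);
if ($errors !== []) {
    // Re-present the form; escape whatever is echoed back.
    foreach ($errors as $field => $msg) {
        echo '<p>' . htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8') . '</p>';
    }
} else {
    echo 'All fields passed.';
}
```

Because every pattern is anchored and lists only the allowed characters, there is no blacklist of "bad" characters to keep up to date; a value either matches the known-good shape or the whole submission is rejected.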