Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 391
  • Last Modified:

Preg_match whole form

I wrote the scirpt below to validate just the password
Just to be sure users don't use these characters  ? < > " ; { } [ ]  ( )^ & 

but I would like to do it to the whole <form> instead of individual textbox/ field

I like to allow user the put any character but seem like too hard to do it if any body had any idea how to  allow user to enter any character without mess up the server, please show me how.
Seem like the htmlentities might do it but it's converting to a different character, I don't understand much about htmlentities yet.  

Please make it simple a little bit.

Thanks in advance!


<?php
//Prevent hacking
//don't want to user the crack around
// preg_match example can be found at http://us3.php.net/preg_match
//If user enter the double qoute and the question mark or combination of those then script will mess up


if (preg_match("/^[ ? < >\"\;\{\}\[\]\(\)^& ]$/",$_POST['password'])) {

?>
You can't use these special character ? < > " ; { } [ ]  ( )^ &

<?
}
else { echo "not special character found";}

?>
0
thebigbraindm
Asked:
thebigbraindm
  • 2
1 Solution
 
Richard QuadlingSenior Software DeverloperCommented:
Why not turn this around completely. Only allow them to include specific characters.

if (preg_match('/^(?=.*[a-z].*)(?=.*[A-Z].*)(?=.*[0-9].*)[a-zA-Z0-9]{8,12}$/', $_POST['password']) === 1)
 {
 // Password contains only upper A-Z, lower a-z and digits 0-9.
 // Password was between 8 and 12 characters long.
 // Password contains at least 1 upper, 1 lower and 1 digit.
 }
else
 {
 // Password failed rules.
 }


Now, it makes NO difference what is entered, the rules are the rules.

The problem with programming exceptions is that you cannot realistically know all the exceptions.

But by coding to only accept KNOWN values your code is a LOT more secure.


You cannot apply the same logic to all form fields as the values are normally of different type.

I wouldn't want to validate a number which had to be a year from 2000 to 2099 with the same regular expression.


You might want to get the php|Architect article about Poka-Yoke. This article discusses replacing the super global variables with objects.

So, instead of ...

if (isset($_POST['password']) && preg_match(...))
 { ... }

You would ...

if (False === ($s_password = $_POST->getAsPassword('password')))
 {
 // Password failed.
 }

The Poka-Yoke class replaces $_GET, $_POST, $_COOKIE, $_ENV with objects that inhibit you from accessing the elements directly. You HAVE to use a method which incorporates the validation.

So, a form validator now requires an array of form fields and an array of apporpriate validation methods.

If the whole lot passes, you win, if any one fails, reject the lot and represent the form with the appropriate error messages.

This class is COMPLETELY reusable for ALL forms that you use. You entire form validation process is very secure and you only had to write it once!


php|Architect http://phparch.com/issue.php?mid=74 and discussion http://www.phparch.com/discuss/index.php/f/284/f9c32ef1420c48362b202a172976eff2/


0
 
thebigbraindmAuthor Commented:
I though the might be something like
if (preg_match <form>

well I guess php is not capable with checking the whole form then.

Thank you

0
 
Richard QuadlingSenior Software DeverloperCommented:
Form doesn't exist.

When you fill in a form, the individual fields are sent to PHP and become elements of an array in $_POST or $_GET. Each one is effectively a separate variable.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now