Solved

Form validation using RE

Posted on 2006-11-09
12
260 Views
Last Modified: 2008-03-06
hello,
      I want to validate a PHP form using regular expressions. I want to restrict users from entering any HTML tags and prevent SQL injection. If you think more security can be implemented using REs, then please write that as well.

Thanks
0
Comment
Question by:frontpor
12 Comments
 
LVL 14

Expert Comment

by:Aamir Saeed
ID: 17909039
If you wish to detect each and every possible SQL injection attack, then you simply need to watch out for any occurrence of SQL meta-characters such as the single quote, semicolon or double dash. Similarly, a paranoid way of checking for CSS attacks would be to simply watch out for the angle brackets that signify an HTML tag. But these signatures may result in a high number of false positives. To avoid this, the signatures can be modified to be made accurate, yet still not yield too many false positives.

strip_tags() removes any PHP or HTML tags from a string. This prevents the HTML display problems, the JavaScript execution (the <script> tag will no longer be present) and a variety of problems where there is a chance that PHP code could be executed.

mysql_escape_string() // for SQL injection, up to some extent.
0
 
LVL 16

Expert Comment

by:HackneyCab
ID: 17910944
Like i_m_aamir says, but use mysql_real_escape_string() instead now, because it replaces the now-deprecated mysql_escape_string().

The PHP user manual recommends that you create SQL query strings using sprintf() and mysql_real_escape_string(), for instance:

$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
           mysql_real_escape_string($user),
           mysql_real_escape_string($password));

That's a very tidy way of escaping PHP variables for use in SQL queries.
0
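The same query with the hand-built escaping replaced by a PDO prepared statement, as an added example that is not part of the thread (the mysql_* extension the posts rely on was removed in PHP 7; the DSN, credentials and table layout are assumptions):

```php
<?php
// Added example, not from the thread: HackneyCab's sprintf()/escape query
// rewritten with a PDO prepared statement. Assumed: MySQL database "app"
// with a table users(user, password); DSN and credentials are placeholders.

function find_user(PDO $db, string $user, string $password): ?array
{
    // Named placeholders replace the quoted '%s'. The values travel to the
    // server separately from the SQL text, so a single quote, semicolon or
    // double dash inside $user can never change the statement's structure.
    // (Mirrors the thread's query; in practice store a password_hash().)
    $sql  = 'SELECT * FROM users WHERE user = :user AND password = :password';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->bindValue(':password', $password, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

$row = find_user($db, $_POST['user'] ?? '', $_POST['password'] ?? '');
// Escape on output as well: escaping for SQL does nothing for HTML.
echo $row === null ? 'Login failed' : 'Welcome, ' . htmlspecialchars($row['user']);
```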
 

Author Comment

by:frontpor
ID: 17912260
I need a regular expression to check this and display an error.
0
 
LVL 16

Expert Comment

by:HackneyCab
ID: 17913970
To check what? A regular expression can only be crafted to suit a particular need. There's no such thing as a one-size-fits-all regex.

What data is it you're trying to validate?
0
 
LVL 9

Expert Comment

by:lucki_luke
ID: 17915863
Hey,

these regexes
preg_match_all("/(<([\w]+)[^>\/]*>)(.*)(<\/\\2>)/U", $html, $matches, PREG_SET_ORDER);
preg_match_all("/(<([\w]+)[^>]*\/>)/U", $html2, $matches2, PREG_SET_ORDER);
match all (HTML) tags (ungreedy).
As for preventing SQL injections, I'd just use mysql_real_escape_string(); as mentioned above, because using REs for such a general issue is hardly possible.

Lukas
0
 
LVL 16

Expert Comment

by:HackneyCab
ID: 17919019
The best way to remove HTML from user input is to use PHP's strip_tags() function.

http://www.php.net/manual/en/function.strip-tags.php

(Sorry, I didn't see your statement that you wanted to strip out HTML from user input. I'm not good at spotting things that aren't bullet points.)
0
 

Author Comment

by:frontpor
ID: 17924741
hello,
      Thanks for the reply. I am using this RE in a contact form. Mostly, spammers enter URLs like http://url.com, http://www.url.com/ or url.com, so all I want is to prevent them from entering links. Is there any way to do this?
0
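One way to do both checks this thread asks for (no HTML tags, no links) and hand the errors back to the form for display, as an added example that is not part of the thread; the field names and the list of top-level domains it recognises are assumptions:

```php
<?php
// Added example, not from the thread: server-side checks for a contact form
// that reject HTML tags and links and return messages the form can display.
// Field names (name, email, message) and the TLD list are assumptions.
// Links as spammers write them: http://url.com, http://www.url.com/, url.com
const LINK_RE = '~(?:https?://|www\.)\S+'
    . '|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz|ru|cn|de|uk)\b~i';

function contains_html(string $value): bool
{
    // strip_tags() removes anything tag-like; if the text changed, a tag was there.
    return $value !== strip_tags($value);
}

function contains_link(string $value): bool
{
    return preg_match(LINK_RE, $value) === 1;
}

// Returns a list of error messages; an empty list means the input is acceptable.
function validate_contact_form(array $post): array
{
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');

    if ($name === '' || $message === '') {
        $errors[] = 'Name and message are required.';
    }
    // The e-mail field is checked with the validator, not the link regex,
    // because every address legitimately contains a domain name.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address.';
    }
    foreach (['name' => $name, 'message' => $message] as $field => $value) {
        if (contains_html($value)) {
            $errors[] = "HTML tags are not allowed in the $field field.";
        }
        if (contains_link($value)) {
            $errors[] = "Links are not allowed in the $field field.";
        }
    }
    return $errors;
}

foreach (validate_contact_form($_POST) as $e) {
    // Escape on output so the echoed error itself cannot carry markup.
    echo '<p class="error">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
}
```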
 
LVL 16

Expert Comment

by:HackneyCab
ID: 17925088
Well, if it's automated attacks you're trying to avoid, do some searching for a mechanism called a CAPTCHA system.

The CAPTCHA system forces the visitor to perform a task that computers find difficult, such as read numbers from a colourful graphic. Many big websites use a CAPTCHA system to avoid robots submitting rubbish to their feedback forms.
0
 

Author Comment

by:frontpor
ID: 17925164
I already have a CAPTCHA, but still get spam. I need an RE for that.
0
 

Author Comment

by:frontpor
ID: 17925400
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 18212393
PAQed with points refunded (500)

Computer101
EE Admin
0
