frontpor
asked on
Form validation using RE
hello,
I want to validate a PHP form using regular expressions. I want to restrict users from entering any HTML tags and prevent SQL injection. If you think more security can be implemented using REs, then please write that as well.
Thanks
Like i_m_aamir says, but use mysql_real_escape_string() instead now, because it replaces the now-deprecated mysql_escape_string().
The PHP user manual recommends that you create SQL query strings using sprintf() and mysql_real_escape_string(), for instance:
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
That's a very tidy way of escaping PHP variables for use in SQL queries.
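An added example, not part of the original thread, that puts the answer above into code that runs on current PHP. The mysql_* extension the thread uses was removed in PHP 7, so this uses mysqli, whose real_escape_string() is the direct equivalent; host, credentials and the users table are placeholders. It builds the same sprintf()-escaped query, shows the parameterised form beside it, and sets the connection charset that the escaping depends on.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL/MariaDB
// server with a table users(id, user, password); host, credentials and
// table name are placeholders. mysqli replaces the removed mysql_* extension.

function connect(): mysqli
{
    $db = new mysqli('127.0.0.1', 'app', 'secret', 'appdb');
    if ($db->connect_error) {
        throw new RuntimeException('connect failed: ' . $db->connect_error);
    }
    // real_escape_string() escapes according to the connection charset, so
    // set it explicitly: a mismatch (server in GBK, application assuming a
    // single-byte charset) lets a multibyte sequence swallow the escaping
    // backslash and the quote goes through unescaped.
    $db->set_charset('utf8mb4');
    return $db;
}

// 1. The thread's approach: escape each value, then splice it into a
//    quoted string literal with sprintf().
function count_escaped(mysqli $db, string $user, string $password): int
{
    $query = sprintf("SELECT id FROM users WHERE user='%s' AND password='%s'",
        $db->real_escape_string($user),
        $db->real_escape_string($password));
    // Escaping only protects quoted literals. A value spliced into an
    // unquoted position (ORDER BY, LIMIT, a bare number) must be cast,
    // e.g. (int)$n, or checked against a fixed list instead.
    return $db->query($query)->num_rows;
}

// 2. Parameterised query: the values travel separately from the SQL text,
//    so no quoting or escaping of the input is involved at all.
function count_prepared(mysqli $db, string $user, string $password): int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE user = ? AND password = ?');
    $stmt->bind_param('ss', $user, $password);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows;
}

// Constructed attacker input: the classic quote-based tautology.
$db       = connect();
$user     = "admin' OR '1'='1";
$password = 'anything';
printf("escaped: %d row(s), prepared: %d row(s)\n",
    count_escaped($db, $user, $password),
    count_prepared($db, $user, $password));
```

With that input both queries look for a user literally named `admin' OR '1'='1` and find nothing, which is the point: the quote never closes the literal. The prepared form is the one to reach for in new code, since it needs no per-value escaping and is not tied to the connection charset.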
ASKER
I need a regular expression to check this and display an error.
To check what? A regular expression can only be crafted to suit a particular need. There's no such thing as a one-size-fits-all regex.
What data is it you're trying to validate?
Hey,
these regexes
preg_match_all("/(<([\w]+)[^>\/]*>)(.*)(<\/\\2>)/U", $html, $matches, PREG_SET_ORDER);
preg_match_all("/(<([\w]+)[^>]*\/>)/U", $html2, $matches2, PREG_SET_ORDER);
match all (HTML) tags (ungreedy).
As for preventing SQL injections, I'd just use mysql_real_escape_string() as mentioned above, because using REs for such a general issue is hardly possible.
Lukas
The best way to remove HTML from user input is to use PHP's strip_tags() function.
http://www.php.net/manual/en/function.strip-tags.php
(Sorry, I didn't see your statement that you wanted to strip out HTML from user input. I'm not good at spotting things that aren't bullet points.)
ASKER
hello,
Thanks for the reply. I am using this RE in a contact form. Mostly, spammers enter URLs like this: http://url.com, http://www.url.com/ or url.com, so all I want is to prevent them from entering links. Is there any way to do this?
Well, if it's automated attacks you're trying to avoid, do some searching for a mechanism called a CAPTCHA system.
The CAPTCHA system forces the visitor to perform a task that computers find difficult, such as read numbers from a colourful graphic. Many big websites use a CAPTCHA system to avoid robots submitting rubbish to their feedback forms.
ASKER
I already have a CAPTCHA, but I still get spam. I need an RE for that.
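Lukas's regexes match paired and self-closing tags, the strip_tags() answer removes them, and the follow-up about spam URLs has the same goal: reject a contact-form submission and show an error. The following is an added example, not code from the thread or from the linked question. It is a small PHP validator with my own patterns (the tag pattern is deliberately broader than Lukas's paired-tag regex, and the URL pattern with its TLD list is a heuristic I chose), run over a constructed spam-like submission.

```php
<?php
// Added example, not from the original thread. Rejects form fields that
// contain anything tag-like or link-like and returns error messages for
// display. The patterns, field names and sample input are mine.

function validation_errors(array $fields): array
{
    $errors = [];

    // A "<" followed by an optional "/" and a tag name or "!" counts as
    // markup, whether or not a closing ">" is present, so an unterminated
    // "<script" is still caught. "3 < 5" is not matched: the character after
    // the spaces must be a letter or "!". (A bare "a<b" is matched; for a
    // contact form that is an acceptable false positive.)
    $tag_re = '/<\s*\/?\s*[A-Za-z!][^>]*>?/';

    // Links: anything with a scheme or "www." prefix, plus bare domains such
    // as url.com. The bare-domain rule is limited to a fixed list of TLDs
    // (heuristic) so that a missing space after a full stop, "ok.So", is not
    // flagged as a domain.
    $url_re = '~(?:https?://|ftp://|www\.)\S+'
            . '|\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*'
            . '\.(?:com|net|org|info|biz|edu|gov|io|co|uk|de|ru|cn)\b(?:/\S*)?~i';

    foreach ($fields as $name => $value) {
        if (preg_match($tag_re, $value)) {
            $errors[] = "$name: HTML tags are not allowed.";
        }
        // Non-regex equivalent of the tag check using the strip_tags()
        // recommended above: if strip_tags() changed the string, it
        // contained something it treated as a tag.
        // if (strip_tags($value) !== $value) { ... }
        if (preg_match($url_re, $value)) {
            $errors[] = "$name: links are not allowed.";
        }
    }
    return $errors;
}

function render_errors(array $errors): string
{
    // Anything echoed back into the page is encoded on output, error text
    // included. Rejecting "<" on input is a spam/abuse filter, not a
    // substitute for output escaping.
    $items = array_map(
        function (string $e): string {
            return '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>';
        },
        $errors
    );
    return $items ? '<ul class="errors">' . implode('', $items) . '</ul>' : '';
}

// Constructed spam-like submission. Only the fields that should not carry
// links are passed in: an e-mail field such as bob@example.com would trip
// the bare-domain rule.
$submission = [
    'name'    => 'Bob',
    'message' => 'Cheap stuff at http://www.url.com/ or url.com <a href="x">now</a>',
];
echo render_errors(validation_errors($submission));
```

Run on that submission, the name field passes and the message field produces both errors. Keep the checks server-side; a CAPTCHA and a client-side check reduce noise, but only the server-side rejection decides what gets stored or mailed.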
ASKER
I think I found the solution here:
https://www.experts-exchange.com/questions/20321606/Website-Regular-Expression.html
ASKER CERTIFIED SOLUTION
strip_tags() removes any PHP or HTML tags from a string. This prevents the HTML display problems, the JavaScript execution (the <script> tag will no longer be present) and a variety of problems where there is a chance that PHP code could be executed.
mysql_escape_string() // for SQL injection, up to some extent.