Validating Forms Using preg_match

Posted by Caitlinn (Caitlinn), 24 July 2004

Hiya!

I'm hoping to gain a few tips from the more experienced programmers. I'm trying to do some form validation in php using preg_match. This is what I would like to allow:

Any letters from a-z, regardless of case
can include the characters . - ' ,
can include spaces
all of the above should be allowed to be in any order throughout the string.

I do not want it to include numbers, semi-colons, colons, hash (pound sign), back or forward slashes, brackets (either curly or square), dollar signs, greater than or less than signs, or other characters such as that.

I have written:

Code:
It must be wrong because I am allowed to enter things like ...

O'Sm#ith Smith 1 Smith1

I haven't the foggiest idea how to correct my problem. I've had a look at some regexp sites to try to debug my syntax, but at this point I'm lost. Can anyone give me some hints?

Thanks in advance

Posted by John_Moylan (jfp), 24 July 2004

You'll have to excuse the fact that I've done this in Perl, but this is more of a regex query than PHP.

Code:
The above works for me.

At the start of the regex the ^ means "starts with", then I allow a-zA-Z, then literal . - ' and then any space using \s

This is all in a character class [...] which tells the regex engine "any character listed within [...]"

Then I have a + sign which means 1 or more of what preceded it, in this case the whole character class.

Finally the $ means "ends with".

Try the regex on its own,

Code:
and let me know if you have a problem. Unless Graham gets here first and spots errors in my regex

Cheers
jfp

Posted by admin (Graham Ellis), 24 July 2004

I spot no error in your regular expression, jfp ... but PHP's preg_match function has a strange surrounding syntax that isn't intuitive.

Try:

    // Reject the field unless the whole string is made of allowed characters
    if (! preg_match('/^[-a-z.,\'\s]*$/i', $fieldname)) {
        die("Oops - $fieldname includes a bad character");
    }

Notes:

a) This will ACCEPT a completely empty field (Caitlinn - you didn't specify one way or the other what you wanted it to do in that circumstance). Replace the * by a + to insist on there being at least one character.

b) Putting the "-" at the start of the regular expression means that the "-" is taken as a character to be matched - unless you put it at the start or end of the sequence in square brackets, a range is assumed.

c) The letter "i" after the second slash means "ignore case". Less typing than adding in an A-Z ... unless you come to explain it to someone else like I'm doing here.

As jfp explained, the big issue with your original regular expression, Caitlinn, was the lack of ^ and $ - so you were looking for a valid name WITHIN the string rather than to check if the whole string was a name. The string "Smith1" contained the name Smith, so it was acceptable ...

And .... welcome to opentalk

Graham

Posted by Caitlinn (Caitlinn), 24 July 2004

jfp and Graham,

Thanks a bunch for your answers! I've been pulling my hair out with this expression for the last day or so.

Quote:
Hey, that's very handy, Graham! I'll keep this in mind for future validation. I like that /i switch too!

I've given the changes a try and everything seems to be working as expected, except the apostrophes -- it's kicking them out as an error. I have magic quotes turned on in my php.ini, so the field value appears as Caitlinn\'s rather than Caitlinn's. Is this what is causing the problem? If so, is there a way to work around that without turning off magic quotes? I'd like the values to go into the database escaped.

BTW, the value of $fieldname is coming from a form using the post method. Then inside the script, I define the value as $fieldname=$_POST['fieldname']; for use in the preg_match statement.

You two have been a big help. As you can tell, PHP and I are still rather new friends, and sometimes all the Googling in the world doesn't supply the exact answer you need.

Thanks again ...

Cait (who's contemplating the next question -- SQL injection hack prevention)

Posted by admin (Graham Ellis), 25 July 2004

on 07/24/04 at 23:24:54, Caitlinn wrote:
Probably the easiest way to do it is to "stripslashes" from the variable within the regular expression check. This will cause the test to be made on a copy of what was truly entered by the user, without the need to write a particularly clever regular expression that allows \ but only before '.

Code:
Posted by Caitlinn (Caitlinn), 25 July 2004

Stripslashes! Geez, how simple. What do they say? Can't see the forest for the trees!

Thanks again, Graham.

This page is a thread posted to the opentalk forum at www.opentalk.org.uk and archived here for reference.
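
The anchoring point and the stripslashes workaround from this thread, as an added example that is not part of the original posts: `is_valid_name`, the constant names and the sample inputs are constructed for illustration, the unanchored pattern is an assumed stand-in because the original poster's code is not in the archive, and magic quotes (removed in PHP 5.4) are simulated with `addslashes()`. It goes slightly beyond the thread by adding a stricter pattern with a literal space and `\z`, since `\s` also admits tabs and newlines.

```php
<?php
// Added example: patterns and inputs below are constructed for illustration.

// Assumed stand-in for an unanchored check: matches if ANY allowed run exists.
const UNANCHORED = '/[-a-z.,\'\s]+/i';
// Anchored pattern from the thread, with + so an empty field is rejected.
const ANCHORED = '/^[-a-z.,\'\s]+$/i';
// Stricter variant (assumption, not from the thread): literal space instead
// of \s, and \z so the match must end at the very end of the input.
const STRICT = '/^[-a-z.,\' ]+\z/i';

// Hypothetical helper: true only when preg_match reports a match (1),
// so both "no match" (0) and a regex error (false) count as invalid.
function is_valid_name(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// addslashes() puts a backslash before the apostrophe, as magic quotes did.
$escaped = addslashes("Caitlinn's");

$samples = [
    "O'Smith",               // only allowed characters
    "Smith1",                // trailing digit
    "O'Sm#ith",              // disallowed character in the middle
    "Smith\nJones",          // embedded newline, which \s matches
    $escaped,                // value as received with magic quotes on
    stripslashes($escaped),  // unescaped copy used only for the check
];

printf("%-16s %-10s %-8s %s\n", 'input', 'unanchored', 'anchored', 'strict');
foreach ($samples as $value) {
    printf(
        "%-16s %-10s %-8s %s\n",
        json_encode($value), // makes the newline and backslash visible
        is_valid_name(UNANCHORED, $value) ? 'accept' : 'reject',
        is_valid_name(ANCHORED, $value) ? 'accept' : 'reject',
        is_valid_name(STRICT, $value) ? 'accept' : 'reject'
    );
}
```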