
05-10-2006, 10:02 AM
Contributing Member, Atlanta, GA (joined 10-13-03, 1,135 posts)
Regular Expressions Help
Ok, I have tried for years to figure out how regular expressions work, but I can't figure them out. Can I ask someone here who knows how to write them for PHP to please write me one.
I need it to list all letters, all numbers, underscore, period, dash, (, ), !, ?, and a comma. I pretty much want to check to make sure members are not inputting HTML or code that could be used for hacking.
Thanks, if there is a better way to do this let me know.

05-10-2006, 03:06 PM
Junior Member (joined 03-28-06, 23 posts)
You can use strip_tags() to remove tags. I've heard there's some bugs with that so I also use,
$string = str_replace('<', '&lt;', $string); // any remaining "<" becomes its HTML entity so it cannot open a tag
This will remove any of your non-desired characters:
$string = preg_replace("/[^a-zA-Z0-9._ \-()!?,]/", "", $string); // drop everything outside the allowed set (dash escaped so it is a literal, not a range)
-the mole

05-10-2006, 04:19 PM
Contributing Member, Manchester, NH (joined 04-07-06, 722 posts)
Quote:
list all letters, all numbers, underscore, period, dash, (, ), !, ?, and a comma. I pretty much want to check to make sure members are not inputting html or code that could be used for hacking.
I believe in a white list philosophy of input cleansing. A black list would try to know every possible character that could be input and exclude it. That's hard and not extensible. A white list says, this is it, the defined set, go no further.
If these are the characters:
a-zA-Z0-9_.-()!?,
then there's nothing I can see that would allow hacking.
The two hacking issues to worry about are cross site scripting and sql injection. Cross site scripting requires you to fool the processor into thinking it's getting javascript. You could do that with or the ascii equivalents or the html entity equivalents -- all of these are excluded from your white list.
SQL injection requires you to fool the input into looking like a valid SQL statement. I could be totally off on this one so don't bet the farm, but I've never seen that done without allowing the semi-colon, which you're not allowing.
For syntax go with those better than me at regex in php. ;-)

05-10-2006, 04:29 PM
v7n Mentor, Kansas (joined 11-01-03, 1,356 posts)
What you could do, instead of thinking about which characters to block, is think about which characters are allowed. Only set certain characters to be processed, and then you probably won't have problems with the things you talk about above. Of course, there are always ways around this kind of stuff on the Internet, but it's a start.
Izzmo

05-10-2006, 04:47 PM
Junior Member (joined 03-28-06, 23 posts)
I was at work when I posted earlier (uh-oh!) so I'll clarify things a little bit more now.
It sounds like you just want to remove any javascript or html tags from a user's input. I use the following:
$user_input = strip_tags($user_input); // removes HTML and script tags
$user_input = str_replace('<', '&lt;', $user_input); // replaces any remaining "<" with its HTML entity
As I said before, I've heard there's some bugs in strip_tags so I run that str_replace just in case. I haven't had any problems with it.
The following will remove anything but letters, numbers, underscores, periods, dashes, (, ), !, ?, spaces and commas:
$user_input = preg_replace("/[^a-zA-Z0-9._ \-()!?,]/", "", $user_input); // dash escaped so it is a literal inside the class
For example:
Code:
$string = 'This is just @ <test> (of) the sytem!! does, this work @ this time & can I break it * ??';
echo "Before: $string <p>";
$string = preg_replace("/[^a-zA-Z0-9._ \-()!?,]/", "", $string); // strip everything outside the allowed set
echo "After: $string";
The above will output:
Quote:
Before: This is just @ (of) the sytem!! does, this work @ this time & can I break it * ??
After: This is just test (of) the sytem!! does, this work this time can I break it ??
-the mole
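As an added example (not code from the thread or from any poster), here is the white list discussed above, including the dash the original poster asked for, written three ways in PHP: as a validator that rejects bad input, as the thread's strip-style sanitiser, and with output encoding for the HTML page. The function names are assumed.

```php
<?php
// Added example, not code from the thread. Applies the white list the original
// poster asked for (letters, digits, _ . - ( ) ! ? , and space) as a validator,
// as a thread-style sanitiser, and then encodes the result for HTML output.

// Only literal characters inside the class: the hyphen is escaped so it is a
// dash, not a range. \A and \z anchor to the whole string; ^ and $ would let
// a trailing newline slip through.
const ALLOWED_CHARS = 'a-zA-Z0-9_. \-()!?,';

// Validation: accept or reject, never alter (preferable for names, IDs, etc.).
function is_allowed(string $input): bool
{
    return preg_match('/\A[' . ALLOWED_CHARS . ']*\z/', $input) === 1;
}

// Sanitisation: drop every character outside the set, as the thread's
// preg_replace does. The result may no longer mean what the user typed.
function strip_disallowed(string $input): string
{
    return preg_replace('/[^' . ALLOWED_CHARS . ']/', '', $input);
}

// Output encoding: encode even filtered text before placing it in HTML, so
// page safety does not rest on the character filter alone.
function render(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, not taken from the thread.
$samples = [
    'Hello, world! (test-case) ?',   // entirely within the white list
    'see <b>bold</b> here',          // tag characters: rejected or stripped
    "it's 100% done; fine",          // quote, % and ; are outside the set
];

foreach ($samples as $s) {
    printf("input:    %s\nallowed:  %s\nstripped: %s\nencoded:  %s\n\n",
        $s,
        is_allowed($s) ? 'yes' : 'no',
        strip_disallowed($s),
        render(strip_disallowed($s)));
}
```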

05-10-2006, 11:25 PM
Contributing Member, Atlanta, GA (joined 10-13-03, 1,135 posts)
Thank you all for the input. I think I am going to go with only allowing those characters I listed above, which will rule out HTML, JavaScript, and ASCII translations of characters. Thanks for the help. I will keep reading this thread if you have any more comments.
Powered by vBulletin Copyright © 2000-2013 Jelsoft Enterprises Limited.
Copyright © 2003 - 2013 Escalate Media LP