[simone]

Okay guys ...i've looked at a few ways to validate the informaton from a form, to make sure that certian characters are not included (this is a user script im working on) ..obviously none of the ways worked with my coding, otherwise i wouldnt be here asking, so if anyone could explain a way i could get this to work.

Heres my code at the moment.

PHP Code:

    if($action == "submit") {

$required = explode(",", $_POST['required']);

    $unquery = $db->query("SELECT username FROM $table_users WHERE username='$username'");

    $uncheck = $db->num_rows($unquery);

    $emquery = $db->query("SELECT email FROM $table_users WHERE email='$email'");

    $emcheck = $db->num_rows($emquery); 

    $error = 0;



  foreach($required as $fieldname) {

     if ($_POST[$fieldname] == "") {

        $error++;

     }

  }

           

  if ($error == 0) {

      if (strstr($_POST['email'], "@") and strstr($_POST['email'], ".")) {

      if (!$uncheck) {

      if (!$emcheck){ 

          $regdate   = date("D jS M y");

        $randpw    = $randompw;

$db->query("INSERT INTO $table_users VALUES ('', '$thename', '$username', '$randpw[md5]', '$email', '$regdate')");

        mail("$email", "TFS Account Information", "Blah blah blah");



eval("\$header = \"".template("header")."\";");

echo $header;

?>

        <script>

        function redirect()

        {

        window.location.replace("apply.php?action=Thanks");

        }

        setTimeout("redirect();", 1250);

        </script>

<?

   exit();

   }

      else {

      $errormessage = "<b>The email address you entered is aleady in use, please use a different one.<br /></b>";

      }

    }

   else {

      $errormessage = "<b>The username you entered is aleady in use, please try a different one.<br /></b>";

      }

    }

      else { 

      $errormessage = "<b>The email address you entered does not appear to be valid.<BR></b>";

      }

      } else {

      $errormessage = "<b>All feilds are required, please fill them in!<BR></b>";

   } 

     }

and i want < > | " [ ] \\ & # - ( ) all of them to be excluded from the username, i tried the array and the foreach bizzo, but it didnt work with my coding, unless im just stupid, which is quite possible, also the error needs to be defined as the variable $errormessage ..due to templates. Any help? thanks!

[NeverMind]

use preg_match() to check if the chars you don't want exist or not ..

PHP Code:

if (preg_match('~\<*?\>*?\|*?"*?\[*?\]*?\\*?&*?#*?-*?\(*?\)*?~is', $text)) {

  $errormessage = '<br />You have used an unaccepted char(s) OR WHATEVER! ;P';

} 

if you want to check each char individually, then use multi preg_match() IFs ..

the *? to tell that a char may not be found! so skip it and look for the next one!

if this didn't work try to make all unwanted chars in an array and loop through each element..

PHP Code:

$unwanted = array ('~\<*?~', '~\>*?~', '~\|*?~', '~"*?~', '~\[*?~', '~\[*?~', '~\\*?~', '~#*?~', '~&*?~', '~-*?~', '~\(*?~', '~\)*?~');



for ($i=0 $i<count($unwanted); $i++) {

  if (preg_match($unwanted[$i], $text)) }

    $errormessage = 'Error';

  }

} 

hopefully this will work!

[simone]

hmm, okay the second one gives me a parse error, the first one, it just by passes.

Is there anyway of saying, if the charcters DO NO exist in the username, continue, else show error??

OR too make it even safer, is there a way to say.. IF the username ONLY contains letters, numbers and underscores continue ... else show error?

[NeverMind]

Quote:

hmm, okay the second one gives me a parse error

my bad
the second one should had used strstr() instead of preg_match() because it's much faster since we are only checking each one alone!

Quote:

OR too make it even safer, is there a way to say.. IF the username ONLY contains letters, numbers and underscores continue ... else show error?

if you had just said so from the begining

PHP Code:

if (!preg_match('~[a-zA-Z0-9_]~', $username)) {

  $errormessage = 'You have an invalid char(s) in your username!';

} 

[simone]

oh thankgod saviour at last, i was thinking of that, but i didnt know what i had to write in the preg_match ..i changed your code around a little to suit my shitty code.

PHP Code:

 if (preg_match('~[a-zA-Z0-9_]~', $username)) { 

  *continue with script*

  } 

  else {

   $errormessage = 'You have an invalid char(s) in your username!'; 

 } 

and she works like a charm ..thanks heaps!

[NeverMind]

glad it worked

Quote:

but i didnt know what i had to write in the preg_match

well, most people fear to work with regular expression and I was one of them ..
but now after I learnt them they are so helpful !!
I am not proffisional in them yet, but I am still learning

[simone]

ahh i actually found a flaw ...it lets a username like sim<>ne go through ..so basically what your code is saying is it contains ATLEAST a-z and 0-9 let is pass otherwise show error. I worked out another way however.

PHP Code:

$error = 0;



$search4 = array('<', '>', '|', '"', '[', ']', '\\', '&', '#', '--');

        foreach($search4 as $needle) {

            if(strstr($_POST['username'], $needle)) {

        $error++; 

            }

        }

   if ($error == 0) {

 *continue with script*

} else {

 $errormessage = "Your username contains invalid characters";

} 

So im using the needle in a haystack type thing ..and its now working perfectly ..thanks for your help though!

[blaw]

Hi there,

I guess we (at least me and NeverMind) all don't fancy regex... =)

simone, what about "@", "`", "~" ? Also, even if you got all the special characters on your keyboard, depending on what your PHP/MySQL settings are, foreign chars like "あ" can crawl in.

The following is a reverse of NeverMind's regex pattern (i.e. looking for at least one Non-alphabet, non-numeric, and if found, preg_match() returns true, so reverse it (optional) with ! to make it compatible with your existing code block order):

PHP Code:

<?php



if (!preg_match('~[^a-zA-Z0-9_]~', $username)) {

    // Good.

    echo 'Good.';

}

else {

    // Bad.

    echo 'Bad';

}



?>

My 2 cents.

[simone]

hmmm, basically the username doesnt get used in my php ..only for echo'ing like welcome simone! type thing ..so it wouldnt be dangerous to let a few other characters through ..i think i'll leave it how i have it for now, because usually when i muck around with stuff, i screw things up, lmao ..but thanks anyway, i'll reference that for the future

[cedric]

Well, if you want to enable people to use 'non standard' characters (which are very much standard characters to most human beings, eg ñ,é,à, ... in spanish, french, portugese, ...), you can always use :

if (!eregi("^([^0-9\@\"\'~]{2,})$",$userName)) {
$errormessage = "You have an invalid char(s) in your username!";
} else {
// continue
}

Just type the really unwanted characters (if needed, escaped by \) between the square braquets [], and they'll be rejected when the username is checked.
In the list above, numbers, @, ~, " and ' are rejected for the username. The {2,} means the username should be at least 2 characters long.

Hope this helps !