Question

So I wrote this function:

function validate_text($text,$min,$max,$include_spaces=true)
{
    $match = array();
    $regex = ($include_spaces)?"/[a-zA-Z0-9 .\-_]":"/[a-zA-Z0-9.\-_]";
    if($max<=0)
    {
        $regex = sprintf($regex."{%d,}/",$min);
    }
    else
    {
        $regex = sprintf($regex."{%d,%d}/",$min,$max);
    }
    if($include_spaces)
    {
        preg_match($regex,$text,$match);
    }
    else
    {
        preg_match($regex,$text,$match);
    }
    return (implode($match)==$text);
}

and use it as such:

  validate_text($_POST['prod_name'],10,100,true)

and I can't get it to validate the simple title "painting by cbkirby". I just need it to make sure that no wacky characters that wouldn't otherwise show up in a product title (like semicolons or quotes '", etc.) make it into the MySQL database. What am I doing wrong?


The solution

I'm not sure why you do all this, when you could just say "if this pattern matches" and anchor the pattern at both ends. preg_match already tells you whether the pattern matched; all you have to do is tell it to try and match the whole string. :)

function validate_text($text,$min,$max,$include_spaces=true)
{
    $chars = ($include_spaces) ? "[a-zA-Z0-9 .\-_]" : "[a-zA-Z0-9.\-_]";
    if ($max <= 0) $max = '';
    $regex = "/^{$chars}{{$min},{$max}}$/";
    return !!preg_match($regex, $text);
}

As for your original function, though, long-winded though it might be, it seems to work. You might want to var_dump($_POST['prod_name']) to make sure it's what you think it is. (Keep in mind if prod_name is in the query string, you're going to find it in $_GET rather than $_POST.)


Now...as for the goal...

If you're doing this to keep "bad" chars out of the SQL, that's a bit misguided. It's entirely conceivable for a name to have an apostrophe in it, for example. I've seldom been more annoyed at a site than when I take the time to enter a bunch of data and I get some "sorry, your data is invalid" message even though it's correct. :P "This common and perfectly legitimate character is invalid" sounds to me like "our site's not handling data properly".

Personally, unless I have a good business reason to limit the data, I don't. Keeping the SQL clean is not a business reason, as it's not at all difficult to keep things safe...

$db = new mysqli('localhost', 'dbusername', 'dbpassword', 'dbname');
$stmt = $db->prepare("
    INSERT INTO products (prod_title, other_stuff)
    VALUES (?, ?)
");
$stmt->bind_param('ss', $_POST['prod_title'], $_POST['other_stuff']);
$stmt->execute();

At this point, I really don't even have to care what prod_title and other_stuff contain. When you use placeholders and bind params this way, mysqli keeps the SQL and data separate, so it's impossible* to break stuff. Whatever's in there will make it into the database just fine. You can do pretty much the same thing for updates and deletes, and just slightly different for select queries.

* In some very obscure circumstances, it's possible to break. But you basically have to have a perfect storm of really bad circumstances, including ancient versions of MySQL and character sets no one outside of China uses.
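The two points in the answer above (anchor the pattern at both ends, and keep data out of the SQL text with placeholders) as one runnable example. This is added here and is not code from the question or the answer. It assumes PHP with PCRE and the pdo_sqlite extension: the answer uses mysqli, but an in-memory SQLite database via PDO shows the same placeholder behaviour without a MySQL server. The sample titles are constructed. One caveat the answer's version does not cover: without the D modifier (or `\z` in place of `$`), PCRE lets `$` match before a trailing newline, so "painting by cbkirby\n" would pass an anchored pattern.

```php
<?php
// Added example (not from the question or answer above): an anchored validator
// plus a prepared-statement insert, both exercised on constructed sample input.

declare(strict_types=1);

/**
 * Return true when $text consists only of letters, digits, space (optional),
 * dot, hyphen and underscore, and its length is within [$min, $max].
 * $max <= 0 means "no upper bound".
 *
 * The D (dollar-end-only) modifier makes "$" match only at the very end of the
 * string; without it, PCRE lets "$" match before a trailing "\n", so
 * "painting by cbkirby\n" would pass. "\z" would achieve the same thing.
 */
function validate_text(string $text, int $min, int $max, bool $include_spaces = true): bool
{
    $chars = $include_spaces ? '[a-zA-Z0-9 .\-_]' : '[a-zA-Z0-9.\-_]';
    $upper = $max <= 0 ? '' : (string) $max;
    $regex = "/^{$chars}{{$min},{$upper}}$/D";
    return preg_match($regex, $text) === 1;
}

// Constructed sample titles and the result the validator should give for each.
$samples = [
    'painting by cbkirby'       => true,   // the asker's title: plain letters and spaces
    "painting by cbkirby\n"     => false,  // trailing newline, rejected thanks to /D
    'short'                     => false,  // below the 10-character minimum
    "painting'; DROP TABLE x--" => false,  // apostrophe and semicolon are outside the class
];
foreach ($samples as $title => $expected) {
    $got = validate_text($title, 10, 100, true);
    printf("%-32s %s\n", json_encode($title), $got === $expected ? 'ok' : 'MISMATCH');
}

// Prepared statements: the data never touches the SQL text, so an apostrophe
// in a product title is stored as-is. The answer uses mysqli; this uses PDO
// with an in-memory SQLite database so it runs without a MySQL server
// (assumption: the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (prod_title TEXT, other_stuff TEXT)');

$stmt = $db->prepare('INSERT INTO products (prod_title, other_stuff) VALUES (?, ?)');
$hostile = "O'Neil's \"painting\"; DROP TABLE products; --";  // constructed, not a real record
$stmt->execute([$hostile, 'some other value']);

$row = $db->query('SELECT prod_title FROM products')->fetch(PDO::FETCH_ASSOC);
echo $row['prod_title'] === $hostile ? "stored verbatim\n" : "altered!\n";
```

Run it with `php example.php`: every sample line should print `ok`, and the last line should print `stored verbatim`, showing that the apostrophes, quotes and semicolon in the bound value reached the table unchanged without ever being part of the SQL statement. Whether a title with an apostrophe should be *accepted* is the business decision the answer talks about; the prepared statement is what keeps it *safe* either way.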

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow