  1. #1 Serenarules

    Regex help needed.

    Um, ok. I need a regex that will do the following. I'm sorry but I have never been able to figure regex out in all the time I've been programming.

    1) Ensure that a variable contains only lowercase letters, uppercase letters, numbers.

    2) All other characters, including spaces, are stripped.

  2. #2 McGruff
    Try these tutorials:

    http://www.evolt.org/article/rating/20/22700/index.html
    http://www.regular-expressions.info/tutorial.html

    And this very useful tool:

    http://www.weitz.de/regex-coach/

    [^a-zA-Z0-9]+ will match all the non letter/number chars - preg_replace with an empty string.

  3. #3 Serenarules
    Thanks. This is what I got out of it.

    return ereg_replace('[^A-Za-z0-9]', '', $_GET[$name]);

    May I ask a general question? What characters would one look for to avoid sql injection? Thanks in advance.

  4. #4 McGruff
    I've no idea if that works the same with ereg/POSIX - I always use PCRE (preg_match, preg_replace etc). Allegedly, they're faster although probably unlikely to be anything significant.

    For SQL injection, always (1) quote and (2) escape strings. Run expected integers through intval() to make sure they really are integers.

  5. #5 Serenarules
    Thanks. My statement worked just fine and I will run some tests, but I think that the mysqli binding functions take int casting into account already, do they not?

    $stmt->bind_param('is', $id, $description);

    i = integer
    s = string


    I will test this later myself, but if you have a quick answer...
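One way to put posts #2, #4 and #5 together in PHP, as an added example that is not code from the thread (the `items` table, its columns and the already-opened `$db` connection are assumptions; the lookup also assumes mysqlnd for `get_result()`):

```php
<?php
// Added example, not from the thread: whitelist-strip a GET value with PCRE,
// then use the bound 'is' parameters from post #5 for the query.
// Assumptions: the items table/columns are placeholders; $db is a mysqli
// connection the caller has already opened.

declare(strict_types=1);

// Keep only ASCII letters and digits; everything else, spaces included, is
// dropped. preg_replace (PCRE) stands in for ereg_replace, which no longer
// exists in PHP 7 and later.
function alnum_only(string $value): string
{
    $clean = preg_replace('/[^A-Za-z0-9]+/', '', $value);
    // preg_replace returns null on an internal error; fail closed rather
    // than pass the raw input through.
    return $clean ?? '';
}

// Look up a row with a bound integer and a bound string. The values travel
// as parameters, not as part of the SQL text, so no quoting or escaping is
// done by hand here. intval() follows post #4 for the expected integer.
function find_item(mysqli $db, $rawId, string $rawDescription): ?array
{
    $id = intval($rawId);
    $description = alnum_only($rawDescription);

    $stmt = $db->prepare(
        'SELECT id, description FROM items WHERE id = ? AND description = ?'
    );
    $stmt->bind_param('is', $id, $description);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Stand-alone demo with constructed inputs; no database needed.
$samples = [
    "Hello, World! 42"   => 'HelloWorld42',
    "' OR '1'='1"        => 'OR11',
    "tab\tand\nnewline"  => 'tabandnewline',
];
foreach ($samples as $in => $expected) {
    $out = alnum_only($in);
    printf("%-24s -> %-14s %s\n", json_encode($in), $out,
        $out === $expected ? 'ok' : 'MISMATCH');
}
printf("intval('12abc') = %d, intval('abc') = %d\n", intval('12abc'), intval('abc'));
```

The demo shows that the single quotes, spaces and equals signs of a typical injection string are simply removed by the whitelist, while intval() turns "12abc" into 12 and "abc" into 0.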

  6. #6 McGruff
    Haven't used php5 or mysqli - couldn't say.

  7. #7 Serenarules
    That's ok. I'll figure it out with a few simple tests. Thanks again McGruff!

  8. #8 wwb_99
    Quote Originally Posted by Serenarules
    Thanks. This is what I got out of it.

    return ereg_replace('[^A-Za-z0-9]', '', $_GET[$name]);

    May I ask a general question? What characters would one look for to avoid sql injection? Thanks in advance.
    Mysql: use mysql_escape_string();
    Other DBMS: usually str_replace("'", "''"); will do 95% of the trick. Other things really vary by DB platform.

  9. #9 charlieC
    Here's an alternative to Regex Coach:
    Regulator
    http://regex.osherove.com/

    Although I normally use Regex Coach, I've only heard positive comments on Regulator.
    Monkey see. Monkey do.
