  1. #1 amy.damnit (SitePoint Addict, joined Sep 2009)

    Regular Expression for Address

    I am wrapping up my programming today and would like a Regular Expression for a Billing Address.

    It needs to follow the format below since I don't have time to "learn" Regular Expression before my site goes live tomorrow...

    (Next time around I hope to be more knowledgeable of writing them myself!)

    Code:
        // Validate First Name.
        if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $first_name)) {
            // Valid First Name.
            $fn = mysqli_real_escape_string ($dbc, trim($first_name));
        } else {
            // Invalid First Name.
            $errors['first_name'] = 'Please enter a valid First Name.';
        }
    Thanks for the help!!


    Amy

  2. #2 Servyces (SitePoint Zealot, The Netherlands)
    Well, first of all you need to ask yourself: do you really want a regular expression on an address? Addresses are very "variable" and can look like so many things. Especially when you are accepting international addresses. Street names, house numbers and zipcode notations are different all over the world, so I'd say there is no real "good" regex for a billing address line. Best you could do (imo) is to filter some obvious "impossible" characters like special chars (e.g. !@#$%^). Other than that I wouldn't be too strict on user input, since it only cripples the user-friendliness of your site.
    Servyces.com
    Where it's all about you.
    Your partner in online solutions.
    Visit our website at http://www.servyces.com/

  3. #3 amy.damnit
    Quote Originally Posted by Servyces View Post
    Well, first of all you need to ask yourself: do you really want a regular expression on an address? Addresses are very "variable" and can look like so many things. Especially when you are accepting international addresses. Street names, house numbers and zipcode notations are different all over the world, so I'd say there is no real "good" regex for a billing address line. Best you could do (imo) is to filter some obvious "impossible" characters like special chars (e.g. !@#$%^). Other than that I wouldn't be too strict on user input, since it only cripples the user-friendliness of your site.
    That is a very good point, and I guess it was implied by me.

    What I really want is to be sure that somebody doesn't put in special characters that could cause issues in my database.

    What is the best way to protect myself from that standpoint??

    If there is a better way to protect myself than using a Reg Ex I'm open to it!

    The last fields I need checks on are "Address", "City", "Zip" and "Telephone"

    Everything is in the U.S.

    Hope that helps...

    Thanks,


    Amy

  4. #4 Servyces
    Quote Originally Posted by amy.damnit View Post
    That is a very good point, and I guess it was implied by me.

    What I really want is to be sure that somebody doesn't put in special characters that could cause issues in my database.

    What is the best way to protect myself from that standpoint??

    If there is a better way to protect myself than using a Reg Ex I'm open to it!

    The last fields I need checks on are "Address", "City", "Zip" and "Telephone"

    Everything is in the U.S.

    Hope that helps...

    Thanks,


    Amy
    A pretty solid way to protect yourself from any "funny" business going on in your database is by using mysql_real_escape_string (there are similar functions for non-MySQL databases as well) on your queries before actually executing them. Additionally you can use stuff like str_replace to remove/filter any funny characters.

    Another option (that I mostly use myself) is by using a PDO and calling the prepare function on the query before executing it, although that goes a bit more towards object oriented PHP programming and I'm not sure if you're at that level yet (no offense), but it's something to keep in mind for the future.

  5. #5 amy.damnit
    Quote Originally Posted by amy.damnit View Post
    The last fields I need checks on are "Address", "City", "Zip" and "Telephone"

    Everything is in the U.S.
    What if i just wrap those fields in this code...


    mysqli_real_escape_string($dbc, $x)


    Is that good enough to protect my database for now??


    Amy

  6. #6 Servyces
    Quote Originally Posted by amy.damnit View Post
    What if i just wrap those fields in this code...


    mysqli_real_escape_string($dbc, $x)


    Is that good enough to protect my database for now??


    Amy
    If $x contains the entire (or part of the) query that inserts those fields, then yes. That should just work fine.

  7. #7 amy.damnit
    Ha ha... our posts passed along the way?!

    Quote Originally Posted by Servyces View Post
    A pretty solid way to protect yourself from any "funny" business going on in your database is by using mysql_real_escape_string (there are similar functions for non-MySQL databases as well) on your queries before actually executing them. Additionally you can use stuff like str_replace to remove/filter any funny characters.
    So can you please show me what the code needs to look like in my web-form?

    How about something simple like this...
    Code:
    
        // Clean Remaining Fields.
        $ad1 = mysqli_real_escape_string ($dbc, trim($address1));
        $ad2 = mysqli_real_escape_string ($dbc, trim($address2));
        $city = mysqli_real_escape_string ($dbc, trim($city));
        $zip = mysqli_real_escape_string ($dbc, trim($zip));   // was trim($state): the wrong variable was escaped into $zip
        $tele = mysqli_real_escape_string ($dbc, trim($telephone));

    Quote Originally Posted by Servyces View Post
    Another option (that I use myself) is by using a PDO and calling the prepare function on the query before executing it, although that goes a bit more towards object oriented PHP programming and I'm not sure if you're at that level yet (no offense), but it's something to keep in mind for the future.
    No offense taken. I am definitely not ready for that!! But hopefully someday soon?!



    Amy

  8. #8 amy.damnit
    Quote Originally Posted by Servyces View Post
    If $x contains the entire (or part of the) query that inserts those fields, then yes. That should just work fine.
    You lost me a bit...

    Here is the code i was using - from my PHP book - up until now...
    Code:
        // Validate First Name.
        if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $first_name)) {
            // Valid First Name.
            $fn = mysqli_real_escape_string ($dbc, trim($first_name));
        } else {
            // Invalid First Name.
            $errors['first_name'] = 'Please enter a valid First Name.';
        }
    Code:
          $q1 = "INSERT INTO users (email, pass, first_name, last_name, " .
                "active, created_on) " .
                "VALUES ('$e', SHA1('$p'), '$first_name', '$last_name', " .
                "'$a', NULL )";
    
          // Run query.
          $r1 = mysqli_query ($dbc, $q1)
                  or trigger_error("Query: $q1\n<br />MySQL Error: " . mysqli_error($dbc));
    
    My book doesn't have things like "Address" or "Zip" or "Telephone" in the example, so I just want to be sure...



    Amy

  9. #9 Servyces
    Quote Originally Posted by amy.damnit View Post
    Ha ha... our posts passed along the way?!
    Yeah, it seems that you figured it out just the second I made that post, good work

    Quote Originally Posted by amy.damnit View Post
    So can you please show me what the code needs to look like in my web-form?

    How about something simple like this...
    Code:
    
        // Clean Remaining Fields.
        $ad1 = mysqli_real_escape_string ($dbc, trim($address1));
        $ad2 = mysqli_real_escape_string ($dbc, trim($address2));
        $city = mysqli_real_escape_string ($dbc, trim($city));
        $zip = mysqli_real_escape_string ($dbc, trim($zip));   // was trim($state): the wrong variable was escaped into $zip
        $tele = mysqli_real_escape_string ($dbc, trim($telephone));
    This should work just fine; it should escape any "malicious" input properly and send a safe string to your database, so there is no risk of SQL injection anywhere.

    Quote Originally Posted by amy.damnit View Post
    No offense taken. I am definitely not ready for that!! But hopefully someday soon?!
    Let's hope so. Just don't give up, and keep setting new goals for yourself to keep improving your skills.

    Quote Originally Posted by amy.damnit View Post
    You lost me a bit...

    Here is the code i was using - from my PHP book - up until now...
    Code:
        // Validate First Name.
        if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $first_name)) {
            // Valid First Name.
            $fn = mysqli_real_escape_string ($dbc, trim($first_name));
        } else {
            // Invalid First Name.
            $errors['first_name'] = 'Please enter a valid First Name.';
        }
    Code:
          $q1 = "INSERT INTO users (email, pass, first_name, last_name, " .
                "active, created_on) " .
                "VALUES ('$e', SHA1('$p'), '$first_name', '$last_name', " .
                "'$a', NULL )";
    
          // Run query.
          $r1 = mysqli_query ($dbc, $q1)
                  or trigger_error("Query: $q1\n<br />MySQL Error: " . mysqli_error($dbc));
    
    My book doesn't have things like "Address" or "Zip" or "Telephone" in the example, so I just want to be sure...
    If you make sure that the variables you pass into those queries ($e, $p, $first_name, $last_name and $a) are escaped first, you should be just fine. Should look something like this:

    PHP Code:
    // Escape the variables
    $e = mysqli_real_escape_string($dbc, $e);
    $p = mysqli_real_escape_string($dbc, $p);
    $first_name = mysqli_real_escape_string($dbc, $first_name);
    $last_name = mysqli_real_escape_string($dbc, $last_name);
    $a = mysqli_real_escape_string($dbc, $a);

    // Construct the query with escaped strings
    $q1 = "INSERT INTO users (email, pass, first_name, last_name, " .
          "active, created_on) " .
          "VALUES ('$e', SHA1('$p'), '$first_name', '$last_name', " .
          "'$a', NULL )";

    // Run query.
    $r1 = mysqli_query($dbc, $q1)
          or trigger_error("Query: $q1\n<br />MySQL Error: " . mysqli_error($dbc));
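The prepared-statement route mentioned in posts #4 and #9, as an added example that is not code from the thread: the same INSERT done with PDO, so the user's values never become part of the SQL text and nothing has to be escaped by hand. It uses an in-memory SQLite database so it runs offline; for MySQL only the DSN (something like 'mysql:host=localhost;dbname=shop', an assumption here) and the credentials change. The table layout and the sample values are constructed for the demo and are not from the original post.

```php
<?php
// Added example, not code from the thread: the thread's INSERT rewritten as a
// PDO prepared statement. Values travel separately from the SQL text, so a
// quote or SQL fragment inside them is stored as data and nothing needs to be
// escaped by hand. An in-memory SQLite database is used so this runs offline;
// for MySQL only the DSN (e.g. 'mysql:host=localhost;dbname=shop', assumed here)
// and the credentials change. Table layout and sample values are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    email      TEXT NOT NULL,
    first_name TEXT, last_name TEXT,
    address1   TEXT, address2 TEXT, city TEXT, zip TEXT, telephone TEXT
)');

function insertUser(PDO $pdo, array $u): int
{
    // Named placeholders: the column list is fixed in code, only the values vary.
    $sql = 'INSERT INTO users (email, first_name, last_name, address1, address2, city, zip, telephone)
            VALUES (:email, :first_name, :last_name, :address1, :address2, :city, :zip, :telephone)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':email'      => $u['email'],
        ':first_name' => $u['first_name'],
        ':last_name'  => $u['last_name'],
        ':address1'   => $u['address1'],
        ':address2'   => $u['address2'],
        ':city'       => $u['city'],
        ':zip'        => $u['zip'],
        ':telephone'  => $u['telephone'],
    ]);
    return (int) $pdo->lastInsertId();
}

function findUser(PDO $pdo, int $id): ?array
{
    // Even an integer goes through a placeholder: escaping functions only help
    // for values wrapped in quotes, so "WHERE id = $id" would stay injectable.
    $stmt = $pdo->prepare('SELECT last_name, address1, city FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input: a legitimate apostrophe in two fields and a classic
// injection string in the city field. None of it needs mysqli_real_escape_string().
$id = insertUser($pdo, [
    'email'      => 'amy@example.com',
    'first_name' => 'Amy',
    'last_name'  => "O'Brien",
    'address1'   => "12 O'Connell St.",
    'address2'   => '',
    'city'       => "Springfield'); DROP TABLE users; --",
    'zip'        => '62701',
    'telephone'  => '217-555-0100',
]);

print_r(findUser($pdo, $id));
// The injection string is just a (bad) city value; the table is still there:
echo $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), " row(s)\n";
```

Two caveats a reader of the thread should take from this: mysqli_real_escape_string() only protects a value that is wrapped in single quotes in the SQL, so a bare number such as `WHERE id = $id` is still injectable, while a placeholder covers both cases; and with the MySQL driver, set `PDO::ATTR_EMULATE_PREPARES` to false so the placeholders are bound by the server rather than substituted client-side. The thread's query also hashes the password with SHA1() inside the SQL; in current PHP, password_hash() on the application side is the standard choice for that.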

  10. #10 amy.damnit
    So it looks like I was doing it the right way.

    Is there any easy way to check the length of each field?

    I'm not sure if I can control that in my HTML form or if I need to handle it in PHP.

    I don't want someone trying to put a 100 character address in a 40 character field.

    Thanks,


    Amy

  11. #11 Servyces
    Quote Originally Posted by amy.damnit View Post
    So it looks like I was doing it the right way.
    Yeah, you were thinking in the right direction.

    Quote Originally Posted by amy.damnit View Post
    Is there any easy way to check the length of each field?

    I'm not sure if I can control that in my HTML form or if I need to handle it in PHP.

    I don't want someone trying to put a 100 character address in a 40 character field.
    You can literally "cap" an input field in HTML by adding the "maxlength" tag to it. For example:

    Code:
    <input type="text" name="address" maxlength="40">
    That way, the field will stop accepting any new input once 40 characters are entered. Try it and see for yourself. Especially if your database field is limited (like if it's set to VARCHAR(40)), it's important to also cap your form fields (if you don't have a separate check for this) to keep the user from getting SQL errors showing up that they most likely do not understand.
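The length check on the server side, as an added example that is not code from the thread: the maxlength attribute is enforced only by the browser's form, so a request sent by hand can carry a value of any length (or an array instead of a string), and the column limits have to be checked again in PHP. This block validates the four U.S. fields from post #3 ("Address", "City", "Zip" and "Telephone"); the column lengths (40 and 30) and the sample request are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread: server-side checks for the U.S.
// "Address", "City", "Zip" and "Telephone" fields. maxlength on the <input>
// only limits what a browser form sends; a request built by hand can carry
// any length, so the column limits are enforced again here. The limits below
// are assumptions to match a VARCHAR(40)-style schema; change them to match
// your table.
declare(strict_types=1);

function validateAddressFields(array $in): array
{
    $errors = [];
    $clean  = [];

    // Free-text lines: name => [assumed column length, required?]
    $textFields = [
        'address1' => [40, true],
        'address2' => [40, false],
        'city'     => [30, true],
    ];
    foreach ($textFields as $name => [$max, $required]) {
        $raw = $in[$name] ?? '';
        if (!is_string($raw)) {            // e.g. address1[]=x arrives as an array
            $errors[$name] = 'Please enter a valid value.';
            continue;
        }
        // Drop control characters, collapse runs of whitespace, trim the ends.
        $v = preg_replace('/[\x00-\x1F\x7F]+/', '', $raw);
        $v = trim(preg_replace('/\s+/', ' ', $v));
        if ($v === '' && $required) {
            $errors[$name] = 'This field is required.';
        } elseif (mb_strlen($v) > $max) {
            $errors[$name] = "Please use at most $max characters.";
        } else {
            $clean[$name] = $v;
        }
    }

    // U.S. ZIP code: five digits, optionally ZIP+4.
    $zip = is_string($in['zip'] ?? null) ? trim($in['zip']) : '';
    if (preg_match('/^\d{5}(-\d{4})?$/', $zip)) {
        $clean['zip'] = $zip;
    } else {
        $errors['zip'] = 'Please enter a 5-digit ZIP code (or ZIP+4).';
    }

    // U.S. telephone: accept spaces, dashes and brackets on input, keep the
    // ten digits. A leading country code "1" is tolerated and removed.
    $digits = is_string($in['telephone'] ?? null) ? preg_replace('/\D+/', '', $in['telephone']) : '';
    if (strlen($digits) === 11 && $digits[0] === '1') {
        $digits = substr($digits, 1);
    }
    // North American numbering: area code and exchange both start with 2-9.
    if (preg_match('/^[2-9]\d{2}[2-9]\d{6}$/', $digits)) {
        $clean['telephone'] = $digits;
    } else {
        $errors['telephone'] = 'Please enter a 10-digit U.S. telephone number.';
    }

    return ['errors' => $errors, 'clean' => $clean];
}

// Constructed sample request: a 100-character address line, a city with stray
// whitespace, a ZIP+4 and a phone number typed with punctuation.
$result = validateAddressFields([
    'address1'  => str_repeat('x', 100),
    'address2'  => '',
    'city'      => '  Springfield ',
    'zip'       => '62701-1234',
    'telephone' => '(217) 555-0100',
]);
print_r($result);
```

Only the values in `clean` go on to the database query, and the `errors` array is what the form shows back to the user, in the same style as the `$errors['first_name']` check earlier in the thread. The telephone number is stored as ten digits, which keeps the column small and makes later comparisons simple regardless of how the user typed it.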

  12. #12 amy.damnit
    Quote Originally Posted by Servyces View Post
    You can literally "cap" an input field in HTML by adding the "maxlength" tag to it. For example:

    Code:
    <input type="text" name="address" maxlength="40">
    That way, the field will stop accepting any new input once 40 characters are entered. Try it and see for yourself. Especially if your database field is limited (like if it's set to VARCHAR(40)), it's important to also cap your form fields (if you don't have a separate check for this) to keep the user from getting SQL errors showing up that they most likely do not understand.
    Okay, that is what I was looking for - and it's easy too!

    Hopefully this will take care of these less important fields for now.

    Next go-round I'll get into the fancier Regular Expressions and the PDO stuff, hopefully.

    Thanks,


    Amy

