Regexp not quite as expected (regular expressions)

Joined: 11/28/2008

Hello, I've got some user input going into file.php?l=

I only want to allow A-Za-z0-9 spaces, commas, and curved brackets,
and if anything else is there, give an error.

At the moment it does stop $ or ^ or & ...
but not *,
also it doesn't stop r% or "asa or a£a
which I would like it to.

Any help would be greatly appreciated, thanks.

$expr = '/^[^A-Za-z0-9()-, ]+$/';
$p = preg_match($expr,stripslashes(urldecode($_GET['l'])));
if($p==0) {
//all is fine, go ahead
}
else {
//error, get out of there
}

Joined: 12/20/2008

I would use strpos to check for *, asa and a£a, then I would use preg_match. Probably not the most efficient way of doing things though...

Joined: 11/28/2008

Some things I'd note:

  1. You say you:

    only want to allow A-Za-z0-9 spaces, commas, and curved brackets

    But your pattern also has a hyphen in it.

  2. When you have a pattern in which you wish to list an acceptable range of characters inside of square brackets, and you want a hyphen in that char range, the hyphen should be the last item in the square brackets. As you wrote it, you have the following inside the square brackets:
    • Uppercase A through uppercase Z
    • Lowercase a through lowercase z
    • Numeric char 0 through numeric char 9
    • Open-parenthesis char
    • Close-parenthesis char through comma char
    • Space char

    The problem is that the hyphen char has special meaning inside of square brackets, which is to express a range of chars. (This is probably the source of your allowance for "bad" chars.) Placing one at the end tells the regex engine you wish to have the hyphen char included in the char range.

  3. You're using a negation pattern, which is fine, but I generally find it easier on my mind to keep it positive when possible.
  4. To keep the pattern shorter, I'd remove the a-z from the char range and make the pattern case-insensitive.

Those things in mind, try this:

<?php

$allowedCharPattern = '/^[A-Z0-9 ,()-]+$/i';

if( preg_match( $allowedCharPattern, $_GET['l'] ) )
{
    //all chars are good
}
else
{
    //bad char detected
}

?>
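
The behaviour discussed in this thread, as an added example that is not part of any post: it runs the question's pattern and an allow-list pattern over the same inputs to show which ones each lets through. The constant and function names and the sample inputs are constructed for illustration; the allow-list assumes the requirement as stated in the question (no hyphen) and uses `\A` and `\z` instead of `^` and `$`.

```php
<?php
// Added example, not code from the thread. Sample inputs are constructed.

// Pattern from the question. Inside the class, ")-," is a range from
// ")" (0x29) to "," (0x2C), so it also covers "*" and "+".
const ORIGINAL = '/^[^A-Za-z0-9()-, ]+$/';

// Allow-list for the stated requirement: letters, digits, space, comma,
// parentheses. No hyphen, so no accidental range. \z anchors at the true
// end of the string; "$" would also match before a trailing newline.
const ALLOW_LIST = '/\A[A-Za-z0-9(), ]+\z/';

// The question treats "no match" as valid input. The negated pattern only
// matches when EVERY character is disallowed, so one allowed character
// anywhere in the string is enough for the input to pass.
function originalAccepts(string $s): bool
{
    return preg_match(ORIGINAL, $s) === 0;
}

// Valid only when every character is in the allowed set.
function allowListAccepts(string $s): bool
{
    return preg_match(ALLOW_LIST, $s) === 1;
}

// Constructed inputs: one valid value, the cases named in the question,
// an empty string and a value with a trailing newline.
$samples = ['abc (1, 2)', '$^&', '*', 'r%', '"asa', '', "abc\n"];

foreach ($samples as $s) {
    printf(
        "%-14s original=%-6s allow-list=%s\n",
        json_encode($s),
        originalAccepts($s) ? 'accept' : 'reject',
        allowListAccepts($s) ? 'accept' : 'reject'
    );
}
```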

G&G Podcast Host
Joined: 06/01/2006
I love regex

Thanks JAAulde. I love reading regex and I got to read this over my morning cup of coffee.

Matt Farina
Geeks and God Former Co-Host
www.mattfarina.com