Full Version: Preg_match And Regular Expressions
Zymic Webmaster Forums > Web Design & Development > Server Side Scripting > PHP
swordz
Hi.

I'm having a little problem with apostrophes in a regular expression.

Here is my current (working) code:

CODE
$comments = $_POST['comments'];
// Reject the comment if it contains anything outside the allowed set
if (preg_match('/[^a-zA-Z0-9_ ,!\(\)\?\.-]/', $comments)) {
    $file = "failstring.html";
} else {
    $file = "guestbook.html";
}


Obviously failstring.html is my error message, and guestbook.html is my ok message.

This code currently checks for anything other than a-Z, 0-9, _ , ! ( ) ? . - and fails if it finds anything.

I want to include apostrophes in this list, but keep getting an error message at the preg_match line. Basically, I think the apostrophe in the regular expression makes it think the string has ended. I have tried escaping the character.

Any ideas?

Thanks, swordz
Trippin7464
then use double quotes to surround the expression
instead of
CODE
if (preg_match('/[^a-zA-Z0-9_ ,!\(\)\?\.-]/', $comments)) {

use
CODE
if (preg_match("/[^a-zA-Z0-9_ ,!\(\)\?\.-]/", $comments)) {


Worth a shot.
Bread
You don't actually have to escape all characters within a character class, so this is perfectly valid:

CODE
if(preg_match("/[^\w,'!()?.-]/", $str))
swordz
Thanks for your help so far.

However, I've been reading the php manual/talking on the IRC and I've now gone for a slightly different approach.

CODE
$comments = $_POST['comments'];
// Allow letters, digits, spaces and POSIX punctuation; reject anything else
if (preg_match("/[^a-zA-Z0-9 [:punct:]]/", $comments)) {
    $file = "failstring.html";
} else {
    // Undo magic_quotes escaping before escaping for MySQL
    if (get_magic_quotes_gpc() === 1) {
        $comments = stripslashes($comments);
    }
    // Needs an open MySQL connection; without one it returns FALSE,
    // which is inserted as an empty string
    $comments = mysql_real_escape_string($comments);
}


I then enter $comments into MySQL. However, it's blank, even if the original entry doesn't contain any punctuation. It's connecting fine, as there are other fields which are being filled fine. Just this one...

More help?

thanks,
swordz.
Bread
I'm a little confused, what is this check actually preventing?

POSIX : [:punct:] expanded is '-!"#$%&'()*+,./:;<=>?@[\\\]_`{|}~'

This basically doesn't leave a lot of characters that are actually filtered, it allows HTML to be posted... if you're trying to prevent XSS use something like this on output:

CODE
$comments = htmlspecialchars($comments, ENT_QUOTES);


If you're checking against white space, either trim and check the value, or preg_match [^\s] or a positive match of \S (any character except white space).
swordz
Yes, I am trying to prevent XSS.

I have a guest book stored in MySQL, and this is the comment they leave. Basically, I need to allow enough characters for them to be able to leave a comment, so quotes, punctuation, but then don't want problems when I enter it into MySQL.

My first method was quite restrictive, and I couldn't get ' allowed, so I've now tried allowing a lot, and have to stop it messing with MySQL.

If you have a better method, I'll use it!

swordz
Bread
Yeah, use the above example on output, it won't hurt the database if entered without stripping providing you mysql_real_escape_string'd it on input. This gives you the flexibility of allowing them to input pretty much anything and have it outputted in a safe way.
swordz
OK, will do!

Thanks a lot!

Just to confirm,
CODE
$comments=mysql_real_escape_string(htmlspecialchars($_POST['comments'], ENT_QUOTES));


thanks!

swordz

EDIT: Just tried this, and it gives me a blank input to my MySQL. I'll try and find where the problem is...
EDIT: The first problem was me being new to this - didn't realise you had to be connected before you call mysql_real_escape_string! Now I need to undo this editing though...
FINAL EDIT: It's working - thanks for the guidance!
Bread
QUOTE(swordz @ Aug 12 2008, 02:52 PM) *
Just to confirm,
CODE
$comments=mysql_real_escape_string(htmlspecialchars($_POST['comments'], ENT_QUOTES));

Close but you want to htmlspecialchar it on output, not input, so something like:

The insertion:
CODE
// Insert
$comments = mysql_real_escape_string($_POST['comments']);

// Insert query--


The output:
CODE
// Output: encode for HTML at display time, reading from the fetched row
while($row = mysql_fetch_assoc($result))
{
   echo 'Comment: ', htmlspecialchars($row['comment_body'], ENT_QUOTES), "<br />\n";
}




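The flow Bread describes, as an added example that is not code from the thread: a character class that allows the apostrophe, raw storage escaped for SQL only, and HTML encoding at output. It uses a PDO prepared statement on an in-memory SQLite table (a constructed `guestbook` table with the thread's `comment_body` column) in place of mysql_real_escape_string, which needs a live MySQL connection; the sample comment is constructed.

```php
<?php
// Added example: one comment passes through three contexts, each with its
// own encoding. Storage keeps the raw text; encoding happens where it is used.

// Constructed sample input, as it might arrive in $_POST['comments'].
$raw = "Great site, isn't it? <b>bold</b> & \"quoted\"";

// 1. Validation. The apostrophe sits inside the character class; because the
//    pattern is in double quotes it does not terminate the PHP string.
//    Markup is allowed through on purpose: output encoding handles it.
function commentIsAllowed($s) {
    return preg_match("/[^\w\s,'!()?.\"&<>\/-]/", $s) === 0;
}

// 2. Storage. Escape for SQL only. A prepared statement (assumption: PDO with
//    the bundled sqlite driver) stands in for mysql_real_escape_string here;
//    either way the stored value is the raw text, not HTML-encoded text.
function insertComment(PDO $db, $comment) {
    $stmt = $db->prepare("INSERT INTO guestbook (comment_body) VALUES (?)");
    $stmt->execute([$comment]);
}

// 3. Output. HTML-encode at the point of display, exactly once.
function renderComment($stored) {
    return 'Comment: ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "<br />\n";
}

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE guestbook (comment_body TEXT)");

if (commentIsAllowed($raw)) {
    insertComment($db, $raw);
}
$stored = $db->query("SELECT comment_body FROM guestbook")->fetchColumn();

// Correct: the apostrophe, < > & and quotes are encoded once for the browser.
echo renderComment($stored);

// The variant corrected in the thread: encoding on input as well as output.
// Every & produced by the first pass is encoded again, so the visitor sees
// literal entity text instead of their punctuation.
echo renderComment(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
```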
swordz
Ah! I see! I have just run into problems caused by that...

Thanks!

swordz