Better way to write this regular expression?

MarkB423

I've noticed that a lot of regular expressions allow invalid characters to be added to the beginning and end of a string, posing a serious security risk if you use regular expressions to validate data... for instance:

"(0-9a-zA-Z)+" allows alphanumeric characters only... or does it?

As long as you have a digit or letter from a-z (or A-Z) somewhere in your input, anything else can get through simply by appending it to the end or beginning of the string...

so I write the above expression as follows:

"^{([0-9a-zA-Z]+)([0-9a-zA-Z]+)$"}

which basically says that the string has to begin AND end with alphanumeric characters...

Does anyone know of a way around the long-winded version that I came up with?

tijger

hi MarkB423,

^{([0-9a-zA-Z]+)$} should work for you.

^(allowed chars)$

greetings, tijger

mrmufin

How about something like:

$str = '*$#abcd123?!';
if(preg_match("/^([A-Z0-9]+)(.+)([A-Z0-9]+)$/i",$str)) {
	// matches
} else {
	// doesn't match
}

I haven't done a lot of testing on it, but it appears to allow anything in the middle of a string (as your question implies, but your reg_exps do not), while assuring that the string starts and ends with only letters or numbers.

Aren't reg_exps fun...?