problem using REGEXP in mysql_query

wil831

if i have line like

mysql_query("SELECT * FROM table WHERE column REGEXP '^($query)$'");

and a search form, how do i prevent people from doing something like $query="..."; to match all?

dnszero

The best way to avoid that is not to send any user input to a regex.

You could write a set filters to sanitize the input, by removing all special chars or whatnot, but that basically would defeat the point of using a regexto begin with. Unless you have a very good reason for letting users have access to such a powerful tool, it's better to use LIKE instead. And even then you should still pay attention to the input.

wil831

so when should REGEXP be used in a query?

dnszero

Generally, I only use regex's in a query only when there's no other way to
solve the problem. And even then, I'd think long and hard about it before
putting user input in one. It would be extremely difficult to escape everything
potentially troublesome while still leaving enough functionality to make it
worthwhile.

To get rid of the regex in your example above, use this instead:

"SELECT * FROM table WHERE column = '$query'"

Of course, I'm assuming that the column field has no newlines in it. If
that's not the case and you really do need to match 1 entire line exactly
(which is what your original example did), then it you could still do that
safely with a regex if you first removed or escaped all special chars from user
input.

If you need to provide some form of wildcard searching, you can use LIKE.
While not nearly as powerful as a regex, this type of search is much
easier to sanitize (remove malicious code from) and generally provides all
the functionallity average users require (ie, just simple wildcard matches). I
don't know if it provides any sort of begining and end of line anchors,
however, it seems extremely unlikely for that feature to be very usefull in
such a query.

You might also check out mysql's match() funtion. I don't really know
much about it, but seems like it might be helpful.