Validate or AddSlashes?

szym9341

I am using the following function for basic text fields on my form. I have looked up the ereg function and haven't been able to figure out the A-Za-z0-9 stuff too well. How do I allow the following entries to be made, yet have my system still safe from injections? Should I be using addslashes rather than this function?

desired entry examples:
1) first-run
2) O'Reiley

Thanks.

    // Validate text only
    function validateTextOnly($theinput,$description = ''){
        $result = ereg ("^[A-Za-z0-9\ ]+$", $theinput );
        if ($result){
            return true;
        }else{
            $this->errors[] = $description;
            return false; 
        }
    }

csn

Just do:

if !get_magic_quotes_gpc()
$field = pg_escape_string($field);

BTW, preg is recommended over ereg.

MarkR

You should always use the correct escaping function for every string going into the database - even if you THINK that it will probably not contain any strings which you think need escaping.

Validation is a separate topic and should be done on another level.

Normally I'd say, use a system to automatically correctly escape strings - some sort of DB access layer like DB_DataObjects, or use prepared queries with PEAR DB (Although I'm not 100% convinced about that).

If you try to add the code to correctly manually escape every string in your application into the database, you will fail. So don't do it.

Mark

csn

It's trivially easy to handle escaping without bloating your code by adding an entire library.