[Resolved] disallowed characters

ajdegans

Im wondering how to make it so that when a user registers for my website they are not allowed to use special characters in the username and password...

i wrote this:

if(eregi(':;[]{}"\'\<\>,.!@#$%^\&*()-_+=', $password)) {
//do something
} else if(eregi(':;[]{}"\'\<\>,.!@#$%^\&*()-_+=', $username)) {
//do something again
}

in the code are some backslashes but they wont show here... :S

but it wont work, it shows me an error, though i have no redirect in my script it continues to another page withing the second... so i could not post it here..

but i saw flashing by that the eregi didnt work well and it was a warning about it...

Anyway. i looked at php.net and didnt find anything else but mail validators :S so im asking here... how do i fix this 🙂

thanks in advance!! 😕

Installer

Write a test script so that the warning doesn't flash by, then see what the warning says.

ajdegans

took a while, but heres the error:

Warning: eregi(): REG_EBRACK in /var/www/virtual/scripts/zeroblog_v1.2/panel/adduser.php on line 50

line 50 is this one:
if(eregi(':\;[]{}\"\'<>,.!@#$%^\&*()-_+=', $password)) {

Weedpacket

Well, apart from the fact that your syntax highlighting is mangled, which I may put down to vBulletin being odd, you never actually say anything about "any one of these characters".

'[b][[/b]:;\[\]{}"\'<>,.!@#$%^\&*()_+=\-[b]][/b]'

Noting that [, ] and - all have special meanings in character classes.

But are you sure those are the only characters that you don't allow (and what is your criterion)? What about © or ∞?

ajdegans

well basically i want to rule out uncommen characters. I typed these up, but i want tot allow ONLY normal chars. no goofy stuff as usernames and passwords...

Obviously the list i use now is not complete... didnt think of the copyright stuff at first. But good of you to mention them 🙂

maybe its easier to check if theres nothing else than regular chars and numbers?

and yes vbulletin is being odd for highlighting pieces of syntax.

laserlight

maybe its easier to check if theres nothing else than regular chars and numbers?

Yes, and safer too.

Actually, if you process and store a hash (say SHA1 hash) of the password, you dont have to worry about checking it.

ajdegans

and how do yo udo that :o

laserlight

[man]sha1/man

ajdegans

heh, i looked at the function, but i dont really see how this is helping me 🙁

also im wondering, what is wrong with just a simple eregi function?

im not trying to make an online vault or something.. or is this the normal way of exculding chars?

still the noob

laserlight

also im wondering, what is wrong with just a simple eregi function?

Nothing (though preg_match() might be better), except that you're looking for the wrong set of characters.

ajdegans

Originally posted by Weedpacket
'[b][[/b]:;\[\]{}"\'<>,.!@#$%^\&*()_+=\-[b]][/b]'

i tried that, just now.

it give me this on load of the page:
Parse error: parse error, unexpected ',' in /var/www/virtual/scripts/zeroblog_v1.2/panel/adduser.php on line 50

so i added a \ before the ' in the middle, now it seems. its not checking for the chars listed, atleast it continues like nothing is wrong 🙁:queasy:

laserlight

Consider something along the lines of:

if (preg_match('/[0-9A-Za-z\_]/' $str)) {
	//$str contains only alphanumeric characters and underscore
} else {
	//$str invalid
}

ajdegans

yes, you mentioned preg_match() earlier, i was just looking in to that on php.net 🙂

thanks so far !:p

laserlight

sorry, but I just noticed that I got the check opposite....

if (preg_match('/[^0-9A-Za-z\_]/' $str)) {
	//$str invalid
} else {
	//$str contains only alphanumeric characters and underscore
}

i.e. look for characters not in the list, and if any are found, the string is invalid.

ajdegans

i was thinking of this

if(!preg_match('/[^0-9A-Za-z\_]/', $str)) {
print "<form action='adduser.php' method='post' name='form'>";
print "Password has invalid characters."; 
print "<input type='hidden' name='status' value='$status'>";
print "<input type='hidden' name='username' value='$username'>";
print "<br>Password: <input type='text' name='password' size='40'>";
print "<br>Confirm: <input type='text' name='password2' size='40'>";
print "<br><br><input type='submit' name='submit' value='RETRY'></form>";
} else if($password!=$password2) {
//error
}

gonna test now... 🙂

ajdegans

alright above code doesnt work...

this does:

if(preg_match("/[^0-9A-Za-z_]/i", $password)) {
print "<form action='adduser.php' method='post' name='form'>";
print "Password has invalid characters. Only alpha-numeric chars are allowed."; 
print "<input type='hidden' name='status' value='$status'>";
print "<input type='hidden' name='username' value='$username'>";
print "<br><br>Password: <input type='text' name='password' size='40'>";
print "<br>Confirm: <input type='text' name='password2' size='40'>";
print "<br><br><input type='submit' name='submit' value='RETRY'></form>";
} else if($password!=$password2) {

though im wondering:

i saw /i means case insensitive...
/b sets a word boundary
but what does ^ do?
also the forwarding / and trailing / i do not fully understand. what do they exactly do 😕

Anyway, Thanks laserlight, weedpacket, installer for helping me out once again!!

Weedpacket

preg_match with

/^[ 0-9A-Z_-]$/i

will ensure that only English letters, (Arabic) digits, the underscore, space, and hyphen characters are allowed.

For details on the syntax, see here. Skip the section on "Differences from Perl". Also, the / is a delimiter that acts to separate the expression from any switches that may follow (like 'i'); search the forums on "regexp delimiter" if you like. (Here: like this one, which is how I knew the search would work).

ajdegans

awesome,

a new bookmark has been made 🙂😉

thanks again!