User input validation question

brailleschool

Hi all:

I have an input field called comments and I would like to only allow letters A-Z, a-z, numbers 0-9, punctuation and spaces. Any other input should not allow an insert into a backend DB. This is what I have so far and it's allowing anything. Please advise where I am going wrong. Thanks in advance.

<?
include("config.php");

if (!eregi("^[A-Za-z0-9_ ]+$", $comments)) 
{
echo "The message must be in the English language for you to send.  Rectify and try again. ";
}
else
{
$connection = mysql_connect("$server","$contactform_dbuser", "$contactform_dbpass");
$db = mysql_select_db("$contactform_database", $connection);
$query = "select * from $inputinformation";
$query = "insert into $inputinformation (`name`,`username`,`email`,`comments`,`contact`) values ('$name','$username','$email','$comments','$contact')";
$result = mysql_query($query, $connection);
echo "Your message has been sent to the Braille School Administration, and someone will be contacting you shortly if you requested a reply.  <a href=\"http://www.brailleschool.com\">Proceed back to the Braille School website.</a>";
}
?>

MarkR

Don't use ereg, use preg. It's the recommended regular expression function group.

I guess there's something wrong with your regexp, but I can't see what.

It's not necessary to do A-Za-z if you're doing a case insensitive match anyway.

Preg has a different (and much more powerful) syntax from ereg, I'd do preg_match('/^[a-z0-9 ]+$/i', $comments) or something

As a side note, you're not correctly escaping the various variables that are being inserted into the database.

Mark