Hi everyone,

I am sorting out my form submissions. I am currently using preg_match to validate. I want to change the validation code for names that include ' etc., such as O'Reilly. Should I use preg_match to do this or something else? I am very new to PHP and programming in general, so I apologise for my ignorance.

here is my code

if (preg_match('/^[a-zæøåÆØÅ_-]{1,}$/i', $_POST['surname'])) {
    $last = $_POST['surname'];
} else {
    $error1 .= "You didn't write a Surname!";
    $errcount++;
}

Another question,

Once I have validated the form I then need to submit the data into my database. I have been doing this fine with standard names, but I believe I need to use addslashes() when inserting data following the validation. Please advise if I am on the right track.

Many thanks roscor

    For the regex, just add an escaped quote to the character class:

    '/^[a-zæøåÆØÅ_-\']{1,}$/i'
    

    As far as making inputs safe for use in SQL, if you're using MySQL, look at the mysql_real_escape_string() function.

      Hi NogDog,

      Many thanks for the quick reply,
      I tried your suggestion but got this error,

      Warning: preg_match(): Compilation failed: range out of order in character class at offset 13 in ... on line 19

      Where line 19 is

      if(preg_match('/^[a-zæøåÆØÅ_-\']{1,}$/i', $_POST['surname'])){

      any other suggestions,

        Sorry, switch the order so the hyphen is the last thing in the character class. (The error is occurring because it's thinking I meant a range of characters from underscore to backslash.)

          Been trying, but I cannot place the hyphen anywhere within the character class; the same error message is shown. I will keep going at it.

          cheers roscor

            I have looked at Pattern syntax on php.net and changed

            if(preg_match('/^[.a-zæøåÆØÅ_-]{1,}$/i', $_POST['surname'])){

            to

            if(preg_match('/^[.a-zæøåÆØÅ\S_-]{1,}$/i', $_POST['surname'])){

            Where \S is described as "any character that is not a whitespace character"

            When my form validates it changes O'reilly to O\'reilly when displaying it to the user. This is obviously not good to show to the user. Any ideas why it does this, and should I be using a different approach?

            Thanks roscor
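Two regex points from the posts above deserve a worked demonstration: the "range out of order" compile error that appears when the hyphen is not last in the character class, and why `\S` inside the class is not a fix (it accepts every non-whitespace character, including `;`, `"` and `'`). The following is an added example written for this page, not code from the thread; it assumes the script and the submitted values are UTF-8 (hence the `/u` modifier) and uses constructed sample surnames.

```php
<?php
// Added example, not code from the thread. Assumes UTF-8 source and input.

function surname_is_valid($surname, $pattern)
{
    // preg_match() returns false (and emits a warning) when the pattern does
    // not compile; that must not be confused with "no match" (0).
    $rc = @preg_match($pattern, $surname);
    if ($rc === false) {
        throw new RuntimeException('pattern does not compile: ' . $pattern);
    }
    return $rc === 1;
}

// In a single-quoted PHP string \' is just a quote, so the regex engine sees
// "_-'" : a range from _ (0x5F) down to ' (0x27), hence "range out of order".
$broken = '/^[a-zæøåÆØÅ_-\']+$/iu';

// A literal hyphen must be the last (or first) thing in the class. The quote
// needs no escaping at the regex level, only at the PHP string level.
$fixed  = '/^[a-zæøåÆØÅ\'_-]+$/iu';

// \S inside the class means "any non-whitespace character", which silently
// widens the whitelist to punctuation that has meaning in SQL and HTML.
$loose  = '/^[.a-zæøåÆØÅ\S_-]+$/iu';

// Constructed sample inputs.
$samples = array("O'Reilly", "Smith-Jones", "Øvrebø", "Robert';DROP");

foreach (array('fixed' => $fixed, 'loose' => $loose) as $name => $pattern) {
    foreach ($samples as $s) {
        printf("%-6s %-14s %s\n", $name, $s,
               surname_is_valid($s, $pattern) ? 'accept' : 'reject');
    }
}
// fixed accepts the first three and rejects "Robert';DROP" (the ; is not in the
// class); loose accepts all four because \S matches ; and ' alike.

try {
    surname_is_valid("O'Reilly", $broken);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";   // the compile failure seen in the thread
}
```

The `@` only hides the compile warning so the failure can be reported once through the exception; in production code the pattern is a constant, so a compile failure is a programming error to fix, not a user input to handle.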

              If magic_quotes is enabled, then PHP is automatically escaping quotes in your form submissions. You might want to do something like:

              foreach($_POST as $key => $val)
              {
                if(get_magic_quotes_gpc())
                {
                  $_POST[$key] = stripslashes($val);
                }
              }
              

              Note: it is then important that any such data that will be used within a database SQL statement be made "safe" via a function such as mysql_real_escape_string().

                Many thanks for that NogDog,

                I am now really struggling with the whole addslashes(), stripslashes(), mysql_real_escape_string() thing. I am working through many of the phpbuilder threads along with php.net, but as a newbie it's a bit daunting.

                I understand(i think) how it all works, but would be very appreciative of any plain talk on how the whole set up should work.

                  One approach:

                  1. Put the code in my last reply in your script before you interact with the $_POST values.

                  2. Do your form validation stuff against the now unescaped values in $_POST.

                  3. When building your SQL statements, use mysql_real_escape_string() to make the data safe for and parse-able by MySQL:

                    $sql = sprintf("INSERT INTO table_name VALUES('%s', '%s', '%s')",
                                   mysql_real_escape_string($_POST['value1']),
                                   mysql_real_escape_string($_POST['value2']),
                                   mysql_real_escape_string($_POST['value3']));
                    $result = mysql_query($sql) or die ("Query failed: $sql - " . mysql_error());
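The three steps above, wired together as one added example for this page (not the thread's code). It keeps the order NogDog describes (undo magic quotes, validate, then pass the data to MySQL) but swaps the last step: the `mysql_*` extension was removed in PHP 7.0, so the insert uses a mysqli prepared statement, which keeps the surname out of the SQL text entirely rather than escaping it into the text. `get_magic_quotes_gpc()` itself was removed in PHP 8.0, hence the `function_exists` guard. The table columns, connection details and the sample submission are assumptions for illustration, and the `male_female` and `dob` rules are stricter than the thread's patterns.

```php
<?php
// Added example, not code from the thread. Table/column names, credentials
// and the sample submission are assumptions.

// Step 1: undo magic_quotes_gpc so validation and storage see the raw input.
function strip_magic_quotes(array $post)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $post = array_map('stripslashes', $post);   // assumes a flat $_POST
    }
    return $post;
}

// Step 2: whitelist validation on the unescaped values.
// Returns an array of field => message; empty means every field passed.
function validate_tenant(array $post)
{
    $rules = array(
        'surname'     => '/^[a-zæøåÆØÅ\'_-]+$/iu',   // hyphen last, quote allowed
        'firstname'   => '/^[a-zæøåÆØÅ\'_-]+$/iu',
        'male_female' => '/^(male|female)$/i',
        'dob'         => '/^(0[1-9]|[12][0-9]|3[01])-(0[1-9]|1[0-2])-(19[0-9]{2}|200[0-5])$/',
    );
    $errors = array();
    foreach ($rules as $field => $re) {
        if (!isset($post[$field]) || !preg_match($re, $post[$field])) {
            $errors[$field] = "You didn't write a valid $field!";
        }
    }
    return $errors;
}

// Step 3: bound parameters. The quote in O'Reilly is sent as data, so it can
// never terminate a string literal in the statement.
function insert_tenant(mysqli $db, array $t)
{
    $stmt = $db->prepare(
        'INSERT INTO tenant_details (surname, firstname, male_female, dob) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ssss', $t['surname'], $t['firstname'], $t['male_female'], $t['dob']);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt->affected_rows;   // 1 on success
}

// Constructed sample submission standing in for $_POST.
$post = strip_magic_quotes(array(
    'surname'     => "O'Reilly",
    'firstname'   => 'Ann-Marie',
    'male_female' => 'female',
    'dob'         => '14-03-1975',
));

$errors = validate_tenant($post);
if ($errors) {
    foreach ($errors as $msg) {
        echo $msg, "\n";
    }
    exit(1);
}

// Placeholder credentials; mysqli_report() turns driver errors into exceptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'tenants');
echo insert_tenant($db, $post), " row inserted\n";
```

Validation still matters with prepared statements: the parameter binding stops the apostrophe from breaking the SQL, but it is the regex whitelist that stops a surname from arriving as markup or a 4 KB blob. Escaping with `mysql_real_escape_string()` as in the post above is the right approach for the `mysql_*` extension; the two are not combined, since escaping an already bound parameter would store literal backslashes.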
                    

                    Hi I used the code

                    foreach($_POST as $key => $val)
                    {
                      if(get_magic_quotes_gpc())
                      {
                        $_POST[$key] = stripslashes($val);
                      }
                    } 

                    in the initial form, I then tried your later suggestion and placed

                    //mysql_connect($host,$username,$password);
                    mysql_select_db($database) or die("Unable to select database");
                    // The format string contains no %s placeholders: the raw $last, $first, ... are
                    // interpolated directly and the escaped arguments below are never used.
                    $query = sprintf("INSERT INTO tenant_details VALUES ('','$last','$first','$male','$dob','$landlordloid','$date')",
                                     mysql_real_escape_string($_POST['surname']),
                                     mysql_real_escape_string($_POST['firstname']),
                                     mysql_real_escape_string($_POST['male_female']),
                                     mysql_real_escape_string($_POST['dob']),
                                     mysql_real_escape_string($_POST['landlordid']),
                                     mysql_real_escape_string($_POST['datesubmitted']));
                    // $sql is never assigned (the statement is in $query), so mysql_query() is given nothing.
                    $result = mysql_query($sql) or die("Query failed: $sql - " . mysql_error());

                    Like so. This caused a "query failed" on every execute no matter what data was being recovered (i.e. smith). I took out the latter and just used the first piece of code; this again allowed me to place and also view data. When the data incorporates a ' as in o'reilly, the data is stored as such in the database, but I cannot recover and display it. Hope this is clear. I will keep going and just hope I don't mess up the code which I have written. Many thanks roscor (here is my code).
                    tenantinput.php.

                    <?php
                    session_start();
                    if (!isset($_SESSION['valid_user'])) {   // session_is_registered() was removed in PHP 5.4
                        header("location:../userlogin.php");
                        exit;   // without this the script keeps running and processes the POST anyway
                    }

                    // Undo magic_quotes escaping so validation sees the raw submitted values
                    foreach ($_POST as $key => $val) {
                        if (get_magic_quotes_gpc()) {
                            $_POST[$key] = stripslashes($val);
                        }
                    }
                    //echo session_id();

                    if (isset($_POST["submit"])) {
                        $errcount = 0;
                        $error1  = "<span style='color:red'>";
                        $error2  = "<span style='color:red'>";
                        $error3  = "<span style='color:red'>";
                        $error4  = "<span style='color:red'>";
                        $error15 = "<span style='color:red'>";
                        $error16 = "<span style='color:red'>";

                        //check if someone has filled out a form
                        //validate name
                        if (preg_match('/^[.a-zæøåÆØÅ\S_-]{1,}$/i', $_POST['surname'])) {
                            $last = $_POST['surname'];
                        } else {
                            $error1 .= "You didn't write a Surname!";
                            $errcount++;
                        }
                        if (preg_match('/^[a-zæøåÆØÅ_-]{1,}$/i', $_POST['firstname'])) {
                            $first = $_POST['firstname'];
                        } else {
                            $error2 .= "You didn't write a Firstname!";
                            $errcount++;
                        }
                        if (preg_match('/^[a-zæøåÆØÅ_-]{4,}$/i', $_POST['male_female'])) {
                            $male = $_POST['male_female'];
                        } else {
                            $error3 .= "You didn't write Male or Female!";
                            $errcount++;
                        }
                        if (preg_match("/^(0[1-9]|[1-2]{1}[0-9]{1}|3[0-1]{1})-(0[1-9]{1}|1[0-2]{1})-(19[\d]{2}|200[0-5])$/", $_POST['dob'])) {
                            $dob = $_POST['dob'];
                        } else {
                            $error4 .= "You didn't write a Date Of Birth!";
                            $errcount++;
                        }

                        if ($errcount != 0) {
                            //displays errors in form boxes
                        } else {
                            include("dbinfo.inc.php");
                            mysql_connect($host, $username, $password);
                            @mysql_select_db($database) or die("Unable to select database");

                            // escape after connecting: mysql_real_escape_string() needs an open connection
                            $last  = mysql_real_escape_string($_POST['surname']);
                            $first = mysql_real_escape_string($_POST['firstname']);
                            $male  = $_POST['male_female'];
                            $dob   = $_POST['dob'];
                            $landlordloid = $_POST['landlordloid'];
                            $date  = $_POST['datesubmitted'];

                            $query = "SELECT * FROM tenant_details WHERE surname='$last' and firstname='$first' and male_female='$male' and dob='$dob'";
                            $result = mysql_query($query);
                            if (mysql_num_rows($result) == 1) {
                                $last  = mysql_result($result, 0, 'surname');
                                $first = mysql_result($result, 0, 'firstname');
                                $male  = mysql_result($result, 0, 'male_female');
                                $dob   = mysql_result($result, 0, 'dob');
                                $_SESSION['ten_surname']     = $last;
                                $_SESSION['ten_firstname']   = $first;
                                $_SESSION['ten_male_female'] = $male;
                                $_SESSION['ten_dob']         = $dob;
                                echo '<meta http-equiv="refresh" content="0;url=gettd.php">';
                            } else {
                                $last  = $_POST['surname'];
                                $first = $_POST['firstname'];
                                $male  = $_POST['male_female'];
                                $dob   = $_POST['dob'];
                                $landlordloid = $_POST['landlordloid'];
                                $date  = $_POST['datesubmitted'];
                                $_SESSION['ten_surname']     = $last;
                                $_SESSION['ten_firstname']   = $first;
                                $_SESSION['ten_male_female'] = $male;
                                $_SESSION['ten_dob']         = $dob;
                                echo '<meta http-equiv="refresh" content="0;url=tenantper.php">';
                            }
                        }
                    }
                    ?>

                    gettd.php

                    <?php
                    session_start();   // needed before reading $_SESSION below
                    include("dbinfo.inc.php");

                    $date  = $_POST['datesubmitted'];
                    $last  = $_SESSION['ten_surname'];
                    $first = $_SESSION['ten_firstname'];
                    $male  = $_SESSION['ten_male_female'];
                    $dob   = $_SESSION['ten_dob'];

                    mysql_connect($host, $username, $password);
                    mysql_select_db($database) or die("Unable to select database");

                    // $last goes into the SQL unescaped: a surname such as O'reilly ends the string
                    // literal early, the query fails and mysql_query() returns false.
                    $query = "SELECT * FROM tenant_details WHERE surname='$last' and firstname='$first' and male_female='$male' and dob='$dob'";
                    $result = mysql_query($query);

                    $num = mysql_num_rows($result);

                    echo "<b><center>Database Result</center></b><br><br>";

                    $i = 0;
                    while ($i < $num) {
                        $i++;
                    }

                    if ($num == 0) {
                    // (the rest of this script is cut off in the original post)
                    ?>
                    

                    tenantper.php

                    <?php
                    session_start();

                    if ($_SESSION['posted'] == 1) {
                        echo 'you have already posted data';
                        exit;
                    } else {
                        include("dbinfo.inc.php");

                        mysql_connect($host, $username, $password);
                        @mysql_select_db($database) or die("Unable to select database");

                        // escape every value after connecting so a ' in a name cannot break the INSERT
                        $last  = mysql_real_escape_string($_POST['surname']);
                        $first = mysql_real_escape_string($_POST['firstname']);
                        $male  = mysql_real_escape_string($_POST['male_female']);
                        $dob   = mysql_real_escape_string($_POST['dob']);
                        $landlordloid = mysql_real_escape_string($_POST['landlordloid']);
                        $date  = mysql_real_escape_string($_POST['datesubmitted']);

                        $query = "INSERT INTO tenant_details VALUES ('','$last','$first','$male','$dob','$landlordloid','$date')";
                        mysql_query($query) or die("Query failed: " . mysql_error());

                        echo '<meta http-equiv="refresh" content="0;url=gettd.php">';
                        // echo "<script>window.location='tenantper.php'</script>";
                    }
                    ?>

                      Thanks for your help NogDog; plus trawling through threads has helped. I eventually used addslashes() and stripslashes() to sort my data retrieval, as such,

                      for others.

                      $whatever = stripslashes($_GET['table_data']);

                      this following the database connect and mysql query.
