Illegal Characters

obrienkev

Hi all,

How do I check if a user has entered an apostrophe or other illegal characters in a form field?? Below is my code...


if(!$field || $field == ''')
{
  $error_message['field'] = 'Please Remove Backslash or Apostrophe';
}

laserlight

Instead of asking: What should I not allow?
Ask: What should I allow?

Then, you can use regex to validate it.

NogDog

Also, it might be worth asking at this point why you want to disallow those characters: is it because they logically should not belong in that type of data, or simply because they generate an error somewhere in your application? If the latter, then the better answer might be to fix the ability of your code to handle those inputs (such as using [man]mysql_real_escape_string[/man] when adding the value to the database or [man]htmlspecialchars[/man] with the ENT_QUOTES option when outputting it back to the user).

MarkR

It is good practice to both validate data and escape it correctly when using it in a database although strictly speaking, only the validation step may be required.

You should probably have an application-wide standard for how to correctly escape data going into the DB - prepared queries are ideal.

Validating against a set of characters is quite a useful thing to do, you might wish to write a function to do this, either with a regexp or some other way.

Finally, I have a routine which I use to detect things which are just too stupid to ever be required, which is called on every page, and spits out a 400 error if unusual ascii control characters appear anywhere in the GET or POST data and in a few other stupid cases.

Mark