I have the regex pattern [A-Za-z' -]{1,50}$. It works fine apart from that it doesn't allow ', even though some software I'm using (The Regex Coach) says it should allow ' (e.g. o'reilly should be OK), but when I try to use it in PHP it returns an error (my error saying it's not allowed). Here is the bit of PHP code I'm using:

if (preg_match("/^[A-Za-z' -]{1,50}$/", $fname)) {
    // first name accepted
} else {
    $dont_send = 1;
    echo "First Name Must be a-z or A-Z only<br />";
}

This should allow a-z, A-Z, -, ' and spaces, but for some reason it won't allow '

Any ideas why this isn't working? Thanks.

    Just a thought, do you by any chance have the dreaded magic_quotes_gpc setting turned on? If so, then any form input with a single quote in it would have a back-slash escape character inserted before the quote.

      @ - you're a star, it must be that. I just checked using phpinfo() and it's turned on. I have read about those before but never knew it was turned on with mine. Shall I turn it off? Is there a way I can temp turn it off to test?

          madhead29 wrote:

          Shall I turn it off?

          Without a doubt - yes.

          madhead29 wrote:

          Is there a way I can temp turn it off to test?

          Not sure why you'd want to do it temporarily, but you could try using a .htaccess file if PHP was installed as an Apache module (thus allowing you to use the php_flag directive) - see this manual page for more info: [man]configuration.changes[/man].

          EDIT: Also, more about magic quotes (including how to disable them): [man]security.magicquotes[/man].

            @ - thanks for the reply - I have turned it off and it works! Would it be hard to allow foreign characters as well, like é? Or would I be better off using preg_match to just check for stuff like ><{}%&*()|¬$ and then say those are not allowed if it finds them?

              I'll have to defer to someone else who has more experience with character matching with international considerations.

              I will say that >90% of the time, it's far easier to have a whitelist of allowed characters than try to create a blacklist of everything you don't want.

                Yeah, I think I will have a look into it. This is for security, so I want to disallow any characters that they could use to cause trouble or hack the site with. I can't see there being that many, and hopefully ><{}%&*()|¬$ should take care of a lot of the hacks, but I will look into it. Thanks for your help :-)

                  I don't know what you mean by "hack the site", but you should always employ generic data sanitization rather than just trying to develop intricate blacklists (IMHO, anyway). For example, use something like [man]mysql_real_escape_string[/man] or prepared statements when using user-supplied data in SQL queries, and use something like [man]htmlentities[/man] or [man]strip_tags[/man] when displaying user-supplied data to prevent things like XSS.
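
Added example, not part of the thread and not any poster's code: a whitelist version of the name check that also accepts accented letters, run over constructed inputs including one mangled the way magic_quotes_gpc would mangle it. The names NAME_PATTERN and is_valid_name, and the use of \p{L}, \p{M} and \z, are choices made for this illustration.

```php
<?php
// Illustrative example; NAME_PATTERN and is_valid_name() are hypothetical names.

// Whitelist: Unicode letters (\p{L}), combining marks (\p{M}), apostrophe,
// space and hyphen, 1 to 50 characters. The /u modifier makes PCRE read the
// subject as UTF-8, so "é" counts as one character. \z anchors at the very
// end of the string (a bare $ also matches just before a trailing newline).
const NAME_PATTERN = "/^[\\p{L}\\p{M}' -]{1,50}\\z/u";

function is_valid_name(string $name): bool
{
    // preg_match() returns 1 on a match, 0 on no match, and false on error
    // (for example invalid UTF-8 under /u), so compare strictly against 1.
    return preg_match(NAME_PATTERN, $name) === 1;
}

// Constructed sample inputs. addslashes() stands in for what
// magic_quotes_gpc did to request data before the script saw it.
$samples = [
    "o'reilly",
    addslashes("o'reilly"),   // o\'reilly: the backslash is not whitelisted
    "José",
    "Anne-Marie",
    "<b>Bob</b>",
    "Smith\n",
    "",
];

foreach ($samples as $raw) {
    $verdict = is_valid_name($raw) ? 'accepted' : 'rejected';
    // json_encode() makes the backslash and newline visible; htmlspecialchars()
    // escapes for HTML at output time, whether or not the value validated.
    $shown = htmlspecialchars(
        json_encode($raw, JSON_UNESCAPED_UNICODE),
        ENT_QUOTES,
        'UTF-8'
    );
    echo $shown, ' => ', $verdict, PHP_EOL;
}
```

An accepted name can still contain an apostrophe, so it still needs a prepared statement when stored and escaping when displayed, as the last reply says.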
