Jump to content
Larry Ullman's Book Forums

Recommended Posts



I'm trying to use a regular expression to limit user input by only allowing all capitol and lowercase letters, numbers, underscore, `, and \. I would like it to be 1-12 characters long and have no spaces. However, when I try to create it and put it into the prce.php, it still allows spaces and more than 12 characters. Here is what I am using:




Any help would be appreciated, thank you. I am using PHP v 5.3.

Link to comment
Share on other sites

To write a negating character class, the caret symbol (^) must be the first character after the opening square bracket.


In the case of the regex that you want, you don't have to worry about negating whitespace characters because a character class will only search for the specified characters and nothing else by default.

As such, your current regex is allowing what you want, but in addition, it's allow caret symbols and whitespace characters too.


The following regex should give you what you want:


Please test it and let me know whether it works or not.

Link to comment
Share on other sites

Hi HartleySan,


I received this error when I tried it: An error occurred in script ************** on line **: preg_match(): Compilation failed: missing terminating ] for character class at offset 12. Here is the code for that:


elseif (preg_match('/[\w`\\]{1,12}/', $trimmed['username'])) {
        $username = mysqli_real_escape_string($dbc, $trimmed['username']);
I then changed it to elseif (preg_match('/[[\w`\\]{1,12}]/', $trimmed['username'])) {
        $username = mysqli_real_escape_string($dbc, $trimmed['username']);
(Added an extra bracket after the first backslash) and tried f-_` and it allowed it. Also tried f -11$%1111 and it worked as well. Just to be clear, I do not want to allow any other characters other than A-Za-z0-9_` and \ and to not allow spaces.
Thanks again for your help.
Link to comment
Share on other sites

Oh, right. I forgot about that.

Because the PHP string parser gets a hold of the regex before the regex parser, you have to escape the backslash escaping the backslash. Sounds insane, I know, but it's true.


As such, the following regex *should* work:

Link to comment
Share on other sites

Just tried that one too, it goes through now but allows things like 'f    -$%fff' as a valid username. If a user were to try to put that in I want it to error out and tell them what is a valid input. Here is the whole validation block:


//Validate username
    if (empty($_POST['username'])) {
        $errors[] = 'Please enter your username.';
    } elseif (preg_match('/[\w`\\\\]{1,12}/', $trimmed['username'])) {
        $username = mysqli_real_escape_string($dbc, $trimmed['username']);
    } else {
        $errors[] = 'Please only use letters, numbers, and underscore.';
Is maybe something else wrong with my setup or in that code?
Link to comment
Share on other sites

Well I'll be.

I haven't used the preg_match function in a while, and I'd kinda forgotten how it works.

The reason it isn't working is because you have to start the regex with ^ and end it with $. Otherwise, the regex matches the string you mentioned above because there is at least one character that does match the regex.


I finally decided to bust out a script myself and test things, so I can finally say with great certainty that the following regex will work and give you what you want:


Sorry for the runaround there. I guess in the future I should just test things from the start.

Link to comment
Share on other sites


  • Create New...