Larry Ullman's Book Forums


Hi,

 

I'm trying to use a regular expression to limit user input by only allowing all capital and lowercase letters, numbers, underscore, `, and \. I would like it to be 1-12 characters long and have no spaces. However, when I try to create it and put it into the prce.php, it still allows spaces and more than 12 characters. Here is what I am using:

 

/[\w^\s`\\]{1,12}/

 

Any help would be appreciated, thank you. I am using PHP v 5.3.


To write a negating character class, the caret symbol (^) must be the first character after the opening square bracket.

 

In the case of the regex that you want, you don't have to worry about negating whitespace characters because a character class will only search for the specified characters and nothing else by default.

As such, your current regex is allowing what you want, but in addition, it's allowing caret symbols and whitespace characters too.

 

The following regex should give you what you want:

/[\w`\\]{1,12}/

Please test it and let me know whether it works or not.


Hi HartleySan,

 

I received this error when I tried it: An error occurred in script ************** on line **: preg_match(): Compilation failed: missing terminating ] for character class at offset 12. Here is the code for that:

 

elseif (preg_match('/[\w`\\]{1,12}/', $trimmed['username'])) {
        $username = mysqli_real_escape_string($dbc, $trimmed['username']);
 
I then changed it to elseif (preg_match('/[[\w`\\]{1,12}]/', $trimmed['username'])) {
        $username = mysqli_real_escape_string($dbc, $trimmed['username']);
 
(Added an extra bracket after the first backslash) and tried f-_` and it allowed it. Also tried f -11$%1111 and it worked as well. Just to be clear, I do not want to allow any other characters other than A-Za-z0-9_` and \ and to not allow spaces.
 
Thanks again for your help.

Oh, right. I forgot about that.

Because the PHP string parser gets a hold of the regex before the regex parser, you have to escape the backslash escaping the backslash. Sounds insane, I know, but it's true.

 

As such, the following regex *should* work:

/[\w`\\\\]{1,12}/

Just tried that one too, it goes through now but allows things like 'f    -$%fff' as a valid username. If a user were to try to put that in I want it to error out and tell them what is a valid input. Here is the whole validation block:

 

//Validate username
    if (empty($_POST['username'])) {
        $errors[] = 'Please enter your username.';
    } elseif (preg_match('/[\w`\\\\]{1,12}/', $trimmed['username'])) {
        $username = mysqli_real_escape_string($dbc, $trimmed['username']);
    } else {
        $errors[] = 'Please only use letters, numbers, and underscore.';
    }
 
Is maybe something else wrong with my setup or in that code?

Well I'll be.

I haven't used the preg_match function in a while, and I'd kinda forgotten how it works.

The reason it isn't working is because you have to start the regex with ^ and end it with $. Otherwise, the regex matches the string you mentioned above because there is at least one character that does match the regex.

 

I finally decided to bust out a script myself and test things, so I can finally say with great certainty that the following regex will work and give you what you want:

/^[\w`\\\\]{1,12}$/

Sorry for the runaround there. I guess in the future I should just test things from the start.

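Added example (not part of the original thread and not any poster's code): a PHP script that runs the patterns tried above against the usernames mentioned in the thread, so the effect of the backslash escaping and of the anchors can be seen side by side. The classify() helper, the last three inputs and the \A...\z variant are assumptions added for illustration, and the script assumes PHP 7 or later; \z is included because $ in PCRE also matches just before a trailing newline.

```php
<?php
// Added example; classify() and the constructed inputs are hypothetical.

// In a single-quoted PHP string, \\ collapses to one backslash before PCRE
// compiles the pattern, so a literal backslash inside a class takes four.
$patterns = [
    'two backslashes'       => '/[\w`\\]{1,12}/',        // PCRE receives [\w`\]{1,12}
    'four, unanchored'      => '/[\w`\\\\]{1,12}/',      // matches any allowed substring
    'four, ^...$'           => '/^[\w`\\\\]{1,12}$/',    // the thread's final pattern
    'four, \A...\z (added)' => '/\A[\w`\\\\]{1,12}\z/',  // $ also matches before a final "\n"
];

$inputs = [
    'f-_`',             // from the thread
    'f -11$%1111',      // from the thread
    'f    -$%fff',      // from the thread
    'user_1\\`',        // constructed: only allowed characters
    'abcdefghijklm',    // constructed: 13 characters
    "admin\n",          // constructed: trailing newline
];

// preg_match() returns 1 (match), 0 (no match) or false (pattern error).
// false must not be folded into "invalid input".
function classify(string $pattern, string $input): string
{
    $result = @preg_match($pattern, $input); // @ silences the compile warning for this demo
    if ($result === false) {
        return 'PATTERN ERROR';
    }
    return $result === 1 ? 'accept' : 'reject';
}

foreach ($patterns as $label => $pattern) {
    echo $label, '  =>  ', $pattern, PHP_EOL;
    foreach ($inputs as $input) {
        printf("    %-18s %s%s", json_encode($input), classify($pattern, $input), PHP_EOL);
    }
}
```

In the validation block from the thread the input is trimmed before matching, so the trailing-newline case only matters where the raw value is checked.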
