Marie
Posted January 7, 2012

My registration form will not accept any name with a space, hyphen or apostrophe, such as O'Meara or Mary-Lou. The form tells me to "Please enter your first name or last name or username" - whichever applies. When I take the space, hyphen, or apostrophe out then the form will submit. I am using the code from the Knowledge is Power site.

```php
<?php
// Check for a form submission:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // Check for a first name:
    if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $_POST['first_name'])) {
        $fn = mysqli_real_escape_string ($connect, $_POST['first_name']);
    } else {
        $reg_errors['first_name'] = 'Please enter your first name!';
    }

    // Check for a last name:
    if (preg_match ('/^[A-Z \'.-]{2,40}$/i', $_POST['last_name'])) {
        $ln = mysqli_real_escape_string ($connect, $_POST['last_name']);
    } else {
        $reg_errors['last_name'] = 'Please enter your last name!';
    }

    // Check for a username:
    if (preg_match ('/^[A-Z0-9]{2,30}$/i', $_POST['username'])) {
        $u = mysqli_real_escape_string ($connect, $_POST['username']);
    } else {
        $reg_errors['username'] = 'Please enter a desired name!';
    }

} // End of the form submission check (the excerpt stops here).
```

Hoping that someone can shed some light on this problem.

Thanks,
Marie

Josee
Posted January 8, 2012

Have you tried using stripslashes()? Like this for instance:

```php
if (preg_match ('/^[A-Z \'.-]{2,20}$/i', stripslashes($_POST['first_name'])))
```

I hope this helps,

Marie
Posted January 9, 2012

Thanks for posting. The form submitted and I got this in my database - O\'Toole instead of just O'Toole.

I was wondering though, why the original code would be incorrect. I was thinking that I may have been missing something in another area, like the config file, or forms function file.

Marie

Josee
Posted January 9, 2012

Hello, Marie,

Your server probably has Magic Quotes on. Look at the escape_data() function at the bottom of page 55. It will show you both how to check that this is the case – just echo the result of if (get_magic_quotes_gpc( )) – and how to solve the problem once for all.

But, since you are from Canada, also note that the regular expression, as it is, won't allow for French names with diacritics, such as "Jean-François Desfossés". It only allows the English alphabet.

Marie
Posted January 9, 2012

Thanks for giving me a heads up with regard to the French accents since there are plenty of French people living in English Canada and eventually I will have to do my site in French as well.

I was wondering about my server because when I tried to register under the site which is on the Larry Ullman website it worked fine.

Thanks very much for your help.

Marie
Posted January 23, 2012

Hello,

I have examined this further and discovered that it seems it is just the apostrophes that my form does not accept. The code in the book may or may not be correct as I stated, however, when I register within the page set up on the Knowledge is Power site within the Larry Ullman website the form there will accept a name with an apostrophe. Supposedly I am using the same code in my sample web site although my page will not accept an apostrophe.

When I used the stripslashes code above it accepts it but then the backslash shows up in the database which I have discovered indicates that the code has been escaped twice. Will the slashes show up when the data is retrieved from the database?

I got in contact with my server but they cannot offer php support. They have told me that magic quotes is on. The more I check into forums, books, etc. the more I think this should be simple, however, everything I try does not work. I cannot find anything on this in the "php manual".

Thanks.

Larry
Posted January 23, 2012

You need to disable Magic Quotes. If you can't do that, then you need to adjust all the code to use stripslashes() when needed. So the solution is simple, but requires sound knowledge of PHP.

Edward
Posted January 24, 2012

For people wondering what the disabling part in the "php.ini" file looks like for Magic Quotes here is a copied

```ini
; Magic quotes are a preprocessing feature of PHP where PHP will attempt to
; escape any character sequences in GET, POST, COOKIE and ENV data which might
; otherwise corrupt data being placed in resources such as databases before
; making that data available to you. Because of character encoding issues and
; non-standard SQL implementations across many databases, it's not currently
; possible for this feature to be 100% accurate. PHP's default behavior is to
; enable the feature. We strongly recommend you use the escaping mechanisms
; designed specifically for the database your using instead of relying on this
; feature. Also note, this feature has been deprecated as of PHP 5.3.0 and is
; scheduled for removal in PHP 6.
; Default Value: On
; Development Value: Off
; Production Value: Off
; http://php.net/magic-quotes-gpc
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
; http://php.net/magic-quotes-runtime
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
; http://php.net/magic-quotes-sybase
magic_quotes_sybase = Off
```

Marie
Posted January 25, 2012

Thank you for all the helpful information. I am still experimenting with different codes etc.

The following did not work for me - Use Sybase-style magic quotes (escape ' with '' instead of \').

Also, it seems that it is not possible to turn Magic Quotes off at the server level so I am still playing around with escaping and stripslashes etc.

Josee is right about foreign accents. The form will not accept those either.

So, back to the web site.

Marie

Josee
Posted January 26, 2012

For your forms to accept French diacritics, you just need to add them to the regular expression, like this (since the match is case insensitive, no need to add lower-case characters):

```php
preg_match('/^[A-Z ÀÂÄÆÇÈÉÊËÎÏÔŒÙÛÜŸ\'.-]{2,20}$/i', $_POST['first_name'])
```

And if you want them to accept all European languages using the Latin alphabet, this should do it (all on one line, of course):

```php
preg_match('/^[A-Z ÀÁÂÃÄĀĂĄÅÆÇĆĈĊČĎĐÐÈÉÊËĒĔĖĘĚĜĞĠĢĤĦÌÍÎÏĨĪĬĮİIJĴĶĸĹĻĽĿŁÑŃŅŇʼnŊÒÓÔÕØŌŎŐŒŔŖŘßŚŜŞŠŢŤŦÙÚÛÜŨŪŬŮŰŲŴÝŸŶŹŻŽſÞð\'.-]{2,20}$/i', $_POST['first_name'])
```

I hope this helps,
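
Added example, not part of Josee's post: how the French character class above behaves with and without the `/u` modifier when the script file and the submitted form data are both UTF-8 (an assumption). It also goes one step beyond the post with `\p{L}`; the function names and sample names are constructed for illustration.

```php
<?php
// Added example: function names and sample names are constructed.
// Assumes this file and the submitted form data are both UTF-8.

// The French class as posted. Without /u the class is a set of bytes and
// {2,20} counts bytes, not characters.
function valid_bytes(string $name): bool
{
    return preg_match('/^[A-Z ÀÂÄÆÇÈÉÊËÎÏÔŒÙÛÜŸ\'.-]{2,20}$/i', $name) === 1;
}

// Same class with /u: pattern and input are read as UTF-8 characters, /i also
// folds the accented letters, and input that is not valid UTF-8 makes
// preg_match() return false, so it is rejected here.
function valid_utf8(string $name): bool
{
    return preg_match('/^[A-Z ÀÂÄÆÇÈÉÊËÎÏÔŒÙÛÜŸ\'.-]{2,20}$/iu', $name) === 1;
}

// Generalisation beyond the post: \p{L} matches any letter, so there is no
// list of accented characters to maintain.
function valid_any_letter(string $name): bool
{
    return preg_match('/^[\p{L} \'.-]{2,20}$/u', $name) === 1;
}

// Constructed samples.
$samples = [
    'Jean-François',  // lower-case c with cedilla
    'Desfossés',
    'É',              // one character, two bytes
    "O'Meara",
    "Fran\xE7ois",    // ISO-8859-1 bytes, not valid UTF-8
    'Łukasz',         // a letter outside the French list
];

foreach ($samples as $s) {
    printf(
        "%s | bytes: %s | utf8: %s | any letter: %s\n",
        bin2hex($s),
        var_export(valid_bytes($s), true),
        var_export(valid_utf8($s), true),
        var_export(valid_any_letter($s), true)
    );
}
```

The samples are printed as hex so the byte length of each name is visible next to the three results.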

Marie
Posted February 4, 2012

Thank you. This does help. That is one amazing line of accents but I can't forget anyone. It is possible that I will have to set up the sites in different languages - in the future.

Still working on the apostrophe problem. I set up a testing server on my machine and it works fine which is logical because I probably don't have magic quotes enabled.

So, back to php.

Marie
Posted February 5, 2012

Okay this is what I have done that seems to work so far. The data is being entered and there are no slashes in the database.

I followed the advice given above for the form validation and added stripslashes before the $_POST. This allowed my form to accept the apostrophe in the name. THEN I added stripslashes to the SQL code that enters the values into the database.

```php
// Check for a first name:
if (preg_match ('/^[A-Z \'.-]{2,20}$/i', stripslashes($_POST['first_name']))) {
    $fn = mysqli_real_escape_string ($connect, $_POST['first_name']);
} else {
    $reg_errors['first_name'] = 'Please enter your first name!';
}

// Check for a last name:
if (preg_match ('/^[A-Z \'.-]{2,40}$/i', stripslashes($_POST['last_name']))) {
    $ln = mysqli_real_escape_string ($connect, $_POST['last_name']);
}

$q = "INSERT INTO users (username, email, pass, first_name, last_name, date_expires) VALUES ('$u', '$e', '" . get_password_hash($p) . "', '" . stripslashes($fn) . "', '" . stripslashes($ln) . "', SUBDATE(NOW(), INTERVAL 1 DAY) )";
```
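
Added example, not code from the thread or the book: the option Larry describes (undo the Magic Quotes layer with stripslashes()) done once at input, followed by the thread's validation pattern and a bound query parameter, so no escaping function is applied twice or stripped afterwards. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the helper names, the `$magicQuotesOn` flag and the sample values are assumptions.

```php
<?php
// Added example: helper names and sample values are constructed.

// Undo the one layer of backslashes Magic Quotes added, and only if it added
// them. On the PHP versions discussed in the thread the flag would come from
// get_magic_quotes_gpc(); it is passed in here so the script runs anywhere.
function clean_gpc(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// The thread's first-name pattern, applied to the cleaned value.
function valid_name(string $name): bool
{
    return preg_match('/^[A-Z \'.-]{2,20}$/i', $name) === 1;
}

// Bound parameter: the driver carries the value separately from the SQL text,
// so the stored value is exactly the validated one.
function store_name(PDO $db, string $name): void
{
    $db->prepare('INSERT INTO users (first_name) VALUES (?)')->execute([$name]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (first_name TEXT)');

// Constructed samples: [value as PHP delivers it, Magic Quotes on?]
$samples = [
    ["O\\'Toole", true],  // apostrophe arrives as \' when Magic Quotes is on
    ["O'Toole", false],   // same name on a server with Magic Quotes off
    ["Mary-Lou", true],
    ["Anne1", false],     // digit: fails the pattern, never reaches the query
];

foreach ($samples as [$raw, $mq]) {
    $rawCheck = valid_name($raw) ? 'pass' : 'fail'; // the check on the raw value
    $name = clean_gpc($raw, $mq);
    $ok = valid_name($name);
    if ($ok) {
        store_name($db, $name);
    }
    echo "$raw: raw check $rawCheck, cleaned [$name] ", $ok ? 'stored' : 'rejected', "\n";
}

// What ended up in the table.
print_r($db->query('SELECT first_name FROM users')->fetchAll(PDO::FETCH_COLUMN));
```

With mysqli, as used in the thread, the same pattern is mysqli_prepare() with mysqli_stmt_bind_param() in place of the PDO calls.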

Marie
Posted March 13, 2012

Just curious about another aspect of this whole thing.

IF I treat this registration form in the same manner as the add_pdf file, and use this code -

```php
if (!empty($_POST['title'])) {
```

instead of -

```php
if (preg_match ('/^[A-Z \'.-]{2,40}$/i', $_POST['organization'])) {
```

Everything seems to get entered into the data base just fine, including apostrophes and other foreign characters.

So I am now wondering why anyone would use the preg_match code.

Marie

Larry
Posted March 14, 2012

Because preg_match() is more secure.