Is preg_match safe enaught in input satinization?
Posted
by DaNieL
on Stack Overflow
See other posts from Stack Overflow
or by DaNieL
Published on 2010-04-12T14:38:14Z
Indexed on
2010/04/12
14:43 UTC
Read the original article
Hit count: 476
Im building a new web-app, LAMP environment... im wondering if preg_match can be trusted for user's input validation (+ prepared stmt, of course) for all the text-based fields (aka not html fields; phone, name, surname, etc..).
For example, for a classic 'email field', if i check the input like:
$email_pattern = "/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)" .
"|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}" .
"|[0-9]{1,3})(\]?)$/";
$email = $_POST['email'];
if(preg_match($email_pattern, $email)){
//go on, prepare stmt, execute, etc...
}else{
//email not valid! do nothing except warn the user
}
can i sleep easy against the sql/xxs injection?
I write the regexp to be the more restrictive as they can.
© Stack Overflow or respective owner