eregi
Moderator: General Moderators
-
spacebiscuit
- Forum Contributor
- Posts: 390
- Joined: Mon Mar 07, 2005 3:20 pm
eregi
Hi,
I recently changed the version of PHP running on my server from version 5.2 to 5.3.
Now when I run one of my scripts it says a function has been deprecated: eregi
Looking at my script I am wondering if it was ever correct. What I want to do is check a string for bad characters. The bad characters are stored in an array so it's the needle in a haystack scenario.
Any suggestions? My initial thought was to use preg_match, but I don't think I can call this function with an array, can I?
Thanks in advance!
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: eregi
Not sure what you mean by "I don't think I can call this function with an array can I?" There is a preg equivalent for every one of the old ereg functions.
See the PHP manual.
Code: Select all
eregi('foo', 'This is foo.', $matches);
preg_match('/foo/i', 'This is foo.', $matches);
(#10850)
Re: eregi
For what it's worth, you should probably be making sure the string is entirely valid characters, not that it doesn't contain any invalid characters. Whitelist versus blacklist. The difference is subtle. Are you sure you've included every possible character that is invalid? Are 0x7F-0xFF valid? If not did you include them in your array? How about 0x00-0x1F? Also, keeping the characters in a string makes them easier to deal with: both preg_match() and most every other string function will want a string of characters and not an array of them.
Re: eregi
requinix wrote: Whitelist versus blacklist. The difference is subtle. Are you sure you've included every possible character that is invalid?
Very good advice!
Code: Select all
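// Anchored with ^ and $ (D modifier: $ matches only at the very end) so the
// whole value is checked, not just whether one allowed character occurs in it.
if (!preg_match('/^[a-z0-9_-]+$/iD', $strValue)) {
    echo "there was an invalid character, Must contain only letters, numbers, hyphens and underscores";
}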
-
spacebiscuit
- Forum Contributor
- Posts: 390
- Joined: Mon Mar 07, 2005 3:20 pm
Re: eregi
Thank you for the replies. Maybe I should be a little more detailed about what I am trying to do.
I am checking a string submitted via form for some 'bad' words which I have stored in an array. For example:
Code: Select all
$bad_strings = array("content-type:", "mime-version:", "multipart/mixed");
As you can see I am checking for malicious code injection. I have come up with this so far:
Code: Select all
foreach($bad_strings as $string){
    if(preg_match('!.(/$string_to_test).!', $string)){
        echo "<p>Bad string found!</p>";
        exit;
    }
}
I think I need to use the escape character before my variable '$string' but this isn't working because I can't find any matches when I test.
Any thoughts?
Thanks!
-
spacebiscuit
- Forum Contributor
- Posts: 390
- Joined: Mon Mar 07, 2005 3:20 pm
Re: eregi
Ok I have made some progress, I have this coded now:
Code: Select all
$bad_strings = array("abc", "def", "ghi");
foreach($bad_strings as $string){
    if(preg_match("!$string!", $str_to_test)){
        echo "<p>Bad string found!</p>";
        exit;
    }
}
If I throw it '1abc2' a match is found which is how I want it to work but I don't understand why the match is found because I thought I would have had to specify numeric characters such as:
Code: Select all
preg_match("![0-9]*$string[0-9]*!", $str_to_test);
I'm a little confused....
Re: eregi
The way you are doing it, it is matching because one of the $bad_strings was found, "abc". preg_match, unless told to match the beginning and/or end of strings, will look for it anywhere in what it is checking. Here are some examples (note I used the standard / instead of ! just out of typing habit):
/abc/ = find the text abc anywhere in it.... abc, abcd, 123abc, 123abcdef all match, a1bc won't
/^abc/ = find the text abc at the start... abc, abcdef, abc_anything all match, 123abc won't
/abc$/ = find the text abc at the end ... abc, 123abc both match, abcdef won't match
/^abc$/ = find exactly abc for the string... abc is the only thing that will match
Technically, ^ represents beginning of string, $ represents end of string, unless you pass it the m modifier, then they match the begin/end of each line in the string: /^abc$/m would match as long as the string was only "abc" or it had "abc" somewhere on its own line.
-Greg
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: eregi
You are also missing the two most important ways to match -- character sets. Especially since the OP asked "What I want to do is check a string for bad characters."
/[A-Za-z0-9]/ = // find alpha-numeric characters
/[^A-Za-z0-9]/ = // find any characters that are NOT alpha-numeric characters
They can also be in the form /^[A-Za-z0-9]*$/ to check the whole string.
(#10850)
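Added example, not code posted by anyone in this thread: the array-of-bad-strings check and the whole-string whitelist check discussed above, side by side, with the unanchored and `^...$` patterns run on the same inputs for comparison. The function names and sample inputs are constructed for illustration, and PHP 7.1 or later is assumed for the type declarations.

```php
<?php
// Added example; names and sample inputs are constructed for illustration.

// Blacklist check: case-insensitive substring search (what eregi was used for).
// stripos() needs no regex, so no delimiter or metacharacter escaping is involved;
// if a regex is required, escape each needle with preg_quote($needle, '/').
function find_bad_string(string $input, array $bad_strings): ?string
{
    foreach ($bad_strings as $needle) {
        if (stripos($input, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

// Whitelist check: the WHOLE value must consist of permitted characters.
// \A and \z anchor to the true start and end of the string; a bare $ also
// matches just before a trailing newline, so "alice\n" passes /^[a-z0-9_-]+$/i.
function is_valid_field(string $input): bool
{
    return preg_match('/\A[a-z0-9_-]+\z/i', $input) === 1;
}

$bad_strings = array("content-type:", "mime-version:", "multipart/mixed");

$samples = array(                       // constructed inputs
    "alice_01",
    "Alice\nContent-Type: text/html",
    "alice\n",
    "bob smith",
);

foreach ($samples as $s) {
    $hit = find_bad_string($s, $bad_strings);
    printf(
        "%-36s blacklist=%-14s unanchored=%s dollar=%s whitelist=%s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        $hit === null ? 'clean' : $hit,
        preg_match('/[a-z0-9_-]+/i', $s) ? 'pass' : 'fail',
        preg_match('/^[a-z0-9_-]+$/i', $s) ? 'pass' : 'fail',
        is_valid_field($s) ? 'pass' : 'fail'
    );
}
```

The third sample is clean by the blacklist and passes both looser patterns, yet still carries a control character from the 0x00-0x1F range; only the fully anchored whitelist rejects it.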