eregi

spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

eregi

Post by spacebiscuit »

Hi,

I recently changed the version of PHP running on my server from version 5.2 to 5.3.

Now when I run one of my scripts it says a function has been deprecated: eregi

Looking at my script I am wondering if it was ever correct. What I want to do is check a string for bad characters. The bad characters are stored in an array so it's the needle in a haystack scenario.

Any suggestions? My initial thought was to use preg_match but I don't think I can call this function with an array can I?

Thanks in advance!
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: eregi

Post by Christopher »

Not sure what you mean by "I don't think I can call this function with an array can I?" There is a preg equivalent for every one of the old ereg functions.

Code:

eregi('foo', 'This is foo.', $matches);
preg_match('/foo/i', 'This is foo.', $matches);
See the PHP manual.
(#10850)
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: eregi

Post by requinix »

For what it's worth, you should probably be making sure the string is entirely valid characters, not that it doesn't contain any invalid characters. Whitelist versus blacklist. The difference is subtle. Are you sure you've included every possible character that is invalid? Are 0x7F-0xFF valid? If not, did you include them in your array? How about 0x00-0x1F? Also, keeping the characters in a string makes them easier to deal with: both preg_match() and most every other string function will want a string of characters and not an array of them.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: eregi

Post by twinedev »

requinix wrote: Whitelist versus blacklist. The difference is subtle. Are you sure you've included every possible character that is invalid?
Very good advice!

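Code:

// \A and \z anchor the pattern so the whole string must consist of allowed
// characters; without anchors a single valid character anywhere would pass.
if (!preg_match('/\A[a-z0-9_-]+\z/i', $strValue)) {
   echo "there was an invalid character, Must contain only letters, numbers, hyphens and underscores";
}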
If you are just getting used to regular expressions, I HIGHLY suggest RegexBuddy. It is awesome in that you can see spelled out what the expression is doing while you build it, you can test it right there on sample data, and you can have it generate the code for you. Plus it does have some built-in ones. Plus you have a drop-down to select the engine type, including preg/ereg/javascript's/mysql's. I used to only use regex when I needed to, and usually anything besides basic I had to go look up. Trust me, time saver when learning! Some of my old code that would scrape data was ugly, using strpos() to find the beginning, and strpos() to find the end, and then substr() to grab in the middle.... So much easier with regex.
spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Re: eregi

Post by spacebiscuit »

Thank you for the replies. Maybe I should be a little more detailed about what I am trying to do.

I am checking a string submitted via form for some 'bad' words which I have stored in an array. For example:

Code:

$bad_strings = array("content-type:", "mime-version:", "multipart/mixed");
As you can see I am checking for malicious code injection. I have come up with this so far:

Code:

foreach($bad_strings as $string){

     if(preg_match('!.(/$string_to_test).!', $string)){	  
          echo "<p>Bad string found!</p>";
          exit;	 
     }

}
I think I need to use the escape character before my variable '$string' but this isn't working because I can't find any matches when I test.

Any thoughts?

Thanks!
spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Re: eregi

Post by spacebiscuit »

OK, I have made some progress; I have this coded now:

Code:

$bad_strings = array("abc", "def", "ghi");

foreach($bad_strings as $string){

     if(preg_match("!$string!", $str_to_test)){	  
          echo "<p>Bad string found!</p>";
           exit;	 
     }

}
If I throw it '1abc2' a match is found, which is how I want it to work, but I don't understand why the match is found because I thought I would have had to specify numeric characters such as:

Code:

preg_match("![0-9]*$string[0-9]*!", $str_to_test);
I'm a little confused....
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: eregi

Post by twinedev »

The way you are doing it, it is matching because one of the $bad_strings was found, "abc". preg_match, unless told to match the beginning and/or end of the string, will look for it anywhere in what it is checking. Here are some examples (note I used the standard / instead of ! just out of typing habits):

/abc/ = find the text abc anywhere in it.... abc, abcd, 123abc, 123abcdef all match, a1bc won't

/^abc/ = find the text abc at the start... abc, abcdef, abc_anything all match, 123abc won't

/abc$/ = find the text abc at the end ... abc, 123abc both match, abcdef won't match

/^abc$/ = find exactly abc for the string... abc is the only thing that will match

Technically, ^ represents beginning of string, $ represents end of string, unless you pass it the m modifier, then they match the begin/end of each line in the string: /^abc$/m would match as long as the string was only "abc" or it had "abc" somewhere on its own line.

-Greg
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: eregi

Post by Christopher »

You are also missing the two most important ways to match -- character sets. Especially since the OP asked "What I want to do is check a string for bad characters."

/[A-Za-z0-9]/ = // find alpha-numeric characters

/[^A-Za-z0-9]/ = // find any characters that are NOT alpha-numeric characters

They can also be in the form /^[A-Za-z0-9]*$/ to check the whole string.
(#10850)
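
An added example, not code from any poster in this thread: it builds a single case-insensitive pattern from the array of bad strings with preg_quote(), and sets the whole-string whitelist check and a control-character check beside it to show what the blacklist alone lets through. The function names and sample inputs are constructed, and the type declarations assume PHP 7 or later.

```php
<?php
// Added example; helper names and sample inputs are constructed.

// Blacklist: one case-insensitive pattern built from the array.
// preg_quote() escapes regex metacharacters and the '!' delimiter.
function contains_bad_string(string $input, array $badStrings): bool
{
    if (!$badStrings) {
        return false; // an empty alternation would match everything
    }
    $quoted = array_map(function ($s) {
        return preg_quote($s, '!');
    }, $badStrings);
    return preg_match('!' . implode('|', $quoted) . '!i', $input) === 1;
}

// Whitelist: the whole value must consist of permitted characters.
// \A and \z anchor to the true start and end of the string; unlike $,
// \z does not accept a trailing newline.
function is_valid_token(string $input): bool
{
    return preg_match('/\A[a-z0-9_-]+\z/i', $input) === 1;
}

// Single-line field such as a mail subject: reject 0x00-0x1F and 0x7F,
// which includes the CR and LF needed to start a new header line.
function is_single_line(string $input): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $input) === 0;
}

$badStrings = array("content-type:", "mime-version:", "multipart/mixed");

$samples = array(
    "Hello there",
    "Hi\r\nContent-Type: text/html", // listed header, different case
    "Hi\r\nX-Other: value",          // header that is not on the list
    "user_name-01",
    "user_name-01\n",                // trailing newline
);

foreach ($samples as $s) {
    printf("%-36s bad=%d token=%d single_line=%d\n",
        json_encode($s),
        contains_bad_string($s, $badStrings),
        is_valid_token($s),
        is_single_line($s));
}
```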