
eregi

Posted: Fri Nov 30, 2012 8:02 pm
by spacebiscuit
Hi,

I recently changed the version of PHP running on my server from version 5.2 to 5.3.

Now when I run one of my scripts, it says a function has been deprecated: eregi

Looking at my script I am wondering if it was ever correct. What I want to do is check a string for bad characters. The bad characters are stored in an array so it's the needle in a haystack scenario.

Any suggestions? My initial thoughts were to use preg_match, but I don't think I can call this function with an array, can I?

Thanks in advance!

Re: eregi

Posted: Fri Nov 30, 2012 10:06 pm
by Christopher
Not sure what you mean by "I don't think I can call this function with an array can I?" There is a preg equivalent for every one of the old ereg functions.

Code:

eregi('foo', 'This is foo.', $matches);
preg_match('/foo/i', 'This is foo.', $matches);

See the PHP manual.

Re: eregi

Posted: Fri Nov 30, 2012 10:53 pm
by requinix
For what it's worth, you should probably be making sure the string is entirely valid characters, not that it doesn't contain any invalid characters. Whitelist versus blacklist. The difference is subtle. Are you sure you've included every possible character that is invalid? Are 0x7F-0xFF valid? If not, did you include them in your array? How about 0x00-0x1F? Also, keeping the characters in a string makes them easier to deal with: both preg_match() and most every other string function will want a string of characters and not an array of them.
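
The difference between the two approaches, shown as an added PHP example that is not part of any post in this thread. The denylist characters, the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example; the denylist, function names and samples are constructed.

// Denylist: reject only the characters someone remembered to list.
function passes_denylist(string $s): bool
{
    $bad = "<>\"'%;()&+";                 // kept as a string, not an array
    return strpbrk($s, $bad) === false;
}

// Allowlist: every byte must be in the permitted set.
// \A and \z anchor to the true start and end of the string, so a value
// with a trailing newline is rejected as well.
function passes_allowlist(string $s): bool
{
    return preg_match('/\A[A-Za-z0-9 _.-]+\z/', $s) === 1;
}

// List the bytes that fall in 0x00-0x1F or 0x7F-0xFF, the ranges the post asks about.
function unexpected_bytes(string $s): array
{
    preg_match_all('/[\x00-\x1F\x7F-\xFF]/', $s, $m);
    return array_map(function ($b) { return sprintf('0x%02X', ord($b)); }, $m[0]);
}

// Constructed sample inputs.
$samples = array(
    'plain'      => 'hello_world-1',
    'null byte'  => "report\x00.txt",
    'line break' => "subject\r\nBcc: x",
    'high byte'  => "caf\xE9",
);

foreach ($samples as $label => $value) {
    printf("%-11s denylist=%-4s allowlist=%-4s bytes=%s\n",
        $label,
        passes_denylist($value) ? 'pass' : 'FAIL',
        passes_allowlist($value) ? 'pass' : 'FAIL',
        implode(',', unexpected_bytes($value)));
}
```

Every sample passes the denylist, because none of them contains a listed character; only the first passes the allowlist.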

Re: eregi

Posted: Sat Dec 01, 2012 2:39 am
by twinedev
requinix wrote: Whitelist versus blacklist. The difference is subtle. Are you sure you've included every possible character that is invalid?
Very good advice!

Code:

// ^ and $ make the pattern cover the whole string; D keeps $ from matching before a trailing newline
if (!preg_match('/^[a-z0-9_-]+$/iD', $strValue)) {
   echo "there was an invalid character, Must contain only letters, numbers, hyphens and underscores";
}

If you are just getting used to regular expressions, I HIGHLY suggest RegexBuddy. It is awesome in that you can see spelled out what the expression is doing while you build it, you can test it right there on sample data, and you can have it generate the code for you. Plus it does have some built-in ones. Plus you have a drop-down to select the engine type, including preg/ereg/javascript's/mysql's. I used to only use regex when I needed to, and usually anything besides basic I had to go look up. Trust me, time saver when learning! Some of my old code that would scrape data was ugly, using strpos() to find the beginning, and strpos() to find the end, and then substr() to grab in the middle.... So much easier with regex.

Re: eregi

Posted: Mon Dec 03, 2012 6:44 am
by spacebiscuit
Thank you for the replies. Maybe I should be a little more detailed about what I am trying to do.

I am checking a string submitted via form for some 'bad' words which I have stored in an array. For example:

Code:

$bad_strings = array("content-type:", "mime-version:", "multipart/mixed");

As you can see I am checking for malicious code injection. I have come up with this so far:

Code:

foreach($bad_strings as $string){

     if(preg_match('!.(/$string_to_test).!', $string)){	  
          echo "<p>Bad string found!</p>";
          exit;	 
     }

}

I think I need to use the escape character before my variable '$string' but this isn't working because I can't find any matches when I test.

Any thoughts?

Thanks!

Re: eregi

Posted: Mon Dec 03, 2012 7:58 am
by spacebiscuit
OK, I have made some progress. I have this coded now:

Code:

$bad_strings = array("abc", "def", "ghi");

foreach($bad_strings as $string){

     if(preg_match("!$string!", $str_to_test)){	  
          echo "<p>Bad string found!</p>";
           exit;	 
     }

}

If I throw it '1abc2', a match is found, which is how I want it to work, but I don't understand why the match is found because I thought I would have had to specify numeric characters such as:

Code:

// {$string} in braces, so PHP does not read $string[0-9] as an array index
preg_match("![0-9]*{$string}[0-9]*!", $str_to_test);

I'm a little confused....

Re: eregi

Posted: Mon Dec 03, 2012 10:14 am
by twinedev
The way you are doing it, it is matching because one of the $bad_strings was found, "abc". preg_match, unless told to match the beginning and/or end of strings, will look for it anywhere in what it is checking. Here are some examples (note I used the standard / instead of ! just out of typing habits):

/abc/ = find the text abc anywhere in it.... abc, abcd, 123abc, 123abcdef all match, a1bc won't

/^abc/ = find the text abc at the start... abc, abcdef, abc_anything all match, 123abc won't

/abc$/ = find the text abc at the end ... abc, 123abc both match, abcdef won't match

/^abc$/ = find exactly abc for the string... abc is the only thing that will match

Technically, ^ represents beginning of string, $ represents end of string, unless you pass it the m modifier, then they match the begin/end of each line in the string: /^abc$/m would match as long as the string was only "abc" or it had "abc" somewhere on its own line.

-Greg
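
An added PHP example, not part of any post in this thread: the array of bad strings from the earlier post checked in a single case-insensitive pattern, with each entry passed through preg_quote() so it is matched literally. The helper names and the sample inputs are constructed for illustration.

```php
<?php
// Added example; helper names and sample inputs are constructed.

$bad_strings = array("content-type:", "mime-version:", "multipart/mixed");

// Build one pattern from the array. preg_quote() escapes regex metacharacters
// and the chosen delimiter, so every entry is treated as plain text.
function build_bad_string_pattern(array $bad_strings, string $delimiter = '!'): string
{
    $quoted = array_map(function ($s) use ($delimiter) {
        return preg_quote($s, $delimiter);
    }, $bad_strings);
    // i = case-insensitive, which is what eregi() provided.
    return $delimiter . '(?:' . implode('|', $quoted) . ')' . $delimiter . 'i';
}

// Return every listed string found anywhere in the input (no anchors needed).
function find_bad_strings(string $input, array $bad_strings): array
{
    $found = array();
    if (preg_match_all(build_bad_string_pattern($bad_strings), $input, $m)) {
        $found = array_values(array_unique(array_map('strtolower', $m[0])));
    }
    return $found;
}

// The same test without a regex: stripos() is a case-insensitive substring search.
function contains_bad_string(string $input, array $bad_strings): bool
{
    foreach ($bad_strings as $s) {
        if (stripos($input, $s) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs.
$samples = array(
    "Hello, please call me back.",
    "hi\r\nContent-Type: text/html",
    "MIME-VERSION: 1.0",
);

foreach ($samples as $value) {
    $hits = find_bad_strings($value, $bad_strings);
    printf("%-36s regex=%s stripos=%s\n", json_encode($value),
        $hits ? implode(',', $hits) : 'none',
        contains_bad_string($value, $bad_strings) ? 'hit' : 'none');
}
```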

Re: eregi

Posted: Mon Dec 03, 2012 11:59 am
by Christopher
You are also missing the two most important ways to match -- character sets. Especially since the OP asked "What I want to do is check a string for bad characters."

/[A-Za-z0-9]/ = // find alpha-numeric characters

/[^A-Za-z0-9]/ = // find any characters that are NOT alpha-numeric characters

They can also be in the form /^[A-Za-z0-9]*$/ to check the whole string.