danielestop

Reputation: 61

Alphanumeric pattern php with preg_match

Can somebody explain to me why this pattern is recognized as alphanumeric?

\13\13\13\13\13\13\13\13\13234234\3

Please see the image at this link.

I wrote the code only to show you that it is recognized as alphanumeric

EDIT 15.06.214 21:40

I am adding some information; I'm sorry, I forgot.

The variables that you see are taken from an input form. That's the code I used in order to make the information clean and ready to be inserted into the database.

PS: just for your information, the variable $errform is used later on to "trigger" the message of error on the page

    <?php
      $username = $password = $fname = $lname = $mail = $id_dept = "";
      $usernameERR = $passwordERR = $fnameERR = $lnameERR = $id_deptERR = "";
      $errform = 2;
    ?>
    <?php
      if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $username = clean_data($_POST["username"]);
        $password = clean_data($_POST["password"]);
        $fname = clean_data($_POST["fname"]);
        $lname = clean_data($_POST["lname"]);
        $mail = clean_data($_POST["mail"]);
        $id_dept = clean_data($_POST["id_dept"]);
        if (!preg_match("/^[a-zA-Z0-9]*$/", $username)) {
          $usernameERR = "Only letters and numbers allowed";
        }
        if (!preg_match("/^[a-zA-Z0-9]*$/", $password)) {
          $passwordERR = "Only letters and numbers allowed";
        }
        if (!preg_match("/^[a-zA-Z ]*$/", $fname)) {
          $fnameERR = "Only letters and white space allowed";
        }
        if (!preg_match("/^[a-zA-Z ]*$/", $lname)) {
          $lnameERR = "Only letters and white space allowed";
        }
      }
      function clean_data($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
      }
      if (isset($_POST['submit'])) {
        if ((!preg_match("/^[a-zA-Z0-9]*$/", $username))
        || (!preg_match("/^[a-zA-Z0-9]*$/", $password))
        || (!preg_match("/^[a-zA-Z ]*$/", $fname))
        || (!preg_match("/^[a-zA-Z ]*$/", $lname))) {
          $errform = 1;
        } else {
          $errform = 0;
          $con = mysqli_connect($hostdb,$userdb,$passwdb,$dbTEST);
          if (mysqli_connect_errno()) {
            echo "Impossibile connettersi a MySQL: " . mysqli_connect_error();
          }
          $username = mysqli_real_escape_string($con, $_POST['username']);
          $password = md5(mysqli_real_escape_string($con, $_POST['password']));
          $fname = mysqli_real_escape_string($con, $_POST['fname']);
          $lname = mysqli_real_escape_string($con, $_POST['lname']);
          $mail = mysqli_real_escape_string($con, $_POST['mail']);
          $id_dept = mysqli_real_escape_string($con, $_POST['id_dept']);
          if (!mysqli_query($con, "INSERT INTO user (id_user, username, password, fname, lname, mail, id_dept) VALUES (NULL, '$username', '$password', '$fname', '$lname', '$mail', '$id_dept')")) {
            die ("Error: " . mysqli_error($con));
          }
          mysqli_close($con);
        }
      }
    ?>

EDIT 15/06/2014 22:41

Ok,

sorry everybody I understood the source of the problem.

What I was checking was

    (preg_match("/^[a-zA-Z0-9]*$/", $username))

In my code, $username got this treatment

    $username = clean_data($_POST["username"]);
    if (!preg_match("/^[a-zA-Z0-9]*$/", $username)) {
      $usernameERR = "Only letters and numbers allowed";
    }

where

    function clean_data($data) {
      $data = trim($data);
      $data = stripslashes($data);
      $data = htmlspecialchars($data);
      return $data;
    }

So when I post \q\q\q\q\q\q\q\q\q this is stripped and becomes qqqqqqqqq

BUT, there are two problems. The first problem was that I was echoing this

    echo "post username: " . $_POST["username"];

and comparing with this

    echo "preg username " . preg_match("/^[a-zA-Z0-9]*$/", $username);

and it's clear that $_POST["username"] is not == to $username because this last one got the treatment of the clean_data function, while the POST did not.

So when I was doing the preg_match, I was doing it on $username = qqqqqqqqqqq (which is alphanumeric) while what I showed you was $_POST['username'] = \q\q\q\q\q\q\q\q\q\q\q

The second problem was that I was sending to the database this

    $username = mysqli_real_escape_string($con, $_POST['username']);

while I should have sent this

    $username = mysqli_real_escape_string($con, $username);

So the NON CLEANED data was arriving at the database.

Upvotes: 0

Views: 2103
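The mismatch described in the question's second edit, as an added example that is not part of the original post: the original flow validates the cleaned copy but stores the raw value, while the corrected flow validates the raw value and binds that same variable to the statement. `valid_username`, `original_flow`, `corrected_flow`, the in-memory SQLite table standing in for the MySQL one, and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// The asker's helper, same behaviour: it rewrites the input before it is checked.
function clean_data(string $data): string {
    return htmlspecialchars(stripslashes(trim($data)));
}

// Hypothetical helper: checks the raw string and returns it untouched, or null.
// \A and \z anchor the whole string; "$" alone also matches before a final "\n".
function valid_username(string $raw): ?string {
    return preg_match('/\A[a-zA-Z0-9]+\z/', $raw) === 1 ? $raw : null;
}

// Original flow: the regex sees the cleaned copy, the query receives the raw one.
function original_flow(string $raw): array {
    $checked = clean_data($raw);
    $ok = preg_match('/^[a-zA-Z0-9]*$/', $checked) === 1;
    return ['checked' => $checked, 'stored' => $ok ? $raw : null];
}

// Corrected flow: one variable is validated and then bound to the statement.
function corrected_flow(PDO $db, string $raw): ?string {
    $username = valid_username($raw);
    if ($username === null) {
        return null;                       // reject the input, do not repair it
    }
    $stmt = $db->prepare('INSERT INTO user (username) VALUES (:u)');
    $stmt->execute([':u' => $username]);   // bound parameter, no escaping step
    return $username;
}

$db = new PDO('sqlite::memory:');          // assumption: pdo_sqlite is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id_user INTEGER PRIMARY KEY, username TEXT)');

// Constructed sample inputs.
foreach (['\\q\\q\\q', 'alice42', "bob\n"] as $raw) {
    $old = original_flow($raw);
    $new = corrected_flow($db, $raw);
    printf("%-12s old: checked=%s stored=%s | new: stored=%s\n",
        json_encode($raw), json_encode($old['checked']),
        json_encode($old['stored']), json_encode($new));
}
```

For each input, the `old` columns show the value the regex saw next to the value that would have reached the INSERT, and the `new` column shows what the corrected flow stored.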

Answers (2)

Casimir et Hippolyte

Reputation: 89547

I think that your backslashes are ignored because they are not seen as literal backslashes but as backslashes that escape the following character. Since the escaped characters have no special meaning for a PHP string, the backslashes are simply ignored. To obtain the expected behaviour, you can use addslashes before performing the tests.

Upvotes: 0

user3742615

Reputation: 11

Because you allowed that if it contains A-Z or a-z or 0-9 characters, and this string contains 13... and this is a character that is allowed in the RegExp (/^[a-zA-Z0-9]+$/).

You can resolve it with the following patterns:

username:

    /^[a-zA-Z]+[0-9_]*?[a-zA-Z]*?$/

name:

    /^[a-zA-Z]+[ ]*?[a-zA-Z]$/

Upvotes: 1
