Is preg_match safe for use in input sanitation?

I am creating a new web application in a LAMP environment, and I'm wondering if preg_match can be trusted to verify input (+ prepared statements, of course) for all text fields (i.e. not HTML fields: phone, name, surname, etc.).

For example, for the classic "email field", if I check the input as:

$email_pattern = "/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)" .
    "|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}" .
    "|[0-9]{1,3})(\]?)$/";

$email = $_POST['email'];
if(preg_match($email_pattern, $email)){
    //go on, prepare stmt, execute, etc...
}else{
    //email not valid! do nothing except warn the user
}

Is that enough to be safe against SQL / XSS injection?

I write regexps as restrictively as I can.

EDIT: as already mentioned, I already use prepared statements, and this behaviour is only for text fields (such as phone, email, name, etc.), so nothing that is allowed to contain HTML (for HTML fields I am using HTMLPurifier).

, , , -white-list; else, .

p.s:: im - mysql_real_escape_strings; , Postgresql , , -;)

+5
7

, . SQL, - ' ". HTML XSS, , <, > ".

, , , , , $, ! mysql_real_escape_string() SQL- htmlspecialchars() HTML.

. , , .


, :

== mysql_real_escape_string() , . , , . - , SQL-, . , .

accommodate "- ". , , , , . , , . .

, , - $db- > escape(), MySQL mysql_real_escape_string ( ), PostgreSQL PostgreSQL ( , , , PostgreSQL).

HTML

HTML- - HTML- ( , , , ), , HTML, a purify() , , . , HTML, , htmlspecialchars(). , , .

- - , - ; , .

, , : " " XSS. , , , , . .

+7

SQL- , mysql_real_escape_string. ( ORM) .   .

. HTML , , XSS, *.

- "/ , ". , ( ), HTML-, , .

* , < >

+5

, .

Escaping.

, , . ( script); , , SQL, HTML- , .

, . "" , . "", . , HTML-, HTML .

SQL- HTML- script. " " ( ) . - .

, , , , , HTML-, , . , HTML. HTML- , ( htmlspecialchars() ), , .

, . Regex ; , , , + , .museum .travel IDNA. .

+3

.

NOOOO.

NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO.

DO. . . REGEX. . . EVER.

RegEx SQL-

Java - escape- SQL

+2

​​ . , SQL-, ( ) , .

+1

php mysql_real_escape_string(), ​​ mysql, . ( , .)

+1

: . , , .

It is best to use the filter functions to get the user input relatively securely and update your php if something breaks is in these functions. When you have the initial input, you have to add some things depending on what you do with this data: remove \ n and \ r for email and http headers, remove html tags for display to users, use parameterized queries to use from the database.

+1
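An added example (not from the question or any of the answers) that carries the last answer's three layers through in PHP, placing the asker's own regex next to filter_var(); it assumes PDO with the SQLite driver is available.

```php
<?php
// Added example, not code from the question or any answer. It keeps the three
// layers the thread talks about separate: whitelist validation on input,
// parameter binding for SQL, and escaping at the HTML output sink.
declare(strict_types=1);

// The asker's pattern, copied so its behaviour can be compared with filter_var().
$email_pattern = "/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)"
    . "|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/";

/** Layer 1 (validation): the normalised address, or null when rejected. */
function validate_email(string $raw): ?string
{
    // Drop CR/LF first so the value can never break a mail or HTTP header.
    $value = str_replace(["\r", "\n"], '', trim($raw));
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

/** Names legitimately contain apostrophes, so a whitelist cannot exclude "'". */
function validate_name(string $raw): ?string
{
    $value = trim($raw);
    return preg_match("/^[\p{L}\p{M}' .-]{1,100}$/u", $value) === 1 ? $value : null;
}

/** Layer 2 (storage): the value is bound, never concatenated into the SQL text. */
function insert_user(PDO $db, string $name, string $email): void
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

/** Layer 3 (output): escape for the HTML context at render time, not at input. */
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a valid modern address the asker's regex rejects,
// an address carrying CR/LF, and a name whose apostrophe must survive.
$email_ok   = 'user+tag@example.museum';
$email_crlf = "bob@example.com\r\nBcc: other@example.net";
printf("regex: %d, filter_var: %s\n", preg_match($email_pattern, $email_ok),
    validate_email($email_ok) ?? 'rejected');
printf("crlf address: %s\n", validate_email($email_crlf) ?? 'rejected');

$db = new PDO('sqlite::memory:');   // in-memory SQLite, assumed available for the demo
$db->exec('CREATE TABLE users (name TEXT, email TEXT)');
insert_user($db, validate_name("O'Brien") ?? 'rejected', $email_ok);
echo render_name($db->query('SELECT name FROM users')->fetchColumn()), "\n";
```

The regex rejects the "+" and the six-letter TLD while filter_var() accepts them, and the apostrophe in the name reaches the database and the page untouched because it is bound, then escaped, rather than filtered.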