
In PHP I have the following regular expression:

// hyphen placed first in the class so that "_-\s" is not parsed as a range
$regexp = "/^([-a-z0-9.,!@'?_\s])+$/i";

I'm trying to validate my website's contact form (specifically the message field) to ensure no nasty code has been entered. The problem I am having is that there are certain normal punctuation marks and characters I need to allow, but I'm worried they could be used to insert malicious code.

For any character not obeying the expression above, I would like to replace it to make it safe. Two questions:

  1. How do I do the replacement?
  2. What should I replace the character with? For example, I am not allowing parentheses ( ). Would it be best practice to replace like this "(" ")" or maybe \( \)?

EDIT

The data will be sent to an email address and saved to a database

GWed
  • Why are you worried about malicious code in a contact form? Where do the messages go? Another web site? Your email? You may be overdoing this. – Samantha Branham Feb 07 '13 at 15:54
    Escape the data depending on where you use it. If you insert into a database, use PDO or the correct *_escape function. When outputting on a website, use htmlspecialchars and urlencode. escapeshellcmd/escapeshellarg when used in a shell environment. And so on … Please see the question [»What's the best method for sanitizing user input with PHP?«](http://stackoverflow.com/q/129677/112968) – knittl Feb 07 '13 at 15:55
  • This all depends on what is being done with the data. If it is being output to browser, inserted into database, run through some command line, all require different means of sanitation. – kittycat Feb 07 '13 at 15:57

2 Answers

Mmh, why don't you just allow every character to be inserted in the contact form, converting them all with htmlentities as soon as they reach the PHP script after form submission? That way your users will be able to say what they want, and you won't have any problem with "malicious code" :)

And do not forget to use a proper database wrapper (PDO)
or at least escape when inserting into the database.

– knittl

EDIT: added Knittl's quote to stress it again :)

Erenor Paz
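The following is an added example, not code from the question, the comments or this answer. It applies what the comments and the answer above describe: accept any characters in the message, then handle the text differently at each place it goes (bound parameters for the database, htmlspecialchars at HTML output time, and a CR/LF check on anything that ends up in an email header). The sample submission, the in-memory SQLite table and the helper names `storeMessage`, `renderMessageHtml` and `buildMailHeaders` are all constructed here.

```php
<?php
// Added example: escape per sink instead of rejecting characters at input.
// Everything below (sample data, table, helper names) is constructed for
// illustration and is not part of the original question or answers.

declare(strict_types=1);

// Constructed sample submission: characters the whitelist regex rejects, a
// SQL-looking payload, an HTML payload and a CRLF email-header injection.
$submission = [
    'name'    => "Bob O'Brien\r\nBcc: everyone@example.com",
    'email'   => 'bob@example.com',
    'message' => "Hi (there)! <script>alert(1)</script> '; DROP TABLE messages; --",
];

// 1. Database: bound parameters; the message text is stored verbatim.
function storeMessage(PDO $db, array $s): int
{
    $stmt = $db->prepare(
        'INSERT INTO messages (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([
        ':name'    => $s['name'],
        ':email'   => $s['email'],
        ':message' => $s['message'],
    ]);
    return (int) $db->lastInsertId();
}

// 2. HTML output: encode when rendering, not when storing, so the stored text
//    stays usable for the email and any other non-HTML consumer.
function renderMessageHtml(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>' . nl2br($safe) . '</p>';
}

// 3. Email: a text/plain body needs no escaping, but any value placed in a
//    header must not contain CR or LF, otherwise the sender can append their
//    own headers (the Bcc: in the sample). Reject rather than try to clean.
function buildMailHeaders(string $name, string $email): array
{
    if (preg_match('/[\r\n]/', $name . $email)) {
        throw new InvalidArgumentException('CR/LF in header field');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid reply address');
    }
    // Quote the display name; backslash-escape embedded quotes and backslashes.
    $quoted = '"' . addcslashes($name, '"\\') . '"';
    return [
        'From'         => 'contact-form@example.com', // fixed, never user-controlled
        'Reply-To'     => "{$quoted} <{$email}>",
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)');

$id = storeMessage($db, $submission);
$select = $db->prepare('SELECT message FROM messages WHERE id = ?');
$select->execute([$id]);
$stored = $select->fetchColumn();

// The table still exists and the text round-trips unchanged.
var_dump($stored === $submission['message']);

echo renderMessageHtml($stored), PHP_EOL;

try {
    buildMailHeaders($submission['name'], $submission['email']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected header field: ', $e->getMessage(), PHP_EOL;
}
print_r(buildMailHeaders("Bob O'Brien", $submission['email']));
```

Note that nothing is replaced in the message itself; the apostrophe, parentheses and angle brackets survive into the database and the plain-text email, and only the HTML rendering encodes them.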

Use the filter extension. More specifically, use the filter_input() function with a sanitizing filter. For example:

$message = filter_input(INPUT_POST, 'message', FILTER_SANITIZE_STRING);

This will make sure that tags are stripped out of the message and that it is safer to handle.

However, it does not mean that you should treat it as 100% safe. You still need to take precautions when saving the message to the database (such as using the database driver's escape method, and removing unwanted/unneeded/suspicious stuff from the message), as well as making sure that it is safe to output to the client.

Sverri M. Olsen
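An added example, not code from this answer, showing what the sanitizing filter does to a message and, for the question's first point, how the same filter API can run the question's own whitelist as a replacement. filter_input() reads the live request, so this uses filter_var() on a constructed message, which applies the identical filters. FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so a FILTER_CALLBACK built from the question's character class is shown beside it. The sample message, the `ALLOWED` constant and `whitelistOnly()` are constructed here.

```php
<?php
// Added example: the answer's sanitizing filter next to a callback filter that
// applies the question's whitelist. Sample data and helper names are
// constructed for illustration, not taken from the original page.

declare(strict_types=1);

$message = "Call me (soon)! It's \"urgent\" <b>really</b> 50% off & more";

// What the answer's filter does: strips tags and encodes ' and " as entities
// (deprecated since PHP 8.1, still functional with an E_DEPRECATED notice).
$stripped    = filter_var($message, FILTER_SANITIZE_STRING);
$strippedRaw = filter_var($message, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);

// The question's character class, hyphen first so it is a literal, not a range.
const ALLOWED = "-a-z0-9.,!@'?_\\s";

// Question 1: replace every character outside the whitelist. A single space
// is used; no escaping is needed here because this value is not yet headed
// for HTML, SQL or a shell (each of those is escaped at its own sink).
function whitelistOnly(string $text): string
{
    return preg_replace('/[^' . ALLOWED . ']/i', ' ', $text);
}

// Same filter API as filter_input(), with the whitelist as the filter.
$whitelisted = filter_var($message, FILTER_CALLBACK, ['options' => 'whitelistOnly']);

echo "original:    {$message}", PHP_EOL;
echo "sanitized:   {$stripped}", PHP_EOL;
echo "no-quote:    {$strippedRaw}", PHP_EOL;
echo "whitelisted: {$whitelisted}", PHP_EOL;
```

The first two results still contain the parentheses, percent sign and ampersand that the question's regex rejects, because the sanitizing filter only removes tags and encodes quotes; the whitelist result blanks them. Neither result is safe to place in SQL or HTML without the escaping appropriate to that context, which is the caveat the answer ends on.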