PHP Regex for Username?

Question

Hello I'm trying to parse string chars to prevent sql injection and other hacks. I don't want to use mysql_real_escape_string or other filters. I want to just use a regex and have characters A-Z 0-9 !@#$-_

I mean I could use a regex such as:

$newStr = preg_replace('/[^a-z0-9]/i', '_', $str);

but I just want to be safe and I'm not very good at regex. Thanks again guys, you really are awesome.

*Why* don't you want to apply proper escaping? It's probably a bad reason, and your users are gonna suffer for it. — , Mar 22 '13 at 22:13
well I'm using mysqli and don't want to use mysql. I'd have to make another database connection. — user1594121, Mar 22 '13 at 22:16
Please read the manual: http://php.net/manual/en/mysqli.real-escape-string.php — Volkan, Mar 22 '13 at 22:18
@lhsan I have read the manual but I don't want to make a new database connection. :/ — user1594121, Mar 22 '13 at 22:21

Paul Calabro · Accepted Answer · 2013-03-22T22:34:18.060

0

This:

$newStr = preg_replace('/[^a-z0-9]/i', '_', $str);

should be:

$newStr = preg_replace('/[^a-zA-Z0-9!@#$-]/', '_', $str);

The code below should strip out:

'"/\;?"

<?php
        $newStr = preg_replace('/[^a-zA-Z0-9!@#$-]/', '_', "test\'\"\/\\\;\?");
        echo $newStr;
?>

Which produces:

test__________%

edited Mar 22 '13 at 22:34

answered Mar 22 '13 at 22:16

Paul Calabro

1,748
1
16
33

or even better A-Z a-z 0-9 and the chars _ and - and ! and # and $ ? lmao – user1594121 Mar 22 '13 at 22:31
@user1594121 textbox max length can always be changed, don't rely on that for limits. – Jon Mar 22 '13 at 22:32
Good point! Fixed the code! Thx – Paul Calabro Mar 22 '13 at 22:37

PHP Regex for Username?

1 Answers1