Character restriction in $_POST

Question

I have this code and would like to restrict the characters to [a-f][A-F][0-9]

$code = mysql_real_escape_string($_POST['dgt']);
$len = strlen($code);
if (!($len == "32" or $len == "40")) {
   print "This is not a valid code.";
} else {
   echo 'success';
}

right now it has a character LENGTH limit and would like to add characters restriction as stated above.

what's the best possible way to achieve this?

score 3 · Answer 1 · edited May 23 '17 at 11:56

3

One could even accomplish the character and length assertion in a single regex:

if (preg_match('/^([[:xdigit:]]{8}){4,5}$/i')) {
    // valid
}

That will match 4*8 (=32) or 5*8 (=40) hexdigits.

Btw, you're supposed to apply mysql_real_escape_string last, or right before interpolating it into SQL strings. It makes little difference here, in particular as the values are asserted already. But modifying strings after SQL-escaping them might in some circumstances undo the escaping. You might wish to read up on parameterized queries anyway. That would have made that note redundant.

edited May 23 '17 at 11:56

Community

1
1

answered Dec 29 '13 at 05:53

mario

144,265
20
237
291

1

No, not the shown part. I'm just saying it's not necessary anymore to manually take care about such things. – mario Dec 29 '13 at 06:14

Shankar Narayana Damodaran · Accepted Answer · 2013-12-29T05:45:21.657

2

Why don't you make use of a simple regex ?

    if(preg_match('/[^a-f_\-0-9]/i', $code)) //if this regex doesn't work , make use of /[^a-fA-F0-9]/
    {
      if(strlen($code)==32 || strlen($code)==40)
      {
      echo "This is not a valid code.";
      }
    }
    else
    {
    echo 'Success.';
    }

edited Dec 29 '13 at 05:45

answered Dec 29 '13 at 05:36

Shankar Narayana Damodaran

68,075
43
96
126

wouldn't that allow characters more than 40 to be entered? also, would this allow A-F chars? – user3125898 Dec 29 '13 at 05:39
1

thank you, one more question though, why did you discard this line: $len = strlen($code); – user3125898 Dec 29 '13 at 05:48
1

He have not discarded that line. He has given code after that line – chanchal118 Dec 29 '13 at 05:51
@user3125898, `mysql_*` functions are deprecated. You need to make use of `MySQLi` or `PDO`. – Shankar Narayana Damodaran Dec 29 '13 at 05:55
one more questions Shankar, does the code you provided allow A-Z chars? thanks for the help – user3125898 Dec 29 '13 at 06:22
Nope , just G-Z , you can customize as per you needs. – Shankar Narayana Damodaran Dec 29 '13 at 06:57

chanchal118 · Answer 3 · 2013-12-29T05:51:58.670

0

  $code = mysql_real_escape_string($_POST['dgt']);
  $len = strlen($code);  

  if (!($len == "32" or $len == "40") or preg_match('/[^a-fA-F0-9]+/i', $code)){
      print "This is not a valid code.";
  } else {
      echo 'success';
  }

edited Dec 29 '13 at 05:51

answered Dec 29 '13 at 05:37

chanchal118

3,551
2
26
52

The original poster only wants to restrict to these characters `[a-f][A-F][0-9]` – Giacomo1968 Dec 29 '13 at 05:38

Character restriction in $_POST

3 Answers3