0

I cannot get pregmatch to accept single(') or double (") quotes. I am attempting this in php the pattern is located in a "textarea."

I would like to allow both quote types but neither are being accepted. Therefore halting input into the database.

The pattern I have is

pattern="[a-zA-Z0-9.,()'!?:"\s]"

The preg match I have is

!preg_match("/^[a-zA-Z0-9.,()'!?:"\s]*$/", $description)

I have searched and tried everything.

When I try this

"/^['\a-zA-Z0-9.,()!?:\s]*$/"

it returns Lisa\'s instead of Lisa's

kh67
  • 81
  • 7
  • 1
    Escape the quotes – anubhava Feb 18 '19 at 19:20
  • 6
    This is the **wrong** way to prevent SQL injection. Use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Feb 18 '19 at 19:20
  • 2
    @anubhava That is **bad** advice. To truly be safe from SQL injections you need to use prepared statements. – John Conde Feb 18 '19 at 19:21
  • I am also using prepared statements. – kh67 Feb 18 '19 at 19:26
  • @kh67 If you are single quotes will not break your queries and halt execution of your code. – John Conde Feb 18 '19 at 19:29
  • So you escape the quote in the regex and it now works or there are additional issues? – user3783243 Feb 18 '19 at 19:29
  • Your regex `"/^[a-zA-Z0-9.,()'!?:\"\s]*$/"` should match strings with single and double quotation marks. Are you sure those are not curly quotes? – Wiktor Stribiżew Feb 18 '19 at 19:39
  • "Therefore halting input into the database." How else would a single quote do this? – John Conde Feb 18 '19 at 19:39
  • My interpretation of the question would be that these are characters the OP allows in the DB. Any other character should stop input. – user3783243 Feb 18 '19 at 19:43
  • They say they want to accept them so that can't be true – John Conde Feb 18 '19 at 19:59
  • @WiktorStribiżew I was pretty sure. so I tested it. in web form appears straight and in wordperfect it is indeed curly. Confusing. Any suggestion how to allow either? Assuming users not know the difference either. – kh67 Feb 18 '19 at 20:58
  • @JohnConde Are you saying that with binding parameters that preg match is not needed? I thought both were needed for optimal security. – kh67 Feb 18 '19 at 20:59
  • To allow any "regular" curly quotes you may try to add them, `"/^[a-zA-Z0-9.,()'!?:\"\s’‘“”]*$/"` – Wiktor Stribiżew Feb 18 '19 at 21:01
  • @kh67 Yes, that is what I am saying. If you use prepared statements you don't have to worry about quotes. Removing them is incorrect and a common myth. – John Conde Feb 18 '19 at 21:09
  • @JohnConde beside the quotes is there anything else to worry about by not having a pattern or preg match? What I am asking is if I remove the pattern and preg match and leave binding parameters (of course) is there anything I need to avoid? – kh67 Feb 18 '19 at 21:12
  • @WiktorStribiżew I know this is probably stupid... but how do I do that? It only shows one selection on keyboard. – kh67 Feb 18 '19 at 21:14
  • @kh67 That all depends on what a valid value is for you. IF you don't want HTML in your values you need to remove that, etc. – John Conde Feb 18 '19 at 21:48

2 Answers2

0

Filter the input, then run your check to make sure you're not storing a malicious bit of HTML or Javascript, or a tag breaker. Then once you get to binding your parameters with PDO for insertion indicate it as a PARAM_STR.

$description = filter_input(INPUT_POST,'description',FILTER_SANITIZE_STRING);

    if(preg_match("~^[a-zA-Z0-9.,()\"'!?:\s]*$~", $description)){
       //Call functions to prepare statements and insert into db here.
       //...
       $stmt->bindValue(':description', $description, PDO::PARAM_STR);
    }
AbsoluteƵERØ
  • 7,816
  • 2
  • 24
  • 35
0

Since your preg match now allows single quote lets leave it and get the slashes removed before inserting into the database.

Try this:

!preg_match("/^['\a-zA-Z0-9.,()!?:\s]*$/", $description))

And then before you bind your parameters in your prepared statement add this line of code:

  $description = stripslashes(htmlentities($description));

@John Conde was correct. Make sure you always use prepared statements and bind your parameters.

Hope this is helpful

kristina
  • 182
  • 9
  • When I used this it now allows all the other characters I do not want. Mainly I do not want spam website links in the database like `http://` for instance. the link is removed but the web address still shows – kh67 Feb 19 '19 at 18:50