Hello
I have information comming from a form to the process below. the process validates user input
using preg_match found in a function (valid.php) before inserting into a mysql database.
This is my first attempt to use preg_match to validate user input and may have coded it incorrectly.
The database inserting works.
The problem is when a illegal character like @ 0r # is placed in the form preg_match is not catching the illegal characters and triggering the warning message.

Process

<?php 
include("../valid.php);// 
 /*** arrays passed from the form with selected service variables ***/ 
 $code1_id = $_POST['fee1_choice']; //array of code_id primary key
 $fee1_unit = $_POST['fee1_unit'];//array with the number of units
 $fee1_money = $_POST['fee1_money'];//array selected fee
 
 //filter array index
 $fee_unit = array_filter($fee_unit);
 $fee_money = array_filter($fee_money);
 
 
 $indices1 = array_keys($code_id);
 foreach($indices1 as $index1)
   {
       //individual value validation from 3 arrays
       $code_id[$index1]; 
       $fee_unit[$index1]; 
       $fee_money[$index1];
 
 
 //validate unit
 $field_name = $fee_unit[$index1];//assign field to array for function
 check_unit_field($field_name);//funtion to validate user entered numbers or message sent

 //validates money
 $field_name = $fee_money[$index1];//assign field to array for function
 check_money_field($field_name);//function validate the user entered characters are number or message sent
 required_field($field_name);//function check required field is not empty
 
 //insert query goes here
   
  }
?>

Validation Function

<?php
valid.php
//function to validate units
function check_unit_field($field_name)
  {
    if(empty($field_name) || $field_name == 0 || preg_match("/^[0-9\. ]+$/", strip_tags(trim($field_name))))
       {
        
   return TRUE;
       }
       else
        {
  illegal_num_character_message();//dislpay illegal character entered message 
    return FALSE;
  exit();
   }
  }
  
  //function to validate money
  function check_money_field($field_money)
  {
  
     if(empty($field_money) || $field_money == 0 || preg_match("/^[0-9\. ]+$/", strip_tags(trim($field_money))))
   {
     
     return TRUE;
   }
   else
          {
        illegal_num_character_message();//dislpay illegal character entered message 
     
    return FALSE;
    exit();
   }
  }
 ?>

Thanks.

I removed the $field_name == 0 and it worked

Hi,

However, heres one that also make sure you dont match a string such as "4." or "." but matches "0.4" or ".4" for example:

// validate as an int or float
function is_number($str) {
	if (preg_match("/^[0-9]*\.?[0-9]+$/", $str) && !empty($str)) {
		return true;
	}
	return false;
}

Thanks.

I removed the $field_name == 0 and it worked

Its probably better if you used floatval() and intval() to validated integers and floats instead of regex as it is faster and less server intensive.

Eg, if you want to check is a string "equates" to a float:

if($float = floatval($str)) {
// ok
} else {
// not ok
}

Notice the single = . This allows you to assign the float value, as well as validate it at the same time.

Thanks for the suggestion.

I will give it a try.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.