Hi there,

First, ereg() is deprecated as of PHP 5.3.0 [php.net]. You should probably be using preg_match() [php.net] instead.

Secondly, your regular expression is testing for anything that is not an alphanumeric character, so your code should return an error when the ereg expression is true.

[Edit: removed a paragraph. I should read the post thoroughly first!]

-- b

Ah, thanks for that information. I have replaced ereg() with preg_match() and now use:

if (preg_match('/A-Za-z0-9/',$username))

This works fine when filtering out all symbols apart from lowercase, uppercase letters and numbers 0-9. Is there a way to allow spaces and underscores? I have tried:

if (preg_match('/A-Za-z0-9/',$username)) || (preg_match('/ /',$username)) || preg_match('/_/',$username))

but no luck. This allows other symbols again. :(

Hi there Sp4rkyM4rk,

Check out Rocknbils "Quick lesson in patterns" on preg_match in this thread, I don't fully understand regexp, and I seriously need to set a day aside and learn ;)

Link:[webmasterworld.com ]

Hope that helps you - it explains things for me!

Cheers,
MRb

Hello again,

This pattern:

/A-Za-z0-9/

...tells the regex engine to match the exact string 'A-Za-z0-9'. If you're trying to do a character class, you need the square brackets, and something that tells preg_match() to match more than a single character. E.g.:

// Matches one or more alphanumeric characters:
$pattern = '/[a-z0-9]+/i';

-- b

Thanks again for the help. I have read the topic mentioned and taught me a bit about using preg. Although it seems I was wrong when I said '/A-Za-z0-9/' only allows those characters. A name with just symbols such as '^&^$&' will not be valid, however as long the name contains at least one uppercase/lowercase letter or number, other characters are allowed past the validation rule. This is also the case with '[/A-Za-z0-9/]'. :(

EDIT: I think I may have worked out the solution to the problem, but not 100% certain:

'/^[a-zA-Z0-9\_\&\s]+$/'

\s to represent the space, and a backslash between other characters. I decided to include the ampersand in this example, but I'll take it out in the live script (remove \&).

Whoops, you're right. My sample will do exactly what you say: match alphanumeric characters anywhere in the string.

Your latest regex should work because you've anchored it at both ends (in human language, your current regex says 'match only if the entire string contains only one or more letters, digits, spaces, underscores or ampersands').

By the way, if you were restricting the string only to letters, digits and underscores, you could also just use '/[\w]+/' I believe...

-- b

Right, but some characters in \w, like underscores, are not letters . . . .

however as long the name contains at least one uppercase/lowercase letter or number, other characters are allowed past the validation rule.

Right, what you're going to want here is a not, but you are likely going to have to do it in two steps. First you make sure it's no invalid characters, then make sure it's at least one letter or number. But let's think ahead - about our poor users who often don't understand our cryptic error messages. :-) Rather than pose an error about characters, let's just CLEANSE the input first, fix it for them, then do the single error check to make sure it's got at least one letter and number.

$username = preg_replace('/[^a-z\d]/i','',$_POST['uname']);

Pregs are about context. When used like this,
'/^blah$/'

^ means "begins with this pattern" and the $ at the end means "ends with this pattern." But when it's the first character within a class [], think of it as meaning "anything not these." So the above means "remove anything that is NOT an upper or lower case character in the range a through z, or a number." The i is a modifier that means make this match case insensitive. \d means any digit, and is the equivalent of 0-9.

So now our string has nothing but letters and numbers.

if ((preg_match('/[a-z]/i',$username) and preg_match('/\d/i',$username))) {
// we're good
}
else {
return_to_form_w_error("<li>User name must contain at least one letter or number.</li>");
}

A working example, except in the interest of TMTOWTDI I used a "not" in the if - if it doesn't match, populate error.

<?php 
header("content-type:text/html"); 
$pwds= Array('ObNoxious','Pret3nti0us','and1MM@ture'); 
$errstring=$ok=null; 
foreach ($pwds as $pwd) { 
 $pwd = preg_replace('/[^a-z\d]/i','',$pwd); 
 if (! (preg_match('/[a-z]/i',$pwd) and preg_match('/\d/',$pwd))) { 
 $errstring .= "<li>The password $pwd is an epic fail.</li>"; 
 } 
 else { $ok .= "<li>$pwd is OK.</li>"; } 
} 
echo "<ul>$errstring $ok </ul>"; 
?> 

$preg_str_check="#[^][ _A-Za-z0-9-]#"; 
if( preg_match( $preg_str_check, $some_input ) { 
die("I'm not feeling helpful, so buzz off"); 
} 

If anything other than the following characters appear, the

preg_match()

will be

TRUE

:
(space)
(underscore)
a-z (case insensitive)
numeric digits
(hyphen)

If you want to allow any other characters, place them IN FRONT OF the (space). Certain characters (eg `?', `/') need to be escaped (put a back-slash: `\' before them) (wonderfully, if you want a back-slash itself, you will need to use four: `\\\\').