Checking for multiple characters in a string 1

[ChrisRChamberlain]

Hi all

Following thread434-1352591, the $searchstring variable, derived from $searchstring =$_POST['searchstring']; needs to be checked for the existence of either square bracket and an appropriate error message printed.

The following code checks for the existence of the left bracket as opposed to both, (needs an 'OR' or equivalent?), and does not have an 'else' which could be used for an error message.

<?php

	//connect to the database
    $connectionstring = odbc_connect("vfptable", "", "");

    //	searchstring passed from form
	$searchstring = $_POST['searchstring'];

	$lbracket = "[";
	$rbracket = "]";
	if(stristr($searchstring,$lbracket)===FALSE){

		$searchstring = strtolower($searchstring);
		$searchstring = "[" . $searchstring . "]";
		//	Get number of records
	    $countQuery = "SELECT COUNT(*) FROM pagedata ".
	    	"where $searchstring $ innertext";
		$result = odbc_exec($connectionstring, $countQuery);

		odbc_fetch_row($result,0);
		$numRecords = odbc_result($result, 1);

	    //	Execute search query
		$Query = "SELECT * FROM pagedata ".
	   	"where $searchstring $ innertext";
	    $queryexe = odbc_do($connectionstring, $Query);


	    //	Query database
		print ("<div id='feature'>");
		print ("Total instances found is ".$numRecords);
		print ("<br>");
		print ("<br>");

		$instances=0;
	    while(odbc_fetch_row($queryexe))
	    {
	    $filename = odbc_result($queryexe, 1);
	    $title = odbc_result($queryexe, 2);
		$dispstring = odbc_result($queryexe, 4);

		print ("$instances"+1);
		print (".");
	  	print ("&nbsp;");
	  	print ("<a href='$filename'>$title</a>");
	  	print ("<br>");
		print ("$dispstring");
	  	print ("<br>");
	  	print ("<br>");
	  	$instances=$instances+1;
	 	}
		print ("</div>");
	}

    //disconnect from database
    odbc_close($connectionstring);

	?>

At the moment it appears that only the inclusion of the brackets causes an error message.

TIA

FAQ184-2483 - answering getting answered.​

Chris
PDFcommander.com
motrac.co.uk

 

[jpadie]

how about something simple like

if (strpos($searchstring, '[') === false && strpos($searchstring, ']')===false ){
  //string is clean
}else{
  //string is not clean
}

 

[ChrisRChamberlain]

jpadie

Thanks - excellent!

'&&' in VFP is a comment just to confuse the issue.

Note to self, stop translating and learn to think in the language.

FAQ184-2483 - answering getting answered.​

Chris
PDFcommander.com
motrac.co.uk

 

[feherke]

Hi

If you will find more unsafe characters, do not add more expressions to that [tt]if[/tt] condition. Just use one regular expression.

if (preg_match("/[\[\]]/",$searchstring)===false ) {
  // string is not clean
} else {
  // string is clean
}

If you are not familiar to regular expressions, note that the brackets ( [] ) delimit a class. So they have to be escaped when are included into a class. But other characters you will add will not require escaping.

Feherke.

http://rootshell.be/~feherke/

 

[jpadie]

whilst a regex is one approach, the php manual is clear that regular expressions should be avoided where possible.

with large numbers of "unsafe" characters you could use str_replace to sanitise (str_replace can take arrays as an argument).

you might also find it quicker to run a strpos iteratively across an array of chars.

 

[ChrisRChamberlain]

Interesting comments about regex.

For this application the only problematical characters so far are the brackets.

If a user needed to find a page containing text within brackets, they simply enter the text within the brackets and get the result that way.

Perfect - no, pragmatic - yes.

FAQ184-2483 - answering getting answered.​

Chris
PDFcommander.com
motrac.co.uk

 

[feherke]

Hi

the php manual is clear that regular expressions should be avoided where possible

I agree that regular expressions can be slow and can look obscure. ( These are the usual reasons against regular expressions. Sorry, I can not find the part of the manual you are referring too. )

But in our case I think it is fast and clean. At least my measurements say so.

Feherke.

http://rootshell.be/~feherke/