2

I am using preg_match to restrict the special characters in a form post. Now I need to restrict only some special characters, like %, $, #, *, and I need to post like . How is it possible to restrict only some special characters?

My code:

<?php
$firstname='';
if(isset($_POST['submit']))
{
    $firstname=$_POST['firstname'];
    if(preg_match("/[^a-zA-Z0-9]+/", $firstname))
    {
    echo 'Invalid Name';
    }
    else
    {
    echo $firstname;
    }

}
?>

<html>
<body>
<form method="post">
<input type="text" name="firstname"/>
<input type="submit" name="submit" value="Submit"/>
</form>
</body>
</html>
Marcin Nabiałek
PNG
  • Maybe this will help you. http://stackoverflow.com/a/14114419/466082 – Arturs Aug 13 '14 at 08:33
  • I suggest allowing `-` as a character in first names.... haven't you ever heard of `Jean-Claude Van Damme`? Though I can't think of any first names that contain numbers off the top of my head – Mark Baker Aug 13 '14 at 08:38

2 Answers

3

Blacklisting (=enumerating invalid characters) is not an option in the Unicode world. Consider, for example, a "name" like this:

Ж☝ⓚƒ

You don't really want to blacklist all of these.

A whitelisting approach is, on the contrary, quite simple using the u mode and Unicode properties:

var_dump(preg_match('/^[\p{L}\p{N}]+$/u', 'ßäßå'));  // 1
var_dump(preg_match('/^[\p{L}\p{N}]+$/u', 'r2d2'));  // 1
var_dump(preg_match('/^[\p{L}\p{N}]+$/u', 'w#t?'));  // 0
var_dump(preg_match('/^[\p{L}\p{N}]+$/u', 'Ж☝ⓚƒ'));  // 0

And since we're talking about validating real names, please read Falsehoods Programmers Believe About Names before you start complicating things.

georg
  • You could add some punctuation like `'` or `-` for `O'Connors` or `Jean-François` – Toto Aug 13 '14 at 09:10
  • @M42: the linked article is quite helpful and entertaining - read it! – georg Aug 13 '14 at 09:14
  • Sure, I've already read it, I just said it may have punctuation in the name. – Toto Aug 13 '14 at 09:18
  • @M42: I understand. The thing is, if we start adding punctuation, we should do this correctly (to disallow things like `O'O'Connor`) and then our assumptions about the structure will turn out wrong (they will do), and this is a never-ending story. There's no algorithm to validate every possible human name. – georg Aug 13 '14 at 09:23
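
The checks from the two answers run side by side over the same inputs, as an added example that is not part of either answer. The function names and the sample inputs are constructed here; the stricter `\A...\z` variant and the output escaping are additions to the pattern shown above.

```php
<?php
// Added example; function names are hypothetical, inputs are constructed.

// Blacklist as in the second answer: rejects only % $ # *.
function passes_blacklist(string $s): bool
{
    return preg_match('/[%$#*]/', $s) === 0;
}

// Whitelist as in the first answer, anchored with "$".
function passes_whitelist_dollar(string $s): bool
{
    return preg_match('/^[\p{L}\p{N}]+$/u', $s) === 1;
}

// Same whitelist with \A...\z: "$" also matches just before a final "\n".
// Under /u, preg_match() returns false for malformed UTF-8, hence "=== 1".
function passes_whitelist_strict(string $s): bool
{
    return preg_match('/\A[\p{L}\p{N}]+\z/u', $s) === 1;
}

// Escape when writing into HTML, whichever validator ran.
function render(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = [
    'letters and digits' => 'r2d2',
    'non-ASCII letters'  => 'ßäßå',
    'punctuation'        => 'w#t?',
    'trailing newline'   => "r2d2\n",
    'HTML markup'        => '<b>bold</b>',
    'malformed UTF-8'    => "caf\xE9",
];

foreach ($samples as $label => $s) {
    printf(
        "%-20s blacklist=%d  whitelist(\$)=%d  whitelist(\\z)=%d  html=%s\n",
        $label,
        passes_blacklist($s),
        passes_whitelist_dollar($s),
        passes_whitelist_strict($s),
        trim(render($s))
    );
}
```

The file is assumed to be saved as UTF-8 so that the non-ASCII sample is a valid UTF-8 string.
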
2

You should use:

([%\$#\*]+)

to match those characters.

So in preg_match you should use:

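if(preg_match("/([%\$#\*]+)/", $firstname))
{
   echo 'Invalid Name';
}
else
{
   // The check above still lets < > & and quotes through, so escape on output
   echo htmlspecialchars($firstname, ENT_QUOTES, 'UTF-8');
}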
β.εηοιτ.βε
Marcin Nabiałek