Form Validation/Regex/SQL Injection Question


JD.

I'm a little confused about a couple of things with form validation, which I was hoping someone could shed a little light on for me.

First off, I've used JavaScript form validation before, but recently found out that this can easily be bypassed just by turning it off in the browser, which obviously makes my site/database very vulnerable!! Now, I never fully understood JS regex, or PHP regex either; the PHP version looks similar, but I've noticed slightly different things, and this has been causing me grief for the past couple of days. Just when I think I understand it, I alter something slightly and it stops working or brings back an error, etc. So this is what I've been messing around with and got so far. I've got the form on the first page with the fields:

username, firstname, lastname, password, confirmpassword, email, confirmemail

On the JavaScript side of things, I've somehow managed to fiddle with bits of it and miraculously got it to work how I wanted it... however, PHP... :wtf: I'm not even sure I'm using the right functions. I read that ereg/eregi are soon to be deprecated and that preg_match should be used instead?

Anyway, here is what I've got so far with the PHP (I created the variables from $_POST['username'] etc.):

$username  = isset($_POST['username'])  ? $_POST['username']  : '';
$firstname = isset($_POST['firstname']) ? $_POST['firstname'] : '';
$lastname  = isset($_POST['lastname'])  ? $_POST['lastname']  : '';
$password  = isset($_POST['password'])  ? $_POST['password']  : '';
$error = '';

if (strlen($username) < 2 || strlen($username) > 32) {   // the message promises 2-32, so check both ends
    $error = "Your Username must be between 2-32 characters.";

} else if (!preg_match('/^[a-zA-Z0-9_-]+$/', $username)) {   // a hyphen last in the class is a literal hyphen; + rejects the empty string
    $error = "Usernames can only contain letters, numbers, hyphens and underscores.";

} else if (!preg_match('/^[a-zA-Z-]+$/', $firstname)) {   // letters and hyphens only, as the message says (no digits)
    $error = "First Names can only contain letters and hyphens.";

} else if (!preg_match('/^[a-zA-Z-]+$/', $lastname)) {
    $error = "Last Names can only contain letters and hyphens.";

} else if ($username === $password) {   // ===, because == treats numeric-looking strings as numbers ("1e3" == "1000")
    $error = "Passwords must be different from your Username.";

} else if (!preg_match('/^[a-zA-Z0-9]+$/', $password)) {
    $error = "Passwords can only contain letters and numbers.";
}

Username works fine; however, I would like it to accept special characters such as á, ü, things like that, but I'm not sure how to go about it. Would it be put in as (á|ü|í) etc., or is there a certain value I can give it that is similar to a-zA-Z0-9 etc.? Listing every single character in the brackets seems a bit excessive!? (I'd need to add this to the JS validation too, thinking about it; more pain for me to go through :( ... :P)

First and last names don't seem to work 100% either; it doesn't seem to recognize that hyphens are allowed. I've tried placing the hyphen at the start of the a-z instead of the end, and tried adding a \ beforehand, but no luck :(

I've tried numerous ways to check if the password contains at least 1 letter and 1 number too, but nothing! It's the same with checking if the email is valid. I've looked on so many sites and it's hard to find an understandable explanation of how it actually works. The only one which has seemed to help me so far was: http://articles.sitepoint.com/article/regular-expressions-php/2

Where it had: (I altered the variable at the end to match mine; that's all I changed)

if (eregi('^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$', $email)) { echo 'Valid'; } else { echo 'Invalid'; }

But it uses ereg, not preg_match, and as soon as I change it, it doesn't want to work, so it obviously needs slight changes, and I don't want to keep ereg if it's soon going to be unusable. I tried adding / at the start as well as the * or + before the $ like the others, but it still doesn't want to play ball.

The next thing is, I've read up a little on the "security" side of things and see that SQL injection is a pretty serious thing! Now, if I can get all my form validation to work, is it really necessary to use it? Things such as mysql_real_escape_string(); because technically they should only have been able to put in what I'm allowing them to, or is there still a way they can get past it all? I don't particularly like the sound of my database being up for attack, so I guess I'll put it in just to be on the safe side. The same goes for htmlentities(); is it necessary to use things such as:

    htmlentities($username, ENT_QUOTES);

before everything goes into the database? Also, what about using stripslashes()? Doesn't mysql_real_escape_string() do that as well as the rest of it, or am I completely getting this all wrong?

I really have tried checking around before posting for help, but it genuinely has brought me to yet another standstill with the progression of my site... again, so I would really appreciate any help :D

Link to comment
Share on other sites
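The checks asked about above (accented letters without listing them, hyphens in names, "at least one letter and one number", and the eregi() line converted to preg_match()), as an added example that is not the poster's code nor the sitepoint article's. It assumes PHP 7.4 or later with the mbstring extension, the seven field names from the thread, and constructed sample submissions in place of $_POST so it runs from the command line. It goes a little beyond the post by also comparing the confirm fields and capping lengths; the password alphabet is deliberately left unrestricted, since a hashed password can contain any character.

```php
<?php
// Added example (not the poster's code): server-side checks with preg_match().
// Assumes the seven field names from the thread and the mbstring extension;
// $_POST is replaced by constructed arrays so the script runs from the command line.
declare(strict_types=1);

function validateRegistration(array $post): array
{
    $errors = [];
    $field  = fn(string $name): string => trim((string) ($post[$name] ?? ''));

    $username = $field('username');
    $first    = $field('firstname');
    $last     = $field('lastname');
    $password = (string) ($post['password'] ?? '');        // never trim passwords
    $confirm  = (string) ($post['confirmpassword'] ?? '');
    $email    = $field('email');
    $confirmE = $field('confirmemail');

    // \p{L} is any letter in any script (á, ü, ß, ...), \p{N} any digit; the /u flag makes
    // PCRE read pattern and subject as UTF-8. {2,32} replaces a separate strlen() test, and
    // since no whitespace is in the class, a space fails here without a second check.
    if (!preg_match('/^[\p{L}\p{N}_\'-]{2,32}$/u', $username)) {
        $errors[] = 'Username must be 2-32 characters: letters, numbers, apostrophes, hyphens and underscores, no spaces.';
    }

    // Letters, with single hyphens only between letter groups: Jean-Luc yes, -Luc or Jean--Luc no.
    // (Inside a class a hyphen is literal when it is first or last: [-a-z] or [a-z-].)
    $namePattern = '/^\p{L}+(?:-\p{L}+)*$/u';
    foreach (['First name' => $first, 'Last name' => $last] as $label => $value) {
        if (!preg_match($namePattern, $value) || mb_strlen($value) > 50) {
            $errors[] = "$label can only contain letters and hyphens (max 50).";
        }
    }

    // "At least one letter and one number" = two lookaheads that each scan the whole string.
    // The alphabet is deliberately not restricted; password_hash() accepts any bytes, and
    // bcrypt (PASSWORD_DEFAULT) uses only the first 72 bytes, hence the byte-length cap.
    if (!preg_match('/^(?=.*\p{L})(?=.*\p{N}).{8,}$/u', $password) || strlen($password) > 72) {
        $errors[] = 'Password must be 8-72 characters and contain at least one letter and one number.';
    } elseif ($password !== $confirm) {
        $errors[] = 'Passwords do not match.';
    } elseif (mb_strtolower($password) === mb_strtolower($username)) {
        $errors[] = 'Password must be different from your username.';
    }

    // The eregi() line from the article becomes preg_match() by adding delimiters and the
    // /i flag (eregi's case-insensitivity):
    //   preg_match('/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/i', $email)
    // Its {2,4} TLD rule rejects real addresses (user@example.museum), so PHP's validator is used.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    } elseif (strcasecmp($email, $confirmE) !== 0) {
        $errors[] = 'Email addresses do not match.';
    }

    return $errors;
}

// Constructed sample submissions standing in for $_POST.
$good = [
    'username' => "Jürgen_O'Reilly", 'firstname' => 'Jean-Luc', 'lastname' => 'Müller',
    'password' => 'hunter2abc', 'confirmpassword' => 'hunter2abc',
    'email' => 'jean.luc@example.co.uk', 'confirmemail' => 'Jean.Luc@example.co.uk',
];
$bad = $good;
$bad['username']        = "rob'; DROP TABLE users; --";   // space and ';' are not in the class
$bad['firstname']       = '-Luc';
$bad['password']        = 'password';                     // no digit
$bad['confirmpassword'] = 'password';

foreach (['good' => $good, 'bad' => $bad] as $label => $submission) {
    $errors = validateRegistration($submission);
    echo "$label: " . ($errors ? "\n  " . implode("\n  ", $errors) : 'all fields valid') . "\n";
}
```

Run it with php validate.php: the first submission passes every check and the second collects three errors (username, first name, password). Note that the username rule now admits an apostrophe, which is exactly the character that breaks a query built by string concatenation; the validation above is an allowlist for the application's own rules, not a substitute for parameterized SQL.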

After spending all day searching, reading, altering and guessing! :P

I've managed to get the username to accept special characters, and I also read that allowing single quotation marks is a good idea for a username, because if someone wanted their username to be O'Reilly, for example, they wouldn't be able to! Of course, now it would make sense to use htmlentities() with ENT_QUOTES before entering it into the database, just in case. If anyone is interested in knowing what I did to get it to work, here is what I used.

// Note: '\\\\' in a single-quoted PHP string reaches PCRE as \\, so a literal backslash is
// accepted too, and without the /u modifier the accented letters are matched as bytes.
if (!preg_match('/^[-_a-zA-Z0-9\'ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝÞ\\\\ßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýþÿ]*$/', $username)) {
    $error = "Usernames can only contain letters, numbers, single quotations, hyphens and underscores.";

    // A space already fails the pattern above; this only swaps in a more specific message.
    if (preg_match('/[\s]/', $username)) {
        $error = "Usernames can only contain letters, numbers, single quotations, hyphens and underscores, no spaces.";
    }

} else {
    // whatever
}

The reason I did a separate check for spaces was because I don't want usernames to contain any spaces :), and I don't think I could put it into a !preg_match since it's the opposite...

I'm still having trouble with the JS side of it, but this, after all, is a PHP forum, so I'll find out the solution to that elsewhere. My understanding of regex has actually improved, so I'm hoping I can figure out the rest of the PHP side of it now :)

Link to comment
Share on other sites
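The database side of the question (whether escaping is still needed once validation works, and where htmlentities() belongs), as an added example that is not the poster's code. It uses PDO with an in-memory SQLite database so it runs offline (pdo_sqlite assumed; the same calls work against MySQL with a mysql: DSN), and constructs its own two user rows. Two things it rests on: the mysql_* functions were removed in PHP 7, and stripslashes() is simply the inverse of addslashes(), kept around to undo the old magic_quotes_gpc setting; mysql_real_escape_string() added backslashes, it never removed them. With a prepared statement the value never becomes part of the SQL text, so nothing has to be escaped by hand, and the O'Reilly username the second post wants to allow is stored exactly as typed.

```php
<?php
// Added example (not the poster's code). Uses an in-memory SQLite database through PDO so it
// runs offline; swap the DSN for 'mysql:host=...;dbname=...' and the same calls work on MySQL.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // matters on MySQL: real server-side prepares
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');

function registerUser(PDO $pdo, string $username, string $password): void
{
    // Stored exactly as typed: no mysql_real_escape_string(), addslashes() or htmlentities().
    // The placeholder keeps the value out of the SQL text, so quoting is never needed.
    $stmt = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function findUserConcatenated(PDO $pdo, string $username): array
{
    // The input becomes part of the SQL text. Shown only as the "before"; do not do this.
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // The password is compared against its hash, never stored or compared as plain text.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample data.
registerUser($pdo, "O'Reilly", 'correct horse battery staple');
registerUser($pdo, 'alice', 'hunter2abc');

// 1. A legitimate apostrophe: fine through a placeholder, a syntax error when concatenated.
print_r(findUserPrepared($pdo, "O'Reilly"));
try {
    findUserConcatenated($pdo, "O'Reilly");
} catch (PDOException $e) {
    echo "Concatenated query broke on the apostrophe: {$e->getMessage()}\n";
}

// 2. An injection payload: rewrites the WHERE clause when concatenated, matches nothing when bound.
$payload = "x' OR '1'='1";
print_r(findUserConcatenated($pdo, $payload));
print_r(findUserPrepared($pdo, $payload));

// 3. Login check against the stored hash.
var_dump(checkLogin($pdo, "O'Reilly", 'correct horse battery staple'));
var_dump(checkLogin($pdo, "O'Reilly", 'wrong'));

// 4. HTML encoding belongs at output time, once, for the context the value is printed into.
foreach (findUserPrepared($pdo, "O'Reilly") as $u) {
    echo '<p>Welcome, ' . htmlspecialchars($u, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</p>\n";
}
```

Running it, the prepared lookup returns the single O'Reilly row while the concatenated one throws on the apostrophe; for the payload the concatenated lookup returns every username in the table and the prepared one returns an empty set; the first login check is true and the second false. This is why validation and parameterization are separate layers: the allowlist decides what the application accepts, the placeholder guarantees that whatever is accepted cannot change the query. htmlentities() or htmlspecialchars() is output encoding for HTML; applied before the INSERT it would store O&#039;Reilly, which then fails username lookups and gets double-encoded on any page that escapes correctly.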
