/ security

Input Validation using Regular Expressions

Injection Vulnerabilities

For example SQL Injection

Sample code

SELECT * FROM users WHERE id='$id'

$id is fetched from the user input.

if user input is below,

';DELETE FROM users --

Sample code to create an SQL statement to select

SELECT * FROM users WHERE id='';DELETE FROM users --'

Check input values using regular expressions

Only alphanumeric and length 1-5

  • u : UTF-8 encoding
  • i : case-insensitive mode
  • \A \z : \A only ever matches at the start of the string. Likewise, \Z only ever matches at the end of the string.

^ and $

Using ^ and $ as Start of Line and End of Line Anchors.
$ still matches at the end of the string, and also before every line break.

ref: Regex Tutorial - Turning Modes On and Off for Only Part of The Regular Expression

Except control characters


Except control characters other than tab, carriage return and line feed