Hey John; Hey Carl.

I've heard this debate before; i.e. regular expressions vs. PHP string
formatting functions.

The problem I'm dealing with will require, I believe, a combination of
preg_replace(), str_replace(), strstr(), and strpos().

To my limited knowledge, there is no way to remove white space with PHP
string functions; when I use strip_tags on a block of html text, whitespace
results; thus the need for preg_replace().

The rest can most likely be taken care of with PHP string functions,
although I'm running into a few headaches with user errors; i.e. when a
coach types up his/her team roster and mistakenly adds extra spaces between
fields (e.g. player height = 6'   2" instead of 6' 2"), or roster fields do
not match up with our roster table fields (e.g. one team roster has a field
for player's favorite professional athlete) -- in these cases it may be that
I'll need to use regular expressions to crawl through roster string data
looking for word boundaries and the like.

I'm new to regular expressions to say the least -- just took the dive in
yesterday; much to learn.......

If either of you feel like elaborating on the pros and cons of regular
expressions vs. PHP string functions, let me know.

--Noah
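An added example (not code from Noah or anyone else in this thread) of the whitespace problem described above: strip_tags() leaves the whitespace that sat between tags, and a run of spaces cannot be collapsed with one str_replace() call, so preg_replace() does that part while the PHP string functions handle the rest. The roster line format and the sample cell are constructed for the example.

```php
<?php
// Added example, not from the thread: normalising a roster field after
// strip_tags(), then splitting a roster line on a separator that a coach
// may have surrounded with stray spaces.

function normalize_roster_field(string $html): string
{
    // strip_tags() removes the markup but keeps the whitespace that was
    // between the tags (newlines, tabs, runs of spaces).
    $text = strip_tags($html);

    // Decode entities such as &nbsp; and turn the no-break space (U+00A0)
    // into a plain space so the collapse below sees it as whitespace.
    $text = html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    $text = str_replace("\xC2\xA0", ' ', $text);

    // Collapse any run of whitespace to one space, then trim both ends.
    $text = preg_replace('/\s+/u', ' ', $text);
    return trim($text);
}

// Split a roster line into fields, e.g. "Smith ,  6'   2\"  , 180"
// becomes ["Smith", "6' 2\"", "180"] (separator is an assumption).
function split_roster_line(string $line, string $separator = ','): array
{
    $line = normalize_roster_field($line);
    return array_map('trim', explode($separator, $line));
}

// Constructed sample input: a table cell with markup and extra spaces.
$sample = "<td>\n  6'   2\"&nbsp;</td>";
echo normalize_roster_field($sample), "\n";
print_r(split_roster_line("Smith ,  6'   2\"  , 180"));
```

The str_replace() for the no-break space runs before the preg_replace() because, without the PCRE_UCP option, `\s` in a `/u` pattern does not match U+00A0.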



----- Original Message -----
From: "CPT John W. Holmes" <[EMAIL PROTECTED]>
To: "Carl Furst" <[EMAIL PROTECTED]>; "Noah"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, May 29, 2003 10:18 AM
Subject: Re: [PHP] strip_tags() Quandry....


> Yes, no problem! Glad it worked out. you may wish to actually study the
> perlre man page on perl.com. This goes into the most details and talks
> about how PERL actually EXTENDS shell regular expressions significantly and
> is an excellent resource that I have used many many times.
>
> I figure since PHP regexps are perl compatible, might as well go to the
> source, no?
>
> My other suggestion is that if you are taking this HTML and putting into a
> database, especially MySQL you should scrub for pipes, nulls and slashes,
> hackers can exploit user input to open a tty or shell or even access user
> files like /etc/passwd and mess wid ya.... here are a few regexps that do
> that

While I agree that regexps are powerful and useful, the examples you gave are
better suited to using str_replace(), trim(), or nl2br() calls rather than a
regular expression.

Also, about the "warning" for inserting data into a database... try not to
scare people too much. If you have

column = '$value'
or
column = "$value"

in your query, as long as you've run addslashes on $value to escape single
quotes in the first case and double quotes in the second, there are no
vulnerabilities.

If you have

column = $column

then you BETTER make sure that $column is a number and only a number. When
you put unquoted (unquoted within the actual SQL, not PHP) values into your
SQL, that's when you open yourself up to vulnerabilities if you're not
validating that the value is only a number.


> For pipes:
> preg_replace('/\|/','',$html_string);
>  For nulls:
> preg_replace('/\0/','',$html_string);
> For slashes
> preg_replace('/\//','',$html_string);  # to be clearer, you can use s!\/!
> g; just so you can see where the regexp begins and ends.

str_replace('|','',$html_string);
etc...

> Some other useful ones for data like the stuff you're doing:
> Spaces at the beginning:
> /^\s/
> spaces at the end:
> /\s$/

trim()

> <br> tags into \n
> preg_replace('!\<br\>!', "\n", $string);

nl2br();

---John Holmes...
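An added example (not code from John, Carl or Noah) of the two query shapes John distinguishes above: an unquoted numeric value that must be checked to be digits and nothing else, and a quoted string value that is escaped before it goes into the SQL text. It goes one step past the thread by also showing a prepared statement, where the value is sent separately from the SQL and no escaping is needed for safety. The table name `roster`, the column names and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not from the thread: building the WHERE clauses John
// describes, with the digit check for the unquoted case.

// Unquoted numeric value: anything but digits is refused, because an
// unquoted value that is not only a number becomes part of the SQL itself.
function numeric_clause(string $column, string $input): string
{
    if (!ctype_digit($input)) {
        throw new InvalidArgumentException("Expected digits only for $column");
    }
    return sprintf('%s = %d', $column, (int) $input);
}

// Quoted string value: escape the quote character used around it.
// addslashes() is what the thread names; mysqli_real_escape_string() is
// the database-aware replacement when a connection is available.
function quoted_clause(string $column, string $input): string
{
    return sprintf("%s = '%s'", $column, addslashes($input));
}

// Prepared statement: the value never touches the SQL text, so neither
// addslashes() nor the digit check is needed for safety (a digit check is
// still useful as input validation). Table and column names are assumed.
function find_player(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM roster WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed inputs: a name with a quote in it, a valid id, and an id
// field that is not only a number and is therefore rejected.
echo quoted_clause('name', "O'Neil"), "\n";
echo numeric_clause('id', '42'), "\n";
try {
    echo numeric_clause('id', '42 extra'), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

ctype_digit() is used rather than is_numeric() because the latter also accepts signs, decimals, exponents and surrounding whitespace, which is more than "a number and only a number" for an unquoted integer column.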




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php