preg_match problem

I have built a form for adding new members. In the form, I have a line that reads:


	<p><b>Roll:</b> <input type="text" name="roll" size="10" maxlength="10" /> <small>either "user" or "admin"</small></p>

I then verify that the data is correct using:


	if (preg_match ('%^(admin|user])$%', stripslashes(trim($_POST['roll'])))) {
		$rl = escape_data($_POST['roll']);
	} else {
		$rl = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid roll!</font></p>';
	}

I am not getting past this check, and I have tried several different approaches.

Is this a good way to test that the roll is correct?

Why

Your regex works fine for ‘admin’. To make it work for ‘user’ as well, get rid of the ] after ‘user’.

In this case (a limited number of acceptable values) you could also put them in an array and then check with the in_array() function.

Thanks. That fixed this problem.

I will read the information at that link and may get back to you with more questions.

I have been using preg_match to filter the input as a means of slowing hackers.

If I use the in_array() function, do I need the preg_match to screen stray unwanted characters from the input data?

Well, firstly, ‘Roll’ is the wrong word. (You’re looking for ‘Role’ :wink: )

In_array will look specifically for that item - “admin” does not match “admine”, and vice versa. As a side note, though, in_array is case sensitive.

Then, I will correct everything to use the ‘role’ and eliminate the preg_match.

Will this do what I am trying to accomplish?


$t_rl = escape_data($_POST['role']);  // get the posted role for testing
$a_role = array("admin", "user"); // put allowed roles in the array
if (in_array("$t_rl, $a_role)) { // test the posted role and if it works set $rl to the correct role
    $rl=$t_rl;
} else {
    $rl = FALSE;
    echo '<p><font color="red" size="+1">Please enter a valid role!</font></p>';
}

Well, the coloration should tell you something’s not right there… (Hint: You’ve got an extra double-quote…) but other than that, looks about right.

Incidentally, since everyone has to either be an admin or a user, why use a text box for inputting this?

I see the error with the double-quote, and will fix that.

I use a text box because that is about the extent of my knowledge.

I suppose a drop-down selector would be better, but I haven’t tried doing anything like that other than using a program that produces a flash form.

Another way might be to have both options available with a check box, but again, a flash form builder program is the only way I have done that in the past.

I suspect that somewhere in the future, I will have to add a role of editor. That is something I know will be easy once I get the current form working, by adding editor to the array.

Why don’t you use regex? It’s simpler than that…

I will search for that and see what it does.

Because regex is rather wasteful if you’ve got a known, fixed pattern.

Bill: Regex was what you were using to begin with.

You shouldn’t really be using a text field for this, as this is exactly the kind of data the SELECT element was designed for.
Here’s your HTML updated to use a select instead of the text input. You can probably see how easily you can add a new option to the drop down list :slight_smile:

Changing this has no effect on your PHP code; the selected value is still sent to PHP as $_POST['role'].


<p>
    <label>
        Role:
        <select id="role" name="role">
            <option value="user">User</option>
            <option value="admin">Admin</option>
        </select>
    </label>
</p>
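
An added example, not part of any post in this thread: a server-side allowlist check for the role field using in_array() in strict mode, which rejects stray characters without a separate preg_match step and is still required when the form uses a select. The helper name validate_role() and the sample submissions are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Allowed roles, as in the thread; add "editor" here when it is needed.
const ALLOWED_ROLES = ['admin', 'user'];

/**
 * Return the submitted role if it is exactly one of the allowed values,
 * otherwise null. validate_role() is a hypothetical helper name.
 */
function validate_role(array $post): ?string
{
    $raw = $post['role'] ?? null;

    // A request can send role[]=admin, which arrives as an array, or omit
    // the field entirely; neither is a valid role.
    if (!is_string($raw)) {
        return null;
    }

    $role = trim($raw);

    // Third argument true = strict (===) comparison: an exact,
    // case-sensitive string match with no type juggling.
    return in_array($role, ALLOWED_ROLES, true) ? $role : null;
}

// Constructed sample submissions. The <select> only limits what a browser
// offers; a hand-built request can carry any of these values.
$samples = [
    ['role' => 'user'],
    ['role' => ' admin '],
    ['role' => 'Admin'],
    ['role' => 'admine'],
    ['role' => 'user<b>'],
    ['role' => ['admin']],
    [],
];

foreach ($samples as $post) {
    $rl = validate_role($post);
    $verdict = $rl === null ? 'rejected' : "accepted as '$rl'";
    printf("%-24s => %s\n", json_encode($post), $verdict);
}
```

Because the accepted value can only be one of the strings in ALLOWED_ROLES, no character filtering is needed before the comparison.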

Nice.

I will work on that tomorrow (today is meetings at work all morning, half the afternoon, and most of the evening is dinner).