hi, I'd like to create a filter which allows almost all chars but without / < > ? =
I've read on some site that I should use the ^ char inside ranges, but if I try it, it doesn't work properly:

mod_rewrite:

RewriteRule ^(user/)([^\<\>\?=]+)([/]?)$    user.php?username=$2

php for validation:

return eregi ("[^\<\>\?=/]", $value);

how should I write it to set the right filter to allow all chars but not < > ? = / in my range?

can someone suggest to me other characters that should not be inserted in a URL string, for security or compatibility?

consider that I need to work with URLs like:
http://www.last.fm/music/小林武史
http://www.last.fm/music/Trentemøller
http://www.last.fm/music/Lindstrøm+&+Prins+Thomas

+1  A: 

This should be enough for both mod_rewrite and PHP:

([^/<>?=]+)

BTW, you shouldn't use eregi() in PHP, use preg_match() instead with the i modifier.

Alix Axel
Also use `'` instead of `"`.
OcuS
You shouldn't escape the ? in the character class.
mopoke
@mopoke: Ooops, you're right. Fixed.
Alix Axel
A: 

To put it in the colloquial, "ur doin it wrong". If you're not worrying about security in your script then no amount of blocking any characters will truly make your app secure short of cutting off the connection completely.

Ignacio Vazquez-Abrams
+1  A: 

Firstly, I don't think you need to escape all those characters in your character class. Try this instead:

RewriteRule ^(user/)([^<>?=/]+)(/?)$    user.php?username=$2

Secondly, don't use eregi, it's crazy (and deprecated). Use preg_match instead:

// anchored so the whole value must consist of allowed characters (\z rather than $, so a trailing newline is not accepted); u = treat $value as UTF-8
return preg_match('|^[^<>?=/]+\z|u', $value);

HTH.

Aistina
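As an added example (not code from the question or any of the answers), here is the negated character class from Aistina's and Alix's answers as a whole-string validator, run against the question's three URLs plus constructed rejected inputs, together with the output escaping that Ignacio's answer alludes to. It goes one step beyond the answers by also excluding control characters with \p{C}; it assumes the username arrives already URL-decoded (as $_GET values are) and is UTF-8.

```php
<?php
// Added example, not from the question or answers. It shows why the
// validation regex must be anchored, and that a negated class such as
// [^<>?=/] still admits control characters (the \p{C} exclusion goes beyond
// what the answers propose). Assumes UTF-8 input that is already URL-decoded.
// Unanchored, as in the answers: true as soon as ONE allowed character
// exists, so "a<b" is reported as acceptable.
function containsAnAllowedChar(string $value): bool
{
    return preg_match('|[^<>?=/]|u', $value) === 1;
}
// Anchored: every character must lie outside the forbidden set. \z (not $)
// refuses a trailing newline, and \p{C} additionally rejects control,
// format and unassigned code points that a plain negated class would admit.
function isValidUsername(string $value): bool
{
    return preg_match('|^[^<>?=/\p{C}]+\z|u', $value) === 1;
}
// Character filtering is not output security (Ignacio's point): escape for
// the context you write into, here the href and text of an HTML link.
function profileLinkHtml(string $username): string
{
    $href = 'http://www.last.fm/music/' . rawurlencode($username);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</a>';
}
// Constructed samples: the three names from the question plus rejected cases.
$samples = [
    '小林武史'                  => true,
    'Trentemøller'             => true,
    'Lindstrøm+&+Prins+Thomas' => true,
    'a<b'                      => false,
    'bob/../admin'             => false,
    "alice\n"                  => false, // $ alone would accept this
    "nul\0byte"                => false, // control char, caught by \p{C}
];
$failures = 0;
foreach ($samples as $value => $expected) {
    $got = isValidUsername($value);
    printf("%-30s anchored=%-5s unanchored=%s\n", json_encode($value),
        var_export($got, true), var_export(containsAnAllowedChar($value), true));
    $failures += $got === $expected ? 0 : 1;
}
echo profileLinkHtml('Lindstrøm+&+Prins+Thomas'), "\n";
exit($failures === 0 ? 0 : 1);
```

Running it prints one line per sample and exits non-zero if the anchored validator disagrees with the expected column; the unanchored column shows the answers' regex accepting "a<b" and "bob/../admin".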