PHP and Regular Expressions question?

Question

I was wondering if the codes below are the correct way to check for a street address, email address, password, city and url using preg_match using regular expressions?

And if not how should I fix the preg_match code?

 preg_match ('/^[A-Z0-9 \'.-]{1,255}$/i', $trimmed['address']) //street address
 preg_match ('/^[\w.-]+@[\w.-]+\.[A-Za-z]{2,6}$/', $trimmed['email'] //email address
 preg_match ('/^\w{4,20}$/', $trimmed['password']) //password
 preg_match ('/^[A-Z \'.-]{1,255}$/i', $trimmed['city']) //city
 preg_match("/^[a-zA-Z]+[:\/\/]+[A-Za-z0-9\-_]+\\.+[A-Za-z0-9\.\/%&=\?\-_]+$/i", $trimmed['url']) //url

Answer 1

Your street address: ^[A-Z0-9 \'.-]{1,255}$

• you need not escape the single quote.
• since you have a dot in the char class, it will allow all char (except newline). So effective your regex becomes ^.{1,255}$
• you are allowing it to be of min length of 1 and max of length 255. I would suggest you to increase the min length to something more than 1.

Your email regex: ^[\w.-]+@[\w.-]+\.[A-Za-z]{2,6}$

• again you are having . in the char class. fix that.

Your password regex: ^\w{4,20}$

• allows for a passwd of length 4 to 20 and can contain only alphabets(upper and lower), digits and underscore. I would suggest you to allow special char too..to make your password stronger.

Your city regex: ^[A-Z \'.-]{1,255}$

• has . in char class
• allows min length of 1 (if you want to allow cities of 1 char length this is fine).

EDIT:

Since you are very new to regex, spend some time on Regular-Expressions.info

Answer 2

There's not really a 'correct' way to check for any of those things. It depends on what exactly your requirements are.

For e-mail addresses and URLs, I'd recommend using filter_var instead of regexps - just pass it FILTER_VALIDATE_EMAIL or FILTER_VALIDATE_URL.

With the other regexps, you need to make sure you escape . inside character classes (otherwise it'll allow everything), and you might want to consider that the City/Street ones would allow rubbish such as ''''', or just whitespace.

Answer 3

Please don't assume that you know how an address is made up. There are thousands of cities, towns and villages with characters like & and those from other alphabets.

Just DON'T try to validate an address unless you do it thru an API specific to a country (USPS for the US, for example).

And why would you want to limit the characters in a users password? Don't have ANY requirements on the password except for it existing.

Your site will be unusable if you use those regex.

Answer 4

This seems overly complicated to me. In particular I can see a few things that won't work:

1. Your regex will fail for cities with non-ASCII letters in their names, such as "Malmö" or 서울, etc.
2. Your password validator doesn't allow for spaces in the password (which is useful for entering pass-phrases) it doesn't even allow digits or punctuation, which many people will like to put in their passwords for added security.
3. You address validator won't allow for people who live in apartments (12/345 Foo St)

(this is assuming you meant "\." instead of "." since "." matches anything)

And so on. In general, I think over-reliance on regular expressions for validation is not a good thing. You're probably better off allowing anything for those fields and just validating them some other way.

For example, with email addresses: just because an address is valid according to the RFC standard doesn't mean you'll actually be able to send email to it (or that it's the correct email address for the person). The only reliable way to validate an email address is to actually send an email to it and get the person to click on a link or something.

Same thing with URLs: just because it's valid according to the standard doesn't actually mean there's a web page there. You can validate the URL by trying to do an actual request to fetch the page.

But my personal preference would be to just do the absolute minimum verification possible, and leave it at that. Let people edit their profile (or whatever it is you're verifying) in case they make a mistake.