Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Monks

I am trying to check the following input for nasties, and to make sure users have not entered things incorrectly (i.e. a \ in your name).

Fullname = Upper/Lower Case, Spaces, Min 1, Max 30, '`-
Username = Lower Case Only, Start With Char, Numbers, Min 3, Max 16, -_.
Password = Min 6, Max 30

I am currently doing it like this:
if ($sup_fullname !~ /^[-.\w\s]{1,30}$/) { $message = $message.'<p>Full Name Error: 1-30 Chars, No Symbols.</p>'; $found_err = 1; }
Is there a better way? Or could someone give me some good regexps? My code is running in taint, and I understand this traps some nasties?

Re: Reasonable RegExps
by dws (Chancellor) on May 16, 2003 at 23:57 UTC
    Is There a better way?

    It might be easier on your users, as well as on whoever picks up the code later to split the check into pieces--separating out the length checks, for example. This lets you tailor error messages. Also, consider inverting the test so that you're detecting anything that's not legal.

    Something like the following untested fragment might work for you:

    my $len = length($sup_fullname);
    if ( $len == 0 ) {
        $message .= "<p>You must provide a Full Name.</p>";
        $found_err = 1;
    }
    elsif ( $len > 30 ) {
        $message .= "<p>Full Name is limited to 30 characters.</p>";
        $found_err = 1;
    }
    elsif ( $sup_fullname =~ /[^-.'\w\s]/ ) {
        $message .= "<p>Full Name cannot contain special symbols</p>";
        $found_err = 1;
    }

    Take extra care to not insult people who have full names longer than 30 characters. I know of two such people.
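The same staged approach carried through for all three fields from the question (length first, then a whitelist of allowed characters, with a specific message per failure). This is an added example, not dws's or the original poster's code; the `%rules` table, `validate_field` name and the sample input are my own, and the password is only required to be printable since the question sets no character rule for it.

```perl
use strict;
use warnings;

# Rules per field, taken from the question: length bounds plus the
# characters that are allowed. Each field is checked in stages so the
# user gets a specific message rather than one catch-all error.
# \A and \z are used instead of ^ and $ so a trailing newline cannot
# slip past the check.
my %rules = (
    fullname => {
        min => 1, max => 30,
        allowed => qr/\A[[:alpha:] '`-]+\z/,
        charmsg => "letters, spaces, apostrophes, backticks and hyphens",
    },
    username => {
        min => 3, max => 16,
        allowed => qr/\A[a-z][a-z0-9._-]*\z/,   # must start with a letter
        charmsg => "lower-case letters, digits and . _ - (starting with a letter)",
    },
    password => {
        min => 6, max => 30,
        allowed => qr/\A[[:print:]]+\z/,         # assumed: any printable character
        charmsg => "printable characters",
    },
);

# Returns an empty list when the value is acceptable, otherwise a list
# of HTML error fragments in the style used in the question.
sub validate_field {
    my ($field, $value) = @_;
    my $r = $rules{$field} or die "unknown field '$field'";
    my $label = ucfirst $field;
    $value = '' unless defined $value;
    my $len = length $value;

    return ("<p>$label Error: you must provide a value.</p>") if $len == 0;
    return ("<p>$label Error: at least $r->{min} characters required.</p>") if $len < $r->{min};
    return ("<p>$label Error: limited to $r->{max} characters.</p>")       if $len > $r->{max};
    return ("<p>$label Error: only $r->{charmsg} allowed.</p>")
        unless $value =~ $r->{allowed};
    return ();
}

# Constructed sample input (not from the question): the backslash in the
# full name and the leading digit in the username are rejected.
my %input = (fullname => 'Ann O\'Neil\\', username => '1abc', password => 'hunter22');
my @errors = map { validate_field($_, $input{$_}) } sort keys %input;
if (@errors) { print "$_\n" for @errors } else { print "All fields OK\n" }
```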

Re: Reasonable RegExps
by broquaint (Abbot) on May 16, 2003 at 23:58 UTC
    Is There a better way?
    These regexes should fit your criteria
    my $fullname = qr/\A[a-z]{1,30}\z/i;
    my $username = qr/\A[a-z]\w{2,16}\z/i;
    my $password = qr/\A.{6,30}\z/;
    Check out perlre for more info on the above regexes.
    HTH

    _________
    broquaint

      I think I'd be inclined to not use /[a-z]/i, I personally think the below is easier to read.

      my $fullname = qr/\A[[:alpha:]]{1,30}\z/;
      my $username = qr/\A[[:alpha:]]\w{2,16}\z/;

      TIMTOWTDI


      ---
      demerphq

      <Elian> And I do take a kind of perverse pleasure in having an OO assembly language...
Re: Reasonable RegExps
by markjugg (Curate) on May 17, 2003 at 00:45 UTC
    You might also look into Data::FormValidator, which helps with input validation and error display. It works with custom regular expressions. You might also look at Regexp::Common as a starting point for solid REs, which you can use with Data::FormValidator if you'd like. If you are using CGI::Application, which I recommend, you can use CGI::Application::ValidateRM to easily reload the form with errors. Otherwise, you may still want to look into HTML::FillInForm.

    Mark

Re: Reasonable RegExps
by MrYoya (Monk) on May 17, 2003 at 00:48 UTC
    Setting taint mode (-T) makes perl mark variables with questionable input as tainted. The use of tainted variables is restricted, to protect yourself.

    Run man perlsec for more info.