in reply to scalar localtime() to timestamp

Apart from your question, it's much easier and better (in terms of security) to check if the user has entered valid characters than to check for invalid characters. Your regex matches the string %()#^ which is not what you want. Valid characters in this case are whitespace, digits and colons:
my $LEGAL_CHARS = qr/[\s\d:]/;

Arjen

Re: Re: scalar localtime() to timestamp
by jonnyfolk (Vicar) on Oct 09, 2003 at 07:47 UTC

    I tried using the string %()#^ as my input, and the string was rejected. Because I know the exact format of the string I want to use, I haven't used \s white space but simply a space.

    As far as I can see from my testing I've got this aspect pretty much right and I can't see the argument for it being wrong. Perhaps you could explain?

      The double negation escaped my attention (I shouldn't post before 9:00 :-)
Re: Re: scalar localtime() to timestamp
by Anonymous Monk on Oct 09, 2003 at 07:23 UTC
    I think you got that sideways :)

    You always check for invalid characters. All he did was get the wrong character set, and all you have to do is negate the character class (otherwise, your answer is incomplete/wrong).

      I screwed up with the regex, but I still maintain the assertion that you should check for the valid characters in a string. The class of invalid input is infinitely greater than that of valid input. If you check for invalid input and you forget something, you potentially open a security hole. If you check for valid input and forget something, that's inconvenient, but not potentially dangerous.

      In this case, I got the double negation wrong, which is stupid. Also, the input set is very small, so easy to get right. In more complex cases the chance of forgetting something that is not allowed is much greater than forgetting something that is allowed. And in the latter case, it's merely inconvenient, and not dangerous.

      Arjen
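
The two approaches argued over in this thread, side by side, as an added example that is not part of any post above: the allowlist in its positive form and in its double-negation form, next to a denylist. The sub names, the sample inputs and the denylist's character list are constructed for illustration.

```perl
use strict;
use warnings;

# Allowlist from the thread, with a literal space instead of \s.
# /a restricts \d to ASCII 0-9 (Perl 5.14 and later).
my $LEGAL_CHARS = qr/[\d: ]/a;

# Positive form: every character must be legal. \A and \z anchor the whole
# string; a trailing "$" would still accept one newline at the end.
sub valid_positive {
    my ($s) = @_;
    return $s =~ /\A$LEGAL_CHARS+\z/ ? 1 : 0;
}

# Double-negation form: reject if any character outside the set appears.
sub valid_negated {
    my ($s) = @_;
    return 0 unless length $s;
    return $s =~ /[^\d: ]/a ? 0 : 1;
}

# Denylist for comparison; this list of "bad" characters is hypothetical.
sub valid_denylist {
    my ($s) = @_;
    return $s =~ /[%()#^]/ ? 0 : 1;
}

# Constructed sample inputs: [label, value].
my @samples = (
    [ 'plain timestamp',    '2003 10 09 07:47:00' ],
    [ 'string from thread', '%()#^' ],
    [ 'trailing newline',   "07:47:00\n" ],
    [ 'unlisted character', '07:47:00 & more' ],
    [ 'non-ASCII digits',   "\x{0661}\x{0662}:\x{0663}\x{0664}" ],
);

printf "%-20s %-9s %-8s %s\n", 'input', 'positive', 'negated', 'denylist';
for my $sample (@samples) {
    my ($label, $value) = @$sample;
    printf "%-20s %-9d %-8d %d\n", $label,
        valid_positive($value), valid_negated($value), valid_denylist($value);
}
```

Both allowlist forms accept only the plain timestamp, while the denylist also lets the last three inputs through because nobody listed those characters.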