1

Complete PHP newbie here trying to get to grips with literals and escapes, so apologies in advance that this is so basic. I've read lots of questions on preg_match but none seem to address this.

I have an old form which contains instances of the deprecated eregi() function using double quotes:

eregi("\n", $s)
eregi("%0a", $s)

Those 2 lines are part of a longer line to check for injection characters.

If I update the function to preg_match with delimiters and a trailing i, like so:

preg_match("/\n/i", $s)
preg_match("/%0a/i", $s)

Do I now also need to escape the \ and/or % with my own backslash(es)?

Thanks

5tevooo
  • No, no escaping needed. The only time you need to escape is for the normal instance of quotes inside quotes. Otherwise it's normal RegEx syntax inside the two forward slashes – JustCarty Mar 31 '17 at 01:02

1 Answer

0

Rather than running more than one preg_match() call, I recommend using pipes | to combine all invalid characters into one call.

In your case, no escaping is needed and you can use: preg_match("/\n|%0a/i", $s)

If you wish to add more blacklisted characters, you can test your pattern against your own sample input at https://regex101.com/

Lastly, if you don't necessarily want to block incoming data, but wish to remove blacklisted characters you could use preg_replace().

mickmackusa
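An added example (not part of the original question or answer) showing the two eregi() checks converted to a single case-insensitive preg_match() call, plus the preg_replace() alternative. It goes beyond the thread by also covering \r and %0d; the function names and sample strings are constructed for illustration.

```php
<?php
// Added example. has_injection_chars() and strip_injection_chars()
// are hypothetical helper names, not from the original form.

const INJECTION_PATTERN = "/\n|\r|%0a|%0d/i";
// Double-quoted PHP string: PHP turns \n and \r into real LF/CR bytes
// before PCRE sees the pattern. The single-quoted '/\n/' also works,
// because PCRE itself understands \n. % is not a regex metacharacter,
// so it needs no backslash. The trailing i keeps eregi()'s
// case-insensitivity, so %0A is caught as well as %0a.

function has_injection_chars(string $s): bool
{
    $result = preg_match(INJECTION_PATTERN, $s);
    if ($result === false) {
        // preg_match() returns false on error, which a loose if() would
        // read as "no match". Fail closed and treat the input as unsafe.
        return true;
    }
    return $result === 1;
}

function strip_injection_chars(string $s): string
{
    // Repeat until nothing is removed: one pass over "%%0a0a" deletes the
    // inner "%0a" and leaves a fresh "%0a" behind.
    do {
        $s = preg_replace(INJECTION_PATTERN, '', $s, -1, $count) ?? '';
    } while ($count > 0);
    return $s;
}

// Constructed sample inputs.
$samples = [
    'plain text'        => "line one, line two",
    'literal newline'   => "line one\nline two",
    'encoded lowercase' => "line one%0aline two",
    'encoded uppercase' => "line one%0Aline two",
    'nested encoding'   => "line one%%0a0aline two",
];

foreach ($samples as $label => $value) {
    printf("%-18s %-7s stripped: %s\n", $label,
        has_injection_chars($value) ? 'reject' : 'ok',
        strip_injection_chars($value));
}
```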