I cannot get preg_match to accept single (') or double (") quotes. I am attempting this in PHP; the pattern is located in a "textarea."
I would like to allow both quote types, but neither is being accepted, which halts input into the database.
The pattern I have is
pattern="[a-zA-Z0-9.,()'!?:"\s]"
The preg match I have is
!preg_match("/^[a-zA-Z0-9.,()'!?:"\s]*$/", $description)
I have searched and tried everything.
When I try this
"/^['\a-zA-Z0-9.,()!?:\s]*$/"
it returns Lisa\'s instead of Lisa's
Filter the input, then run your check to make sure you're not storing a malicious bit of HTML or JavaScript, or a tag breaker. Then, once you get to binding your parameters with PDO for insertion, indicate it as a PARAM_STR.
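// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. By default it also encodes
// quotes as &#39; / &#34;, which the check below would reject, so turn that off.
$description = filter_input(INPUT_POST, 'description', FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
if (preg_match("~^[a-zA-Z0-9.,()\"'!?:\s]*$~", $description)) {
    // Call functions to prepare statements and insert into db here.
    // ...
    $stmt->bindValue(':description', $description, PDO::PARAM_STR);
}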
Since your preg_match now allows a single quote, let's leave it and get the slashes removed before inserting into the database.
Try this:
!preg_match("/^['\a-zA-Z0-9.,()!?:\s]*$/", $description))
And then before you bind your parameters in your prepared statement add this line of code:
$description = stripslashes(htmlentities($description));
@John Conde was correct. Make sure you always use prepared statements and bind your parameters.
Hope this is helpful
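
Added example, not part of the original posts: an allowlist check that accepts both quote types, compared with the `\a-z` pattern tried in the question, then storage through a PDO prepared statement with HTML encoding applied only at output. It assumes PHP 7.1 or later with the pdo_sqlite extension; the `items` table, the function names and the sample strings are constructed for illustration.

```php
<?php
// Added example (not from the original posts). Assumes PHP 7.1+ with pdo_sqlite;
// the table name, function names and sample inputs are constructed.

// Single-quoted PHP string: only ' needs a backslash, " is literal, and \s
// reaches PCRE unchanged. \A and \z anchor the whole string.
const DESCRIPTION_RE = '/\A[a-zA-Z0-9.,()\'"!?:\s]*\z/u';

// Pattern tried in the question: in PCRE "\a" is the BEL character (0x07), so
// "\a-z" is a range from 0x07 to "z" and admits <, >, =, / and \ as well.
const LOOSE_RE = '/^[\'\a-zA-Z0-9.,()!?:\s]*$/';

function isValidDescription(string $s): bool
{
    return preg_match(DESCRIPTION_RE, $s) === 1;
}

function storeDescription(PDO $db, string $s): void
{
    // The bound value is stored as given: no addslashes/stripslashes needed.
    $stmt = $db->prepare('INSERT INTO items (description) VALUES (:description)');
    $stmt->bindValue(':description', $s, PDO::PARAM_STR);
    $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (description TEXT)');

// Constructed inputs: one legitimate description, two that should be rejected.
$samples = ["Lisa's \"best\" cake!", '<b>bold</b>', 'back\\slash'];
foreach ($samples as $s) {
    printf("%-22s strict=%d loose=%d\n", $s,
        (int) isValidDescription($s), (int) preg_match(LOOSE_RE, $s));
    if (isValidDescription($s)) {
        storeDescription($db, $s);
    }
}

foreach ($db->query('SELECT description FROM items') as $row) {
    // Encode for HTML when rendering, not before storing.
    echo htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Only the first sample passes the strict pattern and is stored with its quotes intact, while all three pass the loose one.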