人名的PHP正则表达式 [英] PHP Regex for human names

问题描述

我使用的人名正则表达式遇到了一些问题.

I've run into a bit of a problem with a Regex I'm using for humans names.

$rexName = '/^[a-z' -]$/i';

假设一个名叫Jürgen的用户希望注册?还是鲍勃?在欧洲这很普遍.对此有特殊的记号吗?

Suppose a user with the name Jürgen wishes to register? Or Böb? That's pretty commonplace in Europe. Is there a special notation for this?

将Jürgen名称与正则表达式创建者相对应，然后将其拆分为ü字母...

, just threw the Jürgen name against a regex creator, and it splits the word up at the ü letter...

http://www.txt2re. com/index.php3?s = J％FCrgen + Blalock& submit =显示+匹配

好吧，由于检查此类特定内容很困难，为什么不使用只检查非法字符的正则表达式呢?

Allright, since checking for such specific things is hard, why not use a regex that simply checks for illegal characters?

$rexSafety = "/^[^<,\"@/{}()*$%?=>:|;#]*$/i";

(现在其中哪些可以真正用于任何黑客尝试中?)

(now which ones of these can actually be used in any hacking attempt?)

例如.这允许'和-号，但您需要一个;号.使其在SQL中起作用，这些字符将被停止.我缺少其他用于HTML注入SQL攻击的常用字符吗?

For instance. This allows ' and - signs, yet you need a ; to make it work in SQL, and those will be stopped.Any other characters that are commonly used for HTML injection of SQL attacks that I'm missing?

推荐答案

我真的会说:不要尝试验证名称:有一天或另一天，您的代码将遇到它认为是错误"的名称. .当应用程序告诉他"您的名字无效"时，您怎么看待人?

I would really say : don't try to validate names : one day or another, your code will meet a name that it thinks is "wrong"... And how do you think one would react when an application tells him "your name is not valid" ?

根据您真正想要实现的目标，您可以考虑使用某种黑名单/过滤器，以排除您所考虑的非名称":它可能会让一些不良名称"通过，但是，至少，它不应阻止任何现有名称访问您的应用程序.

Depending on what you really want to achieve, you might consider using some kind of blacklist / filters, to exclude the "not-names" you thought about : it will maybe let some "bad-names" pass, but, at least, it shouldn't prevent any existing name from accessing your application.

以下是一些我想到的规则示例:

Here are a few examples of rules that come to mind :

• 没有电话号码
• 没有特殊字符，例如"~{()}@^$%?;:/*§£ø和其他一些
• 不超过3个空格吗?
• "admin"，"support"，主持人"，"test"和其他一些显而易见的非名字都没有，人们在不想输入真实姓名时会倾向于使用这些非名字...
  • (但是，如果他们不想给您起名字，他们仍然不会，即使您禁止他们随意输入一些字母，他们也可以使用真实姓名...这不是他们的名字)
  • no number
  • no special character, like "~{()}@^$%?;:/*§£ø and probably some others
  • no more that 3 spaces ?
  • none of "admin", "support", "moderator", "test", and a few other obvious non-names that people tend to use when they don't want to type in their real name...
    • (but, if they don't want to give you their name, their still won't, even if you forbid them from typing some random letters, they could just use a real name... Which is not their's)

    是的，这并不完美；是的，它会让一些非名称通过...但是，对于您的应用程序来说，它可能比说某人您的名称错误"更好.(是的，我坚持^^)

    Yes, this is not perfect ; and yes, it will let some non-names pass... But it's probably way better for your application than saying someone "your name is wrong" (yes, I insist ^^ )

    
    并且，要回答您在另一个答案下留下的评论:

    
    And, to answer a comment you left under one other answer :

    我只能禁止大多数命令 SQL注入和XSS的字符 攻击，

    I could just forbid the most command characters for SQL injection and XSS attacks,

    关于SQL注入，必须先将数据转义到数据库后才能转义；而且，如果您始终转义这些数据(应该！)，则不必担心用户可能输入或不输入什么:因为转义后的数据始终对您没有风险.

    About SQL Injection, you must escape your data before sending those to the database ; and, if you always escape those data (you should !), you don't have to care about what users may input or not : as it is escaped, always, there is no risk for you.

    与XSS相同:由于您总是在输出数据时转义数据(您应该！)，因此没有注入风险；-)

    Same about XSS : as you always escape your data when ouputting it (you should !), there is no risk of injection ;-)

    :如果您仅使用这样的正则表达式，它将不能很好地工作:

    EDIT : if you just use that regex like that, it will not work quite well :

    以下代码:

    $rexSafety = "/^[^<,\"@/{}()*$%?=>:|;#]*$/i";
    if (preg_match($rexSafety, 'martin')) {
        var_dump('bad name');
    } else {
        var_dump('ok');
    }
    

    至少会给您一个警告:

    Warning: preg_match() [function.preg-match]: Unknown modifier '{'
    

    您必须至少逃脱其中一些特殊字符；我将让您深入研究 PCRE模式了解更多信息(有关于PCRE/regex确实有很多知识；我将无法一一解释.)

    You must escape at least some of those special chars ; I'll let you dig into PCRE Patterns for more informations (there is really a lot to know about PCRE / regex ; and I won't be able to explain it all)

    如果您实际上想检查这些字符中是否没有包含在给定的数据中，则可能会得到这样的结果:

    If you actually want to check that none of those characters is inside a given piece of data, you might end up with something like that :

    $rexSafety = "/[\^<,\"@\/\{\}\(\)\*\$%\?=>:\|;#]+/i";
    if (preg_match($rexSafety, 'martin')) {
        var_dump('bad name');
    } else {
        var_dump('ok');
    }
    

    (这是一个快速而肮脏的主张，必须加以完善！)

    这个人说好" (嗯，我绝对希望我自己的名字可以！)
    还有带有特殊字符的相同示例，如下所示:

    This one says "OK" (well, I definitly hope my own name is ok!)
    And the same example with some specials chars, like this :

    $rexSafety = "/[\^<,\"@\/\{\}\(\)\*\$%\?=>:\|;#]+/i";
    if (preg_match($rexSafety, 'ma{rtin')) {
        var_dump('bad name');
    } else {
        var_dump('ok');
    }
    

    会说坏名字"

    但是请注意，我还没有对此进行了全面测试，它可能需要做更多的工作！除非您进行了非常仔细的测试，否则请勿在您的网站上使用它！

    But please note I have not fully tested this, and it probably needs more work ! Do not use this on your site unless you tested it very carefully !

    
    另请注意，在尝试执行SQL注入时，单引号可能会有所帮助...但是在某些名称中它可能是合法的字符...因此，仅排除某些字符可能还不够;-)

    
    Also note that a single quote can be helpful when trying to do an SQL Injection... But it is probably a character that is legal in some names... So, just excluding some characters might no be enough ;-)

    这篇关于人名的PHP正则表达式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！