Handling user input
Prepared Patterns allow you to confidently use user-input or unsafe data that might contain regular expression special characters. It's also integrated with Automatic Delimiters, so they're quoted with regard to the delimiter that was chosen automatically for you.
There are two entry points for prepared patterns:
You can read about each of them in the next section, but for now, let's cover the basics.
Why handling user input is important
Let's say, you would like to search a subject for My dog's name is Barky, where the dog's name is user input.
$input = $_GET['name'];Pattern::of("(My|Our) dog's name is " . $input . '!');
Immediately though, you can see that $input can contain regexp special characters and mess with your pattern.
If, by accident, $input had a value of B(arky - you would receive an exception missing ) at offset 31
Pattern::of("(My|Our) dog's name is (Barky!");
They need to be escaped!
Read on, to learn about proper handling of user input.
Why not just preg_quote()
Good question.
The same reason why good programmers use Prepared SQL Statements, instead of mysql_real_escape_string().
They allow you to separate regular expression from unsafe data, which helps with making the pattern safer:
- delimiters become an implementation detail, about which programmer doesn't have to care
- some flags (e.g.
x) require spaces and whitespaces to also be quoted, whichpreg_quote()doesn't quote - inside comments (
\Qand\E), values shouldn't be quoted! This would cause double quotation, whichpreg_quote()does (kinda how>becomes>when double quoted). preg_quote()doesn't quote comments before PHP 7.1.3