0

I'm looking to have the (admin) user enter some pattern matching string, to give different users of my website access to different database rows, depending on if the text in a particular field of the row matches the pattern matching string against that user.

I decided on Regex because it is trivial to integrate into the MySQL statements directly.

I don't really know where to start with validating that a string is a valid regular expression, with a regular expression.

I did some searching for similar questions, couldn't see one. Google produced the comical answer, sadly not so helpful.

Do people do this in the wild, or avoid it?

Is it able to be done with a simple regex, or will the set of all valid regex need to be limited to a usable subset?

2
  • 1
    Which language do you use? Commented Dec 18, 2012 at 15:15
  • @littlestewie I'm working in php, but I want to keep it all within the MySQL query, so that I don't have to go filtering through rows in php to find the correct match. Commented Dec 19, 2012 at 6:57

3 Answers 3

2

Validating a regex is an incredibly complex task. A regex would not be able to do it.

A simple approach would be to catch any errors that occur when you try to run the SQL statement, then report an appropriate error back to the user.

I am assuming that the 'admin' is a trusted user here. It is quite dangerous to give a non-trusted user the ability to enter regexes, because it is easy to attack your system with a regex that is constructed to take a really long time to execute. And that is before you even start to worry about the Bobby Tables problems.


2 Comments

Yes, the admin is trusted... but I still feel really dirty not validating my inputs properly. I'm using prepared statements to prevent Bobby Tables, I guess I'm more worried about XSS, when I display the regex back from the database so the admin can edit it.
@Bingo, you could execute a simple dummy select statement using the regex and then check for an error to see if the regex is valid.
2

In JavaScript:

const input = "hello**";

try {
        new RegExp(input); // throws SyntaxError if the pattern does not compile
        // submit the regex
} catch (err) {
        // regex is not valid
}


-1

You cannot validate that a string contains a valid regular expression with a regular expression. But you might be able to compromise.

If you only need to know that only characters which are valid in regular expressions were used in the string, you can use the regex:

^[\d\w \-\}\{\)\(\+\*\?\|\.\$\^\[\]\\]*$

This might be enough depending on the application.

1 Comment

This isn't really true. A regex could contain basically any character. Whatever is not a meta-character would be treated as matching that literal character.
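
An added example, not part of any answer above: it runs the character whitelist from the third answer next to the compile-and-catch check from the second, and HTML-escapes a pattern before it is shown back in an edit form. The function names, the length limit and the sample patterns are assumptions made for illustration; JavaScript's regex dialect is not MySQL's, so the server-side query should still catch errors.

```javascript
// Added example: all sample patterns below are constructed for illustration.
const MAX_PATTERN_LENGTH = 200; // assumed limit, tune for your application

// The character whitelist from the third answer, verbatim.
const CHAR_WHITELIST = /^[\d\w \-\}\{\)\(\+\*\?\|\.\$\^\[\]\\]*$/;

function passesWhitelist(input) {
  return CHAR_WHITELIST.test(input);
}

// Compile-based check: let the regex engine decide whether the pattern parses.
function validatePattern(input) {
  if (typeof input !== "string" || input.length === 0) {
    return { ok: false, error: "pattern must be a non-empty string" };
  }
  if (input.length > MAX_PATTERN_LENGTH) {
    return { ok: false, error: "pattern too long" }; // bounds input size only
  }
  try {
    new RegExp(input);
    return { ok: true, error: null };
  } catch (err) {
    return { ok: false, error: err.message }; // message can be shown to the admin
  }
}

// Escape a stored pattern before writing it back into an HTML edit form.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

const samples = ["hello**", "a,b", "^[a-z]+@example\\.com$", "<b>(x|y)</b>"];
for (const s of samples) {
  console.log(JSON.stringify(s), "whitelist:", passesWhitelist(s),
              "compiles:", validatePattern(s).ok, "html:", escapeHtml(s));
}
```

The whitelist accepts `hello**`, which does not compile, and rejects `a,b`, which does, so only the compile step says anything about validity.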
