I am creating a site to which the user, unfortunately, must provide a regular expression for use in the MySQL WHERE clause. And of course, I have to check user input to prevent SQL injection. The site was created in PHP, and I use the following regular expression to test my regular expression:
/^([^\\\\\']|\\\.)*$/
This is double-escaped because of the way PHP handles regular expressions. It should only match safe regular expressions, i.e. ones without stray single quotes. But, being mostly self-taught, I would like to know whether it is safe to do this.
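To see what the posted check actually accepts, and what the usual alternative looks like, here is an added example that is not part of the original question. It transcribes the PHP literal into the pattern the regex engine sees after PHP's own string unescaping (`^([^\\']|\\.)*$`: any run of "neither backslash nor quote" or "backslash followed by any character"), runs it over a few constructed inputs, and then shows the approach that makes the whitelist unnecessary: binding the user's regex as a parameter of a prepared statement so it is never spliced into the SQL text. SQLite is used as an offline stand-in for MySQL (an assumption for the demo only); the table, rows and function names are constructed here.

```python
import re
import sqlite3

# The poster's validator. The PHP single-quoted literal '/^([^\\\\\']|\\\.)*$/'
# reaches PCRE as  ^([^\\']|\\.)*$  : every character must be either
#   - not a backslash and not a single quote, or
#   - a backslash followed by any one character (so \' is accepted).
VALIDATOR = re.compile(r"^([^\\']|\\.)*$")


def passes_validator(user_regex: str) -> bool:
    """True when the whitelist from the question accepts user_regex."""
    return VALIDATOR.match(user_regex) is not None


def search_with_bound_regex(user_regex: str) -> list:
    """Run  WHERE name REGEXP ?  with the user's pattern as a bound parameter.

    Because the pattern travels as a parameter, quotes, backslashes and
    SQL keywords inside it are data, not SQL: no escaping regex is needed.
    SQLite stands in for MySQL here (assumption); MySQL's REGEXP operator
    accepts a bound '?' parameter the same way from mysqli/PDO.
    """
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates  X REGEXP Y  by calling the user function regexp(Y, X).
    conn.create_function(
        "REGEXP", 2,
        lambda pattern, value: value is not None and re.search(pattern, value) is not None,
    )
    conn.execute("CREATE TABLE items (name TEXT)")  # constructed sample data
    conn.executemany(
        "INSERT INTO items VALUES (?)",
        [("alice",), ("bob's bike",), ("carol",)],
    )
    rows = conn.execute(
        "SELECT name FROM items WHERE name REGEXP ? ORDER BY name",
        (user_regex,),
    ).fetchall()
    conn.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    for candidate in ["^[a-z]+$", "foo'bar", "foo\\'bar", "trailing\\"]:
        print(repr(candidate), "accepted" if passes_validator(candidate) else "rejected")
    # A quote in the pattern is just a character to match once it is bound.
    print(search_with_bound_regex("'"))
    print(search_with_bound_regex("' OR 1=1 --"))
```

Two things the run makes visible. First, the whitelist accepts `foo\'bar`: that is fine while MySQL treats backslash as an escape inside string literals, but under the `NO_BACKSLASH_ESCAPES` SQL mode a backslash is an ordinary character and that `'` would close the literal, so the check's safety depends on server configuration rather than on the check itself. Second, with the pattern bound as a parameter (in PHP, `$stmt = $mysqli->prepare('SELECT ... WHERE name REGEXP ?'); $stmt->bind_param('s', $userRegex);`) the text `' OR 1=1 --` is simply a regex that matches no row. Binding removes the injection question; it does not limit how expensive the server finds the user's regex to evaluate, which is a separate consideration.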