preg_match() and username

function isUserID($username) {
  if (preg_match('/^[a-z\d_]{2,20}$/i', $username)) {
    return true;
  } else {
    return false;
  }
}   

Easy one.., i have 开发者_运维百科this, can you explain what it checks for? I know it checks if the username have length between 2-20, what more? Thanks

It searches for text containing only alphanumeric and underscore characters, from 2 to 20 characters long.

/^[a-z\d_]{2,20}$/i
||||  | |||     |||
||||  | |||     ||i : case insensitive
||||  | |||     |/ : end of regex
||||  | |||     $ : end of text
||||  | ||{2,20} : repeated 2 to 20 times
||||  | |] : end character group
||||  | _ : underscore
||||  \d : any digit
|||a-z: 'a' through 'z'
||[ : start character group
|^ : beginning of text
/ : regex start

/^[a-z\d_]{2,20}$/i

Splicing it up:

/ is the regex delimiter; you can choose anything you like, but a forward slash is the most common one.

^ means 'match beginning of input': The following expression must be at the beginning for the regex to match.

[a-z\d_] is a character class; it means 'any of the characters between the square brackets'; the backslash combined with the d is a shortcut for 'digits', and the dash indicates an inclusive range; thus, the character class says 'any letter or digit, or the underscore'.

{2;20} is a quantifier that says that the preceding expression (the character class) must be repeated 2 to 20 times.

$ means 'match end of input', similar to ^.

Another / terminates the regex itself; what follows are procession options, in this case i, which means 'case-insensitive'.

It checks to see that the username consists of 2 to 20 characters that are letters (uppercase or lowercase thanks to the i flag), numbers or an underscore.

This can be abbreviated in two ways: firstly, the if construct is unnecessary. Secondly, you can use \w as a substitute for those same characters, so:

function isUserID($username) {
  return preg_match('/^\w{2,20}$/', $username);
}

It literally checks if $username consists of a sequence of 2 to 20 characters of a-z, A-Z (because of the i flag for case insensitivity), 0-9 (for \d), and _.

It's also checking if it contains any characters other than the alphabet, a-z and A-Z, digits 0-9, and _.

Or you could say, checking that it only contains alphanumeric characters and _.

This could be rewritten to be simpler, too - preg_match returns an int, so there's no reason to use the 'return false, return true' pattern.

function isUserID($username){ return (bool)preg_match('/^[a-z\d_]{2,20}$/i', $username); }

Would do the same thing.

Also, \w means the same thing as those characters. Letters, digits and underscore. So even better would be

function isUserID($username){ return (bool)preg_match('/^[\w]{2,20}$/i', $username); }

It is checking for a 2-20 characters long case-insensitive alphanumeric word that consists of letters, numbers and _

Please use replace your username validation code.

  if (preg_match('^[0-9A-Za-z_]+$^', $_POST['username']) == 0) {
        die ('Invalid username!');
    }