Depending on your application, I would really only let the user input wildcards like "*" and "?" (DOS-style), not regular expressions. Alternatively, if the data to be matched comes from a database, SQL-style wildcards could be an alternative. Everything else will be escaped.
This is easy to implement and will not create trouble with security or memory. It will also go a long way, probably for most applications.
If you look at PM's Super Search, it works without any regular expressions but is still quite powerful.
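A sketch of the approach suggested in the post above, added here as an example and not part of the original post: only "*" and "?" are treated as wildcards and every other character is escaped, for both a regex target and a SQL LIKE target. The function names, the length limit and the choice of Python are assumptions made for illustration.

```python
import re

MAX_PATTERN_LEN = 256  # assumed limit, not from the post


def wildcard_to_regex(user_pattern: str) -> re.Pattern:
    """Compile a DOS-style wildcard pattern into a regex.

    Only '*' and '?' are special; every other character is escaped,
    so regex metacharacters typed by the user match literally.
    """
    if len(user_pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern too long")
    # Collapse runs of '*' so "a****b" does not produce stacked ".*" terms.
    collapsed = re.sub(r"\*+", "*", user_pattern)
    parts = []
    for ch in collapsed:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Callers should use .fullmatch() so the whole value must match.
    return re.compile("".join(parts), re.DOTALL)


def wildcard_to_like(user_pattern: str, escape: str = "\\") -> str:
    """Translate the same wildcards to a SQL LIKE pattern.

    LIKE's own wildcards ('%' and '_') and the escape character are
    escaped first. Pass the result as a bound parameter together with
    an ESCAPE clause naming the same escape character.
    """
    out = []
    for ch in user_pattern:
        if ch in ("%", "_", escape):
            out.append(escape + ch)
        elif ch == "*":
            out.append("%")
        elif ch == "?":
            out.append("_")
        else:
            out.append(ch)
    return "".join(out)
```

The LIKE string still has to go through a bound parameter; the translation handles wildcard semantics only, not SQL quoting.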