
I am completely new to PHP. To prevent any attack and to store proper values in a variable, I am trying to sanitize, trim spaces, and remove any illegal characters. I have a variable

$value = "this, <script></script>, 's 18in,";

The above variable consists of many unwanted characters like `,`, blank spaces, and `<>` tags.

What I want to do is remove all the invalid characters from the string and make it a pure string with only alphabets or numbers, like

$value = "thiss18in"; <= after sanitization

Can anyone help me with this logic?

Akshay Shrivastav
  • Can you post code of what you have already tried? – RobFos Apr 18 '17 at 12:42
  • Better to use a PHP regular expression. Also, PHP strip_tags will remove all tags but leave special characters, which you can save in the DB and show by using real escape string and htmlspecialchars respectively (based on your needs). Look here: http://stackoverflow.com/questions/745282/how-do-i-write-a-regex-in-php-to-remove-special-characters – Mubashar Iqbal Apr 18 '17 at 12:45
  • I just used this trim function only: `$value = trim("this, <script></script>, 's 18in,");`. As I am completely new to PHP, I am having problems achieving it. –  Apr 18 '17 at 12:46
  • I think this is the most complete answer you can find. [What are the best PHP input sanitizing functions?](http://stackoverflow.com/questions/3126072/what-are-the-best-php-input-sanitizing-functions) – dinhokz Apr 18 '17 at 13:06

3 Answers


See, you can use this logic:

$value = "this, <script></script>, 's 18in,";
$newString = trim(preg_replace('/[^a-z0-9]/i', '', $value));

The preg_replace will replace all the invalid characters and only give you a pure formatted string of characters and numbers. If there are any spaces in the string, the trim function will take care of it.

I have taken a reference from this question and edited it according to what you wanted. Link => How do I write a regex in PHP to remove special characters?

Akshay Shrivastav
  • Thanks @Akshay Shrivastav, the reference you provided worked perfectly for me, and thanks for the modified code. That was what I wanted. –  Apr 18 '17 at 12:57
  • +1 from me for giving the proper credit. On a side note: The `trim()` function is not needed here. The regex will replace spaces with nothing just as well :) – icecub Apr 18 '17 at 13:00
  • @icecub Umm, I just gave it as an additional precaution, and thanks for the vote :) – Akshay Shrivastav Apr 18 '17 at 13:02
  • Yes. But your code doesn't actually work. Your regex doesn't replace alphanumeric characters. So `<script></script>` will turn into `scriptscript` instead of completely removing the tags – icecub Apr 18 '17 at 13:03
  • Please read the question; the asker didn't mention that one. I have provided the code according to it. – Akshay Shrivastav Apr 18 '17 at 13:05
  • `<> tags` – icecub Apr 18 '17 at 13:05
  • Not picking on you or anything, m8. Just giving you the opportunity to improve your answer. A simple adaptation with `strip_tags()` will solve the problem :) – icecub Apr 18 '17 at 13:08
  • Also please, read the question again. `$value = "thiss18in"; <= after sanitization` I don't see the words script in there. Do you? – icecub Apr 18 '17 at 13:13
  • Yes, you have a valid point, but what can I do, bro? The asker himself marked it. – Akshay Shrivastav Apr 18 '17 at 13:23
$value = "this, <script></script>, 's 18in,";
$value = strip_tags($value);
$newString = preg_replace('/[^a-z0-9]/i', '', $value);
echo $newString;


Reference : How do I write a regex in PHP to remove special characters?

Bhaskar Jain
  • This should've been the accepted answer in my opinion, since it actually works. (Unlike the accepted answer) +1 – icecub Apr 18 '17 at 13:02
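As an added example (not code from the question or from any of the answers), the following PHP script puts the accepted answer's regex-only line next to the strip_tags() + regex line from the answer above, run over the question's own value and two constructed inputs; the function names are my own.

```php
<?php
// Added example, not code from the question or any answer. It compares the
// regex-only approach of the accepted answer with the strip_tags() + regex
// approach of the second answer, on constructed sample inputs.
declare(strict_types=1);

// Regex-only: removes every character outside [a-z0-9], but the letters of
// the tag names stay, so the <script> tags in the question survive as text.
function sanitizeRegexOnly(string $value): string
{
    return preg_replace('/[^a-z0-9]/i', '', $value) ?? '';
}

// strip_tags() first removes whole tags (including their attributes), then
// the allow-list regex removes every remaining non-alphanumeric character.
function sanitizeAlnum(string $value): string
{
    return preg_replace('/[^a-z0-9]/i', '', strip_tags($value)) ?? '';
}

// Constructed inputs: the question's own value plus two with markup.
$samples = [
    "this, <script></script>, 's 18in,",
    "<a href='docs'>link</a> text",
    "Hello <b>World</b>! 42",
];

foreach ($samples as $in) {
    printf("input:            %s\n", $in);
    printf("regex only:       %s\n", sanitizeRegexOnly($in));
    printf("strip_tags+regex: %s\n\n", sanitizeAlnum($in));
}

// Caveat: reducing a value to [a-z0-9] is only right for a field that is
// meant to hold nothing else. Values that must keep other characters should
// be stored unchanged (bound as query parameters) and encoded for the
// context where they are shown, e.g. with htmlspecialchars() for HTML.
```

Running it shows the difference the comments above argue about: the regex-only column keeps the letters of the tag names, while strip_tags() first yields the "thiss18in" form the question asked for.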

Try to use the PHP filter extension in modern PHP versions.

Or try to combine the functions htmlentities, strip_tags and mysqli_real_escape_string.

I think this is the most complete answer you can find. What are the best PHP input sanitizing functions?

dinhokz
  • I think you should not reference to functions that have been deprecated for more than 3 years. I've replaced `mysql_*` with `mysqli_*` for you. – icecub Apr 18 '17 at 13:17