
PHP Server Side Scripting Forum

preg replace
all but certain characters

 1:37 am on Feb 16, 2009 (gmt 0)

I am attempting to remove all but alpha-numeric characters, spaces, and \r\n (for line breaks), via preg_replace.

The reason for this is a type of messaging system, in which the user enters their message, and when it is received from the database, it will put it back out. For security reasons, I only want alpha-numeric, spaces, and the new line characters.

How would I go about doing this?

Thanks in advance



 1:43 am on Feb 16, 2009 (gmt 0)

$pattern = "/[^a-z0-9 \r\n]/i";
$string = preg_replace($pattern, '', $string);


 1:48 am on Feb 16, 2009 (gmt 0)

That seems to have gotten rid of all, including the \'s before the r and n....thus not breaking the line when printing the page


 4:20 am on Feb 16, 2009 (gmt 0)

You might want to try using nl2br() after you have used preg_replace().


 1:23 pm on Feb 16, 2009 (gmt 0)

That does nothing, because the preg_replace is taking out all of the \ that I need for nl2br() to work...


 7:34 pm on Feb 16, 2009 (gmt 0)

So when you pull the data from the database, you end up with a string like this?
$string = "this is \n some text \n with breaks\n";

Can you post the minimalist amount of code with a sample of a string that is giving you a problem?


 10:15 pm on Feb 16, 2009 (gmt 0)

If you're pulling out a literal "\r\n" instead of a new line
like this:

Then you can use this:
$pattern = "/([^a-z0-9 \\]/im";

That will accept \'s also. (note I added m to the options [to search over multiple lines])


 1:07 am on Feb 17, 2009 (gmt 0)

rob7591-> nope...that doesn't return anything. It for some reason returns nothing...

jezra-> This is a quick example of what I'm doing:

test !@#$%^&*()_+=-<>,./?Chars...

new line
----------------END OF INPUT----------------

Before anything is inserted into the database, the following is applied to $message (the input message):

$message = preg_replace("/[^a-z0-9 \r\n]/i", "", $_POST['message']);

print "You did not input a message<br>";

$message=strip_tags($message); //(not necessary)

then the data is submitted into the query.
When looking into the database (manually) it returns "test ,.Chars...rnrnnew line"... which is the same as what is being printed when viewing the message.


 12:32 pm on Feb 17, 2009 (gmt 0)

If you want to retain the newlines, do not do this before you submit the data to the query:
$message = nl2br($message);

You can do that when you retrieve the data from the query if you want to retain the "newlines" in your HTML output.


 1:41 pm on Feb 17, 2009 (gmt 0)

That is what I do... it's the last thing that happens before it's submitted into the query. The problem is that the preg_replace is taking out the \ ...so when it runs through nl2br, there is nothing to change...because all of the \'s were taken out before that...


 4:44 am on Mar 3, 2009 (gmt 0)

*small bump after a long time*


 4:04 pm on Mar 3, 2009 (gmt 0)

Maybe it is something in your POST data. It works fine for me:
$message = <<<ENDSTRING

test !@#$%^&*()_+=-<>,./?Chars...

new line
ENDSTRING;

// Show the raw input, escaped for HTML
print '<pre>';
print htmlentities($message);
print '</pre>';
// Keep only letters, digits, spaces, CR and LF
$message = preg_replace("/[^a-z0-9 \r\n]/i", "", $message);
if (strlen($message) < 1) {
$error = '1';
print "You did not input a message<br>";
}
print $message;


 9:03 pm on Mar 3, 2009 (gmt 0)

The preg replace is still removing the \'s from the r and n...

With your preg replace, it also removes the periods and commas.... so when I put in:

"test !@#$%^&*()_+=-<>,./?Chars...

new line"
it puts out:
"test Charsrnrnnew line"

That's directly after the preg replace...

My code is....

$sendto = preg_replace("/[^a-z0-9 \r\n]/i", "", $_POST['sendto']);
$title = preg_replace("/[^a-z0-9 \r\n]/i", "", $_POST['title']);
$message = preg_replace("/[^a-z0-9 \r\n]/i", "", $_POST['message']);

print "TO: ";
print $sendto;
print "<br>";
print "TITLE: ";
print $title;
print "<br>";
print "Message: ";
print "<br>";
print $message;

It will output the other things properly since they are only one line, and the usernames are only alpha-numeric, and thus don't need commas or periods.


 11:54 pm on Mar 3, 2009 (gmt 0)

Okay...quick update on this...

When I take the immediate result of $_POST['message'], run it through nl2br, and print it out, it returns this:

test !@#$%^&*()_+=-<>,./?Chars...\r\n\r\nnew line

So for some reason, not even nl2br is recognizing the \ stuff....I also did some tests with str_replace, to try to replace the \r\n's with a random string that would later be converted to <br>, but not even str_replace would recognize the \'s...has ANYONE heard of something like this?


 6:54 pm on Mar 4, 2009 (gmt 0)

If you are literally typing in "\r\n", meaning the "backslash" followed by the letter "r" followed by another "backslash" followed by the letter "n" into your message form field, then it is not really a carriage return, line feed (CRLF). It is a literal string and no, it will not be recognized as anything other than that. CRLF is "invisible" to the eye and since you are seeing the literal characters escaped when you echo your POST value, you are looking at a literal string.

 2:42 pm on Mar 5, 2009 (gmt 0)

But then why, when I run the POST value through nl2br, does it not change it at all? Is there any way to retrieve the new lines posted in the form's text area?

I'm gonna make a blank page that does just what I'm tryin to do, and I'll post it here as soon as I get it going (it will have a to, title, and message box, and then when you submit it, it will show you what you sent in direct/unedited form, with the nl2br (for the message only), and then after the preg_replace). I will have a link to the direct source so you can see the source as it goes.

I've got to go do somethin first, so it will be an hour or 2 before I can get it up.


 3:06 pm on Mar 5, 2009 (gmt 0)

I will have a link to the direct source so you can see the source as it goes.

No personal links please.


 3:42 pm on Mar 5, 2009 (gmt 0)

Can it be on a server that is made strictly for testing this (like one of the free hosts)?

Because everything that "should" be working, isn't...if users have the ability to see the code and the output, it would be easier to solve.

If the answer is still no, I guess I'll have to continue doing this the hard way! lol


 10:29 pm on Mar 5, 2009 (gmt 0)

I fixed this by doin a bypass...I replaced all the <br/> with a random string before putting it through the preg_replace

$message=preg_replace('/\<br(\s*)?\/?\>/i', ".n.185169876216.n.", $message);
$message = preg_replace("/[^a-z0-9 . ,]/im", "", $message);
$message=str_replace('.n.185169876216.n.', "<br>", $message);

That seems to be working now...don't know why..but it does! lol

Thanks to all
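
The distinction discussed in this thread, as an added example that is not code from any poster: the whitelist filter applied once to a message containing real CR LF bytes and once to one containing the four literal characters backslash, r, backslash, n, with newlines kept in storage and turned into <br> only at output, after HTML escaping. The function names filter_message and render_message and both sample inputs are constructed for illustration; PHP 7 or later is assumed.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.

// Keep only letters, digits, spaces, periods, commas and real line breaks.
function filter_message(string $raw): string
{
    // Normalise CRLF and lone CR to LF so one newline form is stored.
    $text = str_replace(["\r\n", "\r"], "\n", $raw);
    // Single-quoted pattern: PCRE itself interprets \n as a line feed.
    $clean = preg_replace('/[^a-z0-9 .,\n]/i', '', $text);
    if ($clean === null) {
        // preg_replace() returns null on a pattern or engine error.
        throw new RuntimeException('preg_replace failed: ' . preg_last_error());
    }
    return $clean;
}

// Escape at output time, then turn stored newlines into <br> tags.
function render_message(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), false);
}

// Constructed inputs: the same visible text, once with real CRLF bytes
// (double quotes) and once with literal backslash sequences (single quotes).
$real    = "test !@#<b>Chars...\r\n\r\nnew line";
$literal = 'test !@#<b>Chars...\r\n\r\nnew line';

foreach (['real CRLF' => $real, 'literal \r\n' => $literal] as $label => $input) {
    $stored = filter_message($input);
    // json_encode() makes control characters visible in the printout.
    printf("%-13s stored: %s\n", $label, json_encode($stored));
    printf("%-13s html:   %s\n", $label, json_encode(render_message($stored)));
}
```

With real line breaks the newlines survive the filter and become <br> on output; with literal backslash sequences the backslashes are stripped and the letters r and n stay in the text, which is the "rnrn" result reported above.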

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.