preg replace

all but certain characters

     
1:37 am on Feb 16, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


I am attempting to remove all but alpha-numeric characters, spaces, and \r\n (for line breaks), via preg_replace.

The reason for this is a type of messaging system, in which the user enters their message, and when it is received from the database, it will put it back out. For security reasons, I only want alpha-numeric, spaces, and the new line characters.

How would I go about doing this?

Thanks in advance

1:43 am on Feb 16, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 5, 2008
posts:112
votes: 0


try:
$pattern = "/[^a-z0-9 \r\n]/i";
$string = preg_replace($pattern, '', $string);
1:48 am on Feb 16, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


That seems to have gotten rid of all, including the \'s before the r and n....thus not breaking the line when printing the page
4:20 am on Feb 16, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Feb 4, 2004
posts:215
votes: 0


You might want to try using nl2br() after you have used preg_replace().
1:23 pm on Feb 16, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


That does nothing, because the preg_replace is taking out all of the \ that I need for nl2br() to work...
7:34 pm on Feb 16, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Feb 4, 2004
posts: 215
votes: 0


So when you pull the data from the database, you end up with a string like this?
$string = "this is \n some text \n with breaks\n";

Can you post the minimalist amount of code with a sample of a string that is giving you a problem?

10:15 pm on Feb 16, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 5, 2008
posts:112
votes: 0


If you're pulling out a literal "\r\n" instead of a new line
like this:
"
",

Then you can use this:
$pattern = "/([^a-z0-9 \\]/im";

That will accept \'s also. (note I added m to the options [to search over multiple lines])

1:07 am on Feb 17, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


rob7591-> nope...that doesn't return anything. It for some reason returns nothing...

jezra-> This is a quick example of what I'm doing:
---------------------------------------------------
INPUT:

test !@#$%^&*()_+=-<>,./?Chars...

new line
----------------END OF INPUT----------------

Before anything is inserted into the database, the following is applied to $message (the input message):

$message = preg_replace("/[^a-z0-9 \r\n]/i", "", $_POST['message']);

if(strlen($message)<1)
{
$error='1';
print "You did not input a message<br>";
}

$message=strip_tags($message); //(not necessary)
$message=nl2br($message);

then the data is submitted into the query.
When looking into the database (manually) it returns "test ,.Chars...rnrnnew line"... which is the same as what is being printed when viewing the message.

12:32 pm on Feb 17, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


If you want to retain the newlines, do not do this before you submit the data to the query:
$message = nl2br($message);

You can do that when you retrieve the data from the query if you want to retain the "newlines" in your HTML output.
1:41 pm on Feb 17, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


That is what I do... it's the last thing that happens before it's submitted into the query. The problem is that the preg_replace is taking out the \ ...so when it runs through nl2br, there is nothing to change...because all of the \'s were taken out before that...
4:44 am on Mar 3, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


*small bump after a long time*
4:04 pm on Mar 3, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


Maybe it is something in your POST data. It works fine for me:
$message = <<<ENDSTRING
INPUT:

test !@#$%^&*()_+=-<>,./?Chars...

new line
ENDSTRING;


print '<pre>';
print htmlentities($message);
print '</pre>';
$message = preg_replace("/[^a-z0-9 \r\n]/i", "", $message);
if (strlen($message) < 1) {
$error = '1';
print "You did not input a message<br>";
}
$message=nl2br($message);
print $message;
exit;
9:03 pm on Mar 3, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


The preg replace is still removing the \'s from the r and n...

With your preg replace, it also removes the periods and commas.... so when I put in:

"test !@#$%^&*()_+=-<>,./?Chars...

new line"
it puts out:
"test Charsrnrnnew line"

That's directly after the preg replace...

My code is....

$sendto = preg_replace("/[^a-z0-9 \r\n]/i", "", $_POST['sendto']);
$title = preg_replace("/[^a-z0-9 \r\n]/i", "", $_POST['title']);
$message = preg_replace("/[^a-z0-9 \r\n]/i", "", $_POST['message']);

print "TO: ";
print $sendto;
print "<br>";
print "TITLE: ";
print $title;
print "<br>";
print "Message: ";
print "<br>";
print $message;

It will output the other things properly since they are only one line, and the usernames are only alpha numeric, and thus don't need commas or periods.

11:54 pm on Mar 3, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


Okay...quick update on this...

When I take the immediate result of $_POST['message'], run it through nl2br, and print it out, it returns this:

test !@#$%^&*()_+=-<>,./?Chars...\r\n\r\nnew line

So for some reason, not even nl2br is recognizing the \ stuff....I also did some tests with str_replace, to try to replace the \r\n's with a random string that would later be converted to <br>, but not even str_replace would recognize the \'s...has ANYONE heard of something like this?

6:54 pm on Mar 4, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


If you are literally typing in "\r\n", meaning the "backslash" followed by the letter "r" followed by another "backslash" followed by the letter "n" into your message form field, then it is not really a carriage return, line feed (CRLF). It is a literal string and no, it will not be recognized as anything other than that. CRLF is "invisible" to the eye and since you are seeing the literal characters escaped when you echo your POST value, you are looking at a literal string.
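
An added example, not part of the original thread, showing the distinction described above: the thread's allow-list pattern keeps real CR/LF bytes but strips the backslash from a literal "\r\n", leaving the "rnrn" reported earlier. It also stores the filtered text as-is and applies nl2br() only when rendering, as suggested earlier in the thread. The function names and sample strings are constructed for illustration.

```php
<?php
// Allow-list filter from the thread: keep letters, digits, spaces, CR and LF.
function filter_message(string $raw): string
{
    // In a double-quoted PHP string, \r and \n become the real CR/LF bytes
    // before PCRE sees the pattern, so the class matches actual line breaks,
    // not a backslash followed by a letter.
    return preg_replace("/[^a-z0-9 \r\n]/i", '', $raw);
}

// Render at output time only: escape for HTML first, then convert line breaks.
// The stored value stays free of markup.
function render_message(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample inputs (assumptions, not captured from a real request).
$samples = [
    // Double quotes: two real CRLF pairs, as a textarea submits them.
    'real CRLF'    => "test !@#,./?Chars...\r\n\r\nnew line",
    // Single quotes: the four characters backslash, r, backslash, n, twice.
    'literal \r\n' => 'test !@#,./?Chars...\r\n\r\nnew line',
];

foreach ($samples as $label => $input) {
    $has_crlf = strpos($input, "\r\n") !== false;
    $filtered = filter_message($input);

    // json_encode makes control characters visible in the printed result.
    printf("%-13s contains CRLF bytes: %s\n", $label, $has_crlf ? 'yes' : 'no');
    echo "  filtered: ", json_encode($filtered, JSON_UNESCAPED_SLASHES), "\n";
    echo "  rendered: ", json_encode(render_message($filtered), JSON_UNESCAPED_SLASHES), "\n";
}
```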
2:42 pm on Mar 5, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


But then why, when I run the POST value through nl2br, does it not change it at all? Is there any way to retrieve the new lines posted in the form's text area?

I'm gonna make a blank page that does just what I'm tryin to do, and I'll post it here as soon as I get it going (it will have a to, title, and message box, and then when you submit it, it will show you what you sent in direct/unedited form, with the nl2br (for the message only), and then after the preg_replace). I will have a link to the direct source so you can see the source as it goes.

I've got to go do somethin first, so it will be an hour or 2 before I can get it up

3:06 pm on Mar 5, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


"I will have a link to the direct source so you can see the source as it goes."

No personal links please.

3:42 pm on Mar 5, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


Can it be on a server that is made strictly for testing this (like one of the free hosts)?

Because everything that "should" be working, isn't...if users have the ability to see the code and the output, it would be easier to solve.

If the answer is still no, I guess I'll have to continue doing this the hard way! lol

10:29 pm on Mar 5, 2009 (gmt 0)

New User

10+ Year Member

joined:Aug 29, 2008
posts:21
votes: 0


I fixed this by doin a bypass...I replaced all the <br/> with a random string before putting it through the preg_replace

$message=preg_replace('/\<br(\s*)?\/?\>/i', ".n.185169876216.n.", $message);
$message = preg_replace("/[^a-z0-9 . ,]/im", "", $message);
$message=str_replace('.n.185169876216.n.', "<br>", $message);

That seems to be working now...don't know why..but it does! lol

Thanks to all

 
