DaniWeb Forum Index > Web Development > PHP

Remove Non Printing Characters From Text

Please support our PHP advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases

•

Join Date: Aug 2004

Posts: 24

Reputation: ray_broome is an unknown quantity at this point

Solved Threads: 0

ray_broome ray_broome is offline

Offline

Newbie Poster

Remove Non Printing Characters From Text

May 15th, 2008

Hi,

I've got a form with a few text fields, and only today I noticed that when i tried copying some text from an email and pasting it into one of the fields, after submitting to the database (and printing the query), i noticed that the name sent had something extra.

Say "sweet" was the value in the field, then i saw "sweet\r\n" being sent to the db table. What i'm wondering is how can i remove any extra non printing characters such as these? I was thinking of using this regexp - "\r{0,1}\n" which so far seems to take out "\r\n" at least but just in case any 'weird stuff' gets copied/pasted into a field i would like to make sure it's removed and just the text itself is sent.

Thanks in advance for any advice/help

•

Join Date: Mar 2007

Posts: 29

Reputation: blufab is an unknown quantity at this point

Solved Threads: 1

blufab

Offline

Light Poster

Re: Remove Non Printing Characters From Text

May 16th, 2008

To remove all ascii non-printable characters you would want to remove decimal values 0-31 & 127. This should remove most funky characters.

•

Join Date: May 2008

Posts: 31

Reputation: rgviza is an unknown quantity at this point

Solved Threads: 5

rgviza

Offline

Light Poster

Re: Remove Non Printing Characters From Text

May 16th, 2008

 Help with Code Tags 
 PHP Syntax (Toggle Plain Text) 
$formvar = preg_replace("/[^\w\d]/g","",$formvar);
$formvar = preg_replace("/[^\w\d]/g","",$formvar);

inside the brackets add any special characters you want to allow. example:
[^\w\d\-\@\.\&\n ] (note the unescaped space)

A whitelist is far more powerful than just removing characters you think are bad. It's future proof.

This regex tells preg it wants to replace everything except the characters listed after the carat. In a bracketed character list carat means "anything except the following".
\w = word characters
\d = numeric digits
the rest are just escaped individual characters.

For address data like "apt. #305". You can do a regex in front of the one I gave that converts "#" to "number" or don't do anything before to let the above just remove it.

 Help with Code Tags 
 PHP Syntax (Toggle Plain Text) 
$formvar = preg_replace("/\#/g","number",$formvar);
$formvar = preg_replace("/\#/g","number",$formvar);

Also remember that you can't do:

 Help with Code Tags 
 PHP Syntax (Toggle Plain Text) 
$_POST['formvar'] = preg_replace("/\#/g","number",$_POST['formvar']);
$_POST['formvar'] = preg_replace("/\#/g","number",$_POST['formvar']);

because this array is immutable. but

 Help with Code Tags 
 PHP Syntax (Toggle Plain Text) 
$formvar = preg_replace("/\#/g","number",$_POST['formvar']);
$formvar = preg_replace("/\#/g","number",$_POST['formvar']);

would work.

By not allowing ; or # you also break encoded characters on query string or POST which is a good measure to help break XSS. By not allowing ' or " and ; you help break sql injections, though you should also use the functions for filtering query data. The &'s used for argument separation aren't affected since these are not included in the data when you read them for php.

Default deny for the win. You may need to do a few tweaks if you discover stuff getting scrubbed that shouldn't be, but it's way more secure than doing it the other way.

-r