May 15th, 2008

Remove Non Printing Characters From Text

Hi,

I've got a form with a few text fields, and only today I noticed that when I tried copying some text from an email and pasting it into one of the fields, after submitting to the database (and printing the query), the name sent had something extra.

Say "sweet" was the value in the field, then I saw "sweet\r\n" being sent to the db table. What I'm wondering is how can I remove any extra non-printing characters such as these? I was thinking of using this regexp - "\r{0,1}\n" which so far seems to take out "\r\n" at least, but just in case any 'weird stuff' gets copied/pasted into a field I would like to make sure it's removed and just the text itself is sent.

Thanks in advance for any advice/help
ray_broome
May 16th, 2008

Re: Remove Non Printing Characters From Text

To remove all ASCII non-printable characters you would want to remove decimal values 0-31 & 127. This should remove most funky characters.
blufab
May 16th, 2008

Re: Remove Non Printing Characters From Text

    // preg_replace() replaces every match by default; PCRE in PHP has no "g" modifier
    $formvar = preg_replace("/[^\w\d]/", "", $formvar);

Inside the brackets, add any special characters you want to allow. Example:
[^\w\d\-\@\.\&\n ] (note the unescaped space)

A whitelist is far more powerful than just removing characters you think are bad. It's future proof.

This regex tells preg it wants to replace everything except the characters listed after the caret. In a bracketed character list caret means "anything except the following".
\w = word characters
\d = numeric digits
the rest are just escaped individual characters.

For address data like "apt. #305", you can do a regex in front of the one I gave that converts "#" to "number", or don't do anything before to let the above just remove it.

    $formvar = preg_replace("/\#/", "number", $formvar);

Also remember that you can't do:

    $_POST['formvar'] = preg_replace("/\#/", "number", $_POST['formvar']);

because this array is immutable, but

    $formvar = preg_replace("/\#/", "number", $_POST['formvar']);

would work.

By not allowing ; or # you also break encoded characters on query string or POST, which is a good measure to help break XSS. By not allowing ' or " and ; you help break SQL injections, though you should also use the functions for filtering query data. The &'s used for argument separation aren't affected since these are not included in the data when you read them for PHP.

Default deny for the win. You may need to do a few tweaks if you discover stuff getting scrubbed that shouldn't be, but it's way more secure than doing it the other way.

-r
rgviza
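
Added example, not part of any post in this thread: the deny-list from the second post (remove decimal 0-31 and 127) and the allow-list from the third, run side by side on constructed field values, followed by a bound query parameter in place of string concatenation. The function names, sample values, table name and the use of PDO with the pdo_sqlite extension are assumptions; the allow-list here leaves out `\n`, so pasted line breaks are removed.

```php
<?php
// Added example, not code from the thread. Names and inputs are constructed.

// Deny-list: drop ASCII control characters, decimal 0-31 and 127.
function strip_control_chars(string $s): string
{
    // preg_replace() replaces every match; PCRE in PHP has no "g" modifier.
    return preg_replace('/[\x00-\x1F\x7F]/', '', $s);
}

// Allow-list (default deny): keep \w (letters, digits, "_") plus $extra.
function allow_list(string $s, string $extra = ''): string
{
    // preg_quote() escapes pattern metacharacters in $extra (such as "-"
    // and ".") and the "/" delimiter, so each is matched literally.
    $class = '\w' . preg_quote($extra, '/');
    return preg_replace('/[^' . $class . ']/', '', $s);
}

// Constructed sample field values.
$samples = [
    "sweet\r\n",          // pasted text with trailing CR LF, as in the question
    "apt. #305",          // address data containing "#"
    "user@example.com",
    "O'Brien",            // legitimate apostrophe
    "it's; \"quoted\"",   // quotes and a semicolon
    "tab\there\x00",      // embedded TAB and NUL
];

foreach ($samples as $raw) {
    printf(
        "%-22s deny-list: %-20s allow-list: %s\n",
        json_encode($raw),
        json_encode(strip_control_chars($raw)),
        json_encode(allow_list($raw, '-@.& '))
    );
}

// Filtering is not query escaping: bind the value instead of concatenating it.
// Assumes the pdo_sqlite extension; table and column names are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
$stmt->execute([':name' => strip_control_chars("O'Brien\r\n")]);
var_dump($pdo->query('SELECT name FROM people')->fetchColumn());
```

Compare the two columns for "O'Brien": the deny-list keeps the apostrophe and the allow-list removes it, which is the kind of scrubbing the last post says may need tweaking.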

© 2011 DaniWeb® LLC