Hi,

I've got a form with a few text fields, and only today I noticed that when i tried copying some text from an email and pasting it into one of the fields, after submitting to the database (and printing the query), i noticed that the name sent had something extra.

Say "sweet" was the value in the field, then i saw "sweet\r\n" being sent to the db table. What i'm wondering is how can i remove any extra non printing characters such as these? I was thinking of using this regexp - "\r{0,1}\n" which so far seems to take out "\r\n" at least but just in case any 'weird stuff' gets copied/pasted into a field i would like to make sure it's removed and just the text itself is sent.

Thanks in advance for any advice/help

To remove all ascii non-printable characters you would want to remove decimal values 0-31 & 127. This should remove most funky characters.

$formvar = preg_replace("/[^\w\d]/g","",$formvar);

inside the brackets add any special characters you want to allow. example:
[^\w\d\-\@\.\&\n ] (note the unescaped space)

A whitelist is far more powerful than just removing characters you think are bad. It's future proof.

This regex tells preg it wants to replace everything except the characters listed after the carat. In a bracketed character list carat means "anything except the following".
\w = word characters
\d = numeric digits
the rest are just escaped individual characters.

For address data like "apt. #305". You can do a regex in front of the one I gave that converts "#" to "number" or don't do anything before to let the above just remove it.

$formvar = preg_replace("/\#/g","number",$formvar);

Also remember that you can't do:

$_POST['formvar'] = preg_replace("/\#/g","number",$_POST['formvar']);

because this array is immutable. but

$formvar = preg_replace("/\#/g","number",$_POST['formvar']);

would work.

By not allowing ; or # you also break encoded characters on query string or POST which is a good measure to help break XSS. By not allowing ' or " and ; you help break sql injections, though you should also use the functions for filtering query data. The &'s used for argument separation aren't affected since these are not included in the data when you read them for php.

Default deny for the win. You may need to do a few tweaks if you discover stuff getting scrubbed that shouldn't be, but it's way more secure than doing it the other way.

-r

This article has been dead for over six months. Start a new discussion instead.