Remove all html special chars












0















Before saving the input from users in the database, I am using the below function to replace all HTML special chars. All my users will always be using the English Language.



Option 1



function clean($var) {

  $regEx="/[^a-zA-Z0-9 -_]/"; 

  $var = preg_replace($regEx, "", $var);

  return $var;

}


I want users to be able to only store




  • Letters (a to z) (Case Insensitive)

  • Numbers (0 to 9)

  • Space, Dash, Underscore


Will the above function is good for this job, or should I be using a more efficient/inbuilt function in PHP?



This is how I am using the function.



$userInput = htmlspecialchars(clean($userInput));


Option 2



function h($str_to_encode = ""){

    // Pregmatch will replacte all HTML characters with Empty string

    return preg_replace("/&#?[a-z0-9]{2,8};/i","", htmlspecialchars($str_to_encode));

}


Regex from : https://stackoverflow.com/a/657670/4050261






php html regex comparative-review







share|improve this question




















  • 3





    "All my users will always be using the English language." doesn't imply that only the letters from a-z are valid. Take a look at this: English words with diacritics.

    – insertusernamehere
    Feb 2 '18 at 10:32













  • You haven't told us much about why you're doing this, but I get the sense that this is almost certainly the wrong thing to do.

    – 200_success
    Feb 2 '18 at 15:03











  • @200_success, since it is a small project, want to reduce functionality for better security.

    – Adarsh
    Feb 2 '18 at 19:42
















0















Before saving the input from users in the database, I am using the below function to replace all HTML special chars. All my users will always be using the English Language.



Option 1



function clean($var) {

  $regEx="/[^a-zA-Z0-9 -_]/"; 

  $var = preg_replace($regEx, "", $var);

  return $var;

}


I want users to be able to only store




  • Letters (a to z) (Case Insensitive)

  • Numbers (0 to 9)

  • Space, Dash, Underscore


Will the above function is good for this job, or should I be using a more efficient/inbuilt function in PHP?



This is how I am using the function.



$userInput = htmlspecialchars(clean($userInput));


Option 2



function h($str_to_encode = ""){

    // Pregmatch will replacte all HTML characters with Empty string

    return preg_replace("/&#?[a-z0-9]{2,8};/i","", htmlspecialchars($str_to_encode));

}


Regex from : https://stackoverflow.com/a/657670/4050261






php html regex comparative-review







share|improve this question




















  • 3





    "All my users will always be using the English language." doesn't imply that only the letters from a-z are valid. Take a look at this: English words with diacritics.

    – insertusernamehere
    Feb 2 '18 at 10:32













  • You haven't told us much about why you're doing this, but I get the sense that this is almost certainly the wrong thing to do.

    – 200_success
    Feb 2 '18 at 15:03











  • @200_success, since it is a small project, want to reduce functionality for better security.

    – Adarsh
    Feb 2 '18 at 19:42














0












0








0








Before saving the input from users in the database, I am using the below function to replace all HTML special chars. All my users will always be using the English Language.



Option 1



function clean($var) {

  $regEx="/[^a-zA-Z0-9 -_]/"; 

  $var = preg_replace($regEx, "", $var);

  return $var;

}


I want users to be able to only store




  • Letters (a to z) (Case Insensitive)

  • Numbers (0 to 9)

  • Space, Dash, Underscore


Will the above function is good for this job, or should I be using a more efficient/inbuilt function in PHP?



This is how I am using the function.



$userInput = htmlspecialchars(clean($userInput));


Option 2



function h($str_to_encode = ""){

    // Pregmatch will replacte all HTML characters with Empty string

    return preg_replace("/&#?[a-z0-9]{2,8};/i","", htmlspecialchars($str_to_encode));

}


Regex from : https://stackoverflow.com/a/657670/4050261






php html regex comparative-review







share|improve this question
















Before saving the input from users in the database, I am using the below function to replace all HTML special chars. All my users will always be using the English Language.



Option 1



function clean($var) {

  $regEx="/[^a-zA-Z0-9 -_]/"; 

  $var = preg_replace($regEx, "", $var);

  return $var;

}


I want users to be able to only store




  • Letters (a to z) (Case Insensitive)

  • Numbers (0 to 9)

  • Space, Dash, Underscore


Will the above function is good for this job, or should I be using a more efficient/inbuilt function in PHP?



This is how I am using the function.



$userInput = htmlspecialchars(clean($userInput));


Option 2



function h($str_to_encode = ""){

    // Pregmatch will replacte all HTML characters with Empty string

    return preg_replace("/&#?[a-z0-9]{2,8};/i","", htmlspecialchars($str_to_encode));

}


Regex from : https://stackoverflow.com/a/657670/4050261






php html regex comparative-review




php html regex comparative-review






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 2 '18 at 14:56









200_success

129k15152414




129k15152414










asked Feb 2 '18 at 9:56









AdarshAdarsh

1465




1465








  • 3





    "All my users will always be using the English language." doesn't imply that only the letters from a-z are valid. Take a look at this: English words with diacritics.

    – insertusernamehere
    Feb 2 '18 at 10:32













  • You haven't told us much about why you're doing this, but I get the sense that this is almost certainly the wrong thing to do.

    – 200_success
    Feb 2 '18 at 15:03











  • @200_success, since it is a small project, want to reduce functionality for better security.

    – Adarsh
    Feb 2 '18 at 19:42














  • 3





    "All my users will always be using the English language." doesn't imply that only the letters from a-z are valid. Take a look at this: English words with diacritics.

    – insertusernamehere
    Feb 2 '18 at 10:32













  • You haven't told us much about why you're doing this, but I get the sense that this is almost certainly the wrong thing to do.

    – 200_success
    Feb 2 '18 at 15:03











  • @200_success, since it is a small project, want to reduce functionality for better security.

    – Adarsh
    Feb 2 '18 at 19:42








3




3





"All my users will always be using the English language." doesn't imply that only the letters from a-z are valid. Take a look at this: English words with diacritics.

– insertusernamehere
Feb 2 '18 at 10:32







"All my users will always be using the English language." doesn't imply that only the letters from a-z are valid. Take a look at this: English words with diacritics.

– insertusernamehere
Feb 2 '18 at 10:32















You haven't told us much about why you're doing this, but I get the sense that this is almost certainly the wrong thing to do.

– 200_success
Feb 2 '18 at 15:03





You haven't told us much about why you're doing this, but I get the sense that this is almost certainly the wrong thing to do.

– 200_success
Feb 2 '18 at 15:03













@200_success, since it is a small project, want to reduce functionality for better security.

– Adarsh
Feb 2 '18 at 19:42





@200_success, since it is a small project, want to reduce functionality for better security.

– Adarsh
Feb 2 '18 at 19:42










2 Answers
2






active

oldest

votes


















1














Your regex [^a-zA-Z0-9 -_] matches everything that is not a to z, A to Z, 0 to 9 and space to _, this last range includes all character between hexa020 and hexa5F (ie for example !, ", #, $, % and many other), in a character class, - must be escaped or place at the beginning or at the end like:




  • [^a-zA-Z0-9 -_]

  • [^a-zA-Z0-9 _-]

  • [^-a-zA-Z0-9 _]


That said, you can simplify a bit:



[a-zA-Z0-9_] can be coded as w (depending on locale), so your regex becomes [^w -].



If you want to be unicode compatible, use:



[^pLpN_ -] where pL stands for any letter in any laguage and pN for any digit.






share|improve this answer



















  • 1





    You can also put the hyphen after a range or a shorthand character class: [^a-z-A-Z0-9 _], [^a-zA-Z-0-9 _], [^pL-pN_ ]. It's ugly, but possible...

    – Casimir et Hippolyte
    Feb 3 '18 at 20:52



















0














Similar to Toto's answer, I recommend:



function clean($var) {

    return preg_replace("~[^w -]+~", "", $var);

}


This will replace all occurrences of one or more consecutive forbidden characters.



Adding the "one or more" (+) quantifier means longer potential matches and fewer total replacements. IOW, imagine a carton of a dozen eggs on yhe ground. If the task was to pick up 12 eggs, you could squat 12 times picking them up one at a time, or just squat once and pickup the carton.



I have eliminated the unnecessary inclusion of "single-use variables" as there is no benefit in retaining them for readability.



Following this custom function call, the call of htmlspecialchars() is useless because there won't be any chars to convert.



On the other hand, if you wanted to call htmlspecialchars_decode() prior to clean() there is reasonable logic to that decision, but it depends on the input that you are expecting.






share|improve this answer

























    Your Answer





    StackExchange.ifUsing("editor", function () {
    return StackExchange.using("mathjaxEditing", function () {
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
    });
    });
    }, "mathjax-editing");

    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "196"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f186587%2fremove-all-html-special-chars%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    Your regex [^a-zA-Z0-9 -_] matches everything that is not a to z, A to Z, 0 to 9 and space to _, this last range includes all character between hexa020 and hexa5F (ie for example !, ", #, $, % and many other), in a character class, - must be escaped or place at the beginning or at the end like:




    • [^a-zA-Z0-9 -_]

    • [^a-zA-Z0-9 _-]

    • [^-a-zA-Z0-9 _]


    That said, you can simplify a bit:



    [a-zA-Z0-9_] can be coded as w (depending on locale), so your regex becomes [^w -].



    If you want to be unicode compatible, use:



    [^pLpN_ -] where pL stands for any letter in any laguage and pN for any digit.






    share|improve this answer



















    • 1





      You can also put the hyphen after a range or a shorthand character class: [^a-z-A-Z0-9 _], [^a-zA-Z-0-9 _], [^pL-pN_ ]. It's ugly, but possible...

      – Casimir et Hippolyte
      Feb 3 '18 at 20:52
















    1














    Your regex [^a-zA-Z0-9 -_] matches everything that is not a to z, A to Z, 0 to 9 and space to _, this last range includes all character between hexa020 and hexa5F (ie for example !, ", #, $, % and many other), in a character class, - must be escaped or place at the beginning or at the end like:




    • [^a-zA-Z0-9 -_]

    • [^a-zA-Z0-9 _-]

    • [^-a-zA-Z0-9 _]


    That said, you can simplify a bit:



    [a-zA-Z0-9_] can be coded as w (depending on locale), so your regex becomes [^w -].



    If you want to be unicode compatible, use:



    [^pLpN_ -] where pL stands for any letter in any laguage and pN for any digit.






    share|improve this answer



















    • 1





      You can also put the hyphen after a range or a shorthand character class: [^a-z-A-Z0-9 _], [^a-zA-Z-0-9 _], [^pL-pN_ ]. It's ugly, but possible...

      – Casimir et Hippolyte
      Feb 3 '18 at 20:52














    1












    1








    1







    Your regex [^a-zA-Z0-9 -_] matches everything that is not a to z, A to Z, 0 to 9 and space to _, this last range includes all character between hexa020 and hexa5F (ie for example !, ", #, $, % and many other), in a character class, - must be escaped or place at the beginning or at the end like:




    • [^a-zA-Z0-9 -_]

    • [^a-zA-Z0-9 _-]

    • [^-a-zA-Z0-9 _]


    That said, you can simplify a bit:



    [a-zA-Z0-9_] can be coded as w (depending on locale), so your regex becomes [^w -].



    If you want to be unicode compatible, use:



    [^pLpN_ -] where pL stands for any letter in any laguage and pN for any digit.






    share|improve this answer













    Your regex [^a-zA-Z0-9 -_] matches everything that is not a to z, A to Z, 0 to 9 and space to _, this last range includes all character between hexa020 and hexa5F (ie for example !, ", #, $, % and many other), in a character class, - must be escaped or place at the beginning or at the end like:




    • [^a-zA-Z0-9 -_]

    • [^a-zA-Z0-9 _-]

    • [^-a-zA-Z0-9 _]


    That said, you can simplify a bit:



    [a-zA-Z0-9_] can be coded as w (depending on locale), so your regex becomes [^w -].



    If you want to be unicode compatible, use:



    [^pLpN_ -] where pL stands for any letter in any laguage and pN for any digit.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Feb 2 '18 at 13:05









    TotoToto

    5391613




    5391613








    • 1





      You can also put the hyphen after a range or a shorthand character class: [^a-z-A-Z0-9 _], [^a-zA-Z-0-9 _], [^pL-pN_ ]. It's ugly, but possible...

      – Casimir et Hippolyte
      Feb 3 '18 at 20:52














    • 1





      You can also put the hyphen after a range or a shorthand character class: [^a-z-A-Z0-9 _], [^a-zA-Z-0-9 _], [^pL-pN_ ]. It's ugly, but possible...

      – Casimir et Hippolyte
      Feb 3 '18 at 20:52








    1




    1





    You can also put the hyphen after a range or a shorthand character class: [^a-z-A-Z0-9 _], [^a-zA-Z-0-9 _], [^pL-pN_ ]. It's ugly, but possible...

    – Casimir et Hippolyte
    Feb 3 '18 at 20:52





    You can also put the hyphen after a range or a shorthand character class: [^a-z-A-Z0-9 _], [^a-zA-Z-0-9 _], [^pL-pN_ ]. It's ugly, but possible...

    – Casimir et Hippolyte
    Feb 3 '18 at 20:52













    0














    Similar to Toto's answer, I recommend:



    function clean($var) {
    
    return preg_replace("~[^w -]+~", "", $var);
    
}


    This will replace all occurrences of one or more consecutive forbidden characters.



    Adding the "one or more" (+) quantifier means longer potential matches and fewer total replacements. IOW, imagine a carton of a dozen eggs on yhe ground. If the task was to pick up 12 eggs, you could squat 12 times picking them up one at a time, or just squat once and pickup the carton.



    I have eliminated the unnecessary inclusion of "single-use variables" as there is no benefit in retaining them for readability.



    Following this custom function call, the call of htmlspecialchars() is useless because there won't be any chars to convert.



    On the other hand, if you wanted to call htmlspecialchars_decode() prior to clean() there is reasonable logic to that decision, but it depends on the input that you are expecting.






    share|improve this answer






























      0














      Similar to Toto's answer, I recommend:



      function clean($var) {
      
    return preg_replace("~[^w -]+~", "", $var);
      
}


      This will replace all occurrences of one or more consecutive forbidden characters.



      Adding the "one or more" (+) quantifier means longer potential matches and fewer total replacements. IOW, imagine a carton of a dozen eggs on yhe ground. If the task was to pick up 12 eggs, you could squat 12 times picking them up one at a time, or just squat once and pickup the carton.



      I have eliminated the unnecessary inclusion of "single-use variables" as there is no benefit in retaining them for readability.



      Following this custom function call, the call of htmlspecialchars() is useless because there won't be any chars to convert.



      On the other hand, if you wanted to call htmlspecialchars_decode() prior to clean() there is reasonable logic to that decision, but it depends on the input that you are expecting.






      share|improve this answer




























        0












        0








        0







        Similar to Toto's answer, I recommend:



        function clean($var) {
        
    return preg_replace("~[^w -]+~", "", $var);
        
}


        This will replace all occurrences of one or more consecutive forbidden characters.



        Adding the "one or more" (+) quantifier means longer potential matches and fewer total replacements. IOW, imagine a carton of a dozen eggs on yhe ground. If the task was to pick up 12 eggs, you could squat 12 times picking them up one at a time, or just squat once and pickup the carton.



        I have eliminated the unnecessary inclusion of "single-use variables" as there is no benefit in retaining them for readability.



        Following this custom function call, the call of htmlspecialchars() is useless because there won't be any chars to convert.



        On the other hand, if you wanted to call htmlspecialchars_decode() prior to clean() there is reasonable logic to that decision, but it depends on the input that you are expecting.






        share|improve this answer















        Similar to Toto's answer, I recommend:



        function clean($var) {
        
    return preg_replace("~[^w -]+~", "", $var);
        
}


        This will replace all occurrences of one or more consecutive forbidden characters.



        Adding the "one or more" (+) quantifier means longer potential matches and fewer total replacements. IOW, imagine a carton of a dozen eggs on yhe ground. If the task was to pick up 12 eggs, you could squat 12 times picking them up one at a time, or just squat once and pickup the carton.



        I have eliminated the unnecessary inclusion of "single-use variables" as there is no benefit in retaining them for readability.



        Following this custom function call, the call of htmlspecialchars() is useless because there won't be any chars to convert.



        On the other hand, if you wanted to call htmlspecialchars_decode() prior to clean() there is reasonable logic to that decision, but it depends on the input that you are expecting.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 11 mins ago

























        answered 16 mins ago









        mickmackusamickmackusa

        1,057112




        1,057112






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Code Review Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f186587%2fremove-all-html-special-chars%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Morgemoulin

            Image
            Morgemoulin — miejscowość i gmina — Państwo   Francja Region Grand Est Departament Moza Okręg Verdun Kod INSEE 55357 Powierzchnia 6,82 km² Populacja  (1990) • liczba ludności 75 • gęstość 11 os./km² Kod pocztowy 55400 Położenie na mapie Francji Morgemoulin 49°14′N   5°35′E / 49,233333   5,583333 Portal Francja Morgemoulin – miejscowość i gmina we Francji, w regionie Grand Est, w departamencie Moza. Według danych na rok 1990 gminę zamieszkiwało 75 osób, a gęstość zaludnienia wynosiła 11 osób/km² (wśród 2335 gmin Lotaryngii Morgemoulin plasuje się na 970. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 848.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Verdun Abaucourt-Hautecourt • Aincreville • Ambly-sur-Meuse • Amel-sur-l'Étang • Ancemont • Arrancy-sur-Crusne • Aubréville • Autré
            Read more

            Scott Moir

            Image
            Scott Moir Tessa Virtue i Scott Moir w 2016 r. Reprezentacja   Kanada Data i miejsce urodzenia 2 września 1987 London Wzrost 180 cm Konkurencja Pary taneczne Partner sportowy Tessa Virtue Trener Marie-France Dubreuil, Patrice Lauzon, Romain Haguenauer Poprzednio: Marina Zujewa, Oleg Epstein, Igor Szpilband, Johnny Johns, Carol Moir, Paul MacIntosh, Suzanne Killing Klub Montreal International School of Skating Poprzednio: Arctic Edge FSC Ilderton Skating Club Lokalizacja treningowa Montreal Poprzednio: Canton Kitchener Rekordy życiowe ISU przed sezonem 2018/2019 Nota łączna 206,07 Igrzyska Olimpijskie 2018 Taniec krótki 83,67 Igrzyska Olimpijskie 2018 Taniec dowolny 122,40 Igrzyska Olimpijskie 2018 Dorobek medalowy Reprezentacja   Kanada Igrzyska olimpijskie Złoto Vancouver 2010 pary taneczne Złoto Pjongczang 2018 pary taneczne Złoto Pjongczang 2018 drużynowo Srebro S
            Read more

            Souastre

            Image
            Souastre — miejscowość i gmina — Herb Państwo   Francja Region Hauts-de-France Departament Pas-de-Calais Okręg Arras Kod INSEE 62800 Powierzchnia 7,18 km² Populacja  (1990) • liczba ludności 352 • gęstość 49 os./km² Kod pocztowy 62111 Położenie na mapie Francji Souastre 50°09′N   2°34′E / 50,150000   2,566667 Portal Francja Souastre – miejscowość i gmina we Francji, w regionie Hauts-de-France, w departamencie Pas-de-Calais. Według danych na rok 1990 gminę zamieszkiwały 352 osoby, a gęstość zaludnienia wynosiła 49 osób/km² (wśród 1549 gmin regionu Nord-Pas-de-Calais Souastre plasuje się na 887. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 507.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Arras Ablain-Saint-Nazaire Ablainzevelle Acheville Achicourt Achiet-le-Grand Achiet-le-Pe
            Read more