#1
    String replace related info


    Hi:

    I need to know how to remove all the unwanted characters from a user input. In particular, I just want to keep . (period) and single spaces between the names and replace '&' with the word 'and' when a user inputs information in the name field on the form. Instead of giving an error and asking the user to repeat entry of the name and imposing many rules on the input, I simply want to filter the input and keep expected characters and remove all other characters (or alternately replace them with '' (nothing)). I want to do this because, in spite of all the rules, there can be human errors with the keyboard when the input is provided by the user, and hence this idea of filtering the info for A-Z, a-z, ., and & (to be replaced by the word 'and') and if possible the '(' and ')' braces too for words like (Retd.) which many a time people end up writing for 'Retired' in the name field. Can you please suggest what to do? I had written the following For loop (which now looks absolutely juvenile to me!) and while running the script with this For loop, I got the error of 'Time out' on the local development server as well as the actual web server where my software is being used (quite logical as it must be taking time to run through the loop!). The main reason for my wanting to filter out the data is not to waste any time of the user by forcing them to repeat the data entry and also to save myself from the SQL injection threat so that dicey characters like '&' don't stay in the user input and are removed promptly while updating the database with the user-provided info.

    PHP Code:
    for ($i = 0; $i <= 255; $i++) {
        if ($i < 32) {                          // control characters
            $sname = str_replace(chr($i), "", $sname);
        }
        if ($i > 32 and $i < 38) {              // ! " # $ %
            $sname = str_replace(chr($i), "", $sname);
        }
        if ($i == 38) {                         // & becomes "and" (== is a comparison; a single = here assigns 38 to $i and the loop never ends)
            $sname = str_replace(chr($i), "and", $sname);
        }
        if ($i > 38 and $i < 40) {              // '
            $sname = str_replace(chr($i), "", $sname);
        }
        if ($i > 41 and $i < 46) {              // * + , -
            $sname = str_replace(chr($i), "", $sname);
        }
        if ($i > 46 and $i < 65) {              // / 0-9 : ; < = > ? @
            $sname = str_replace(chr($i), "", $sname);
        }
        if ($i > 90 and $i < 97) {              // [ \ ] ^ _ `  (must act on $sname, not a different variable)
            $sname = str_replace(chr($i), "", $sname);
        }
        if ($i >= 123) {                        // { | } ~ DEL and everything above ASCII
            $sname = str_replace(chr($i), "", $sname);
        }
    }
    I know this question must have been asked before too, but unfortunately I cannot locate the problem and the solution that closely resembles my problem. I would also be grateful if the forum were arranged in such a way that it is easier to search for a particular type of question and find any previous answers. Also, I would greatly appreciate it if I could get to know the difference between str_replace() and preg_replace() and which one is better. I am relatively new to the forum and PHP and have been learning PHP on my own!

    Thanks in advance for all your help! It is truly appreciated!
    Mozart66
#2
    Hi,

    that's an ... interesting approach.

    However, you should never rely on home-made filtering to prevent SQL injections. Use prepared statements. If that's not possible, use the escaping method provided by your database extension (as described in the linked post).

    PHP also isn't that stupid that you'd have to go through the ASCII table by hand.

    However, I question this whole approach of silently changing the user input. I think this is a usability killer. When I input something, I expect it to either be accepted like it is or rejected with an exact error message so that I can change it accordingly. I do not want the website to "guess" what I mean and change the input without my agreement (maybe even without me knowing it).

    Instead, simply tell the user which characters he's allowed to use. And possibly add live validation (with JavaScript) so that errors can be corrected immediately.

    You should also consider using an international character set (namely Unicode) and loosening the filtering rules. Names -- assuming you mean persons -- can very well contain hyphens, diacritics ("Müller", "Fernández") etc.

    If you insist on your original idea, use regular expressions to delete the unwanted characters:
    PHP Code:
    $sname = str_replace('&', 'and', $sname);                 // replace "&" with "and"
    $sname = preg_replace('/[^a-zA-Z.\s]/', '', $sname);      // delete everything except a-zA-Z, the period and whitespace
    Last edited by Jacques1; February 12th, 2013 at 04:34 AM.
    The 6 worst sins of security
    How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
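    The whitelist filter from the reply above, written out as an added example (not code from the thread), extended with the "(" and ")" the question asked for, a Unicode variant using \p{L} as the reply suggests, and a PDO prepared statement so the filtered value is never concatenated into SQL. The table and column names are assumed.

    ```php
    <?php
    // Added example, not from the thread. Whitelist filtering for a name field,
    // plus a prepared statement as the actual SQL-injection defence.

    function filter_name(string $raw, bool $unicode = false): string
    {
        // "&" becomes " and " first; the surrounding spaces are collapsed below,
        // so "Smith&Jones" and "Smith & Jones" both end up as "Smith and Jones".
        $name = str_replace('&', ' and ', $raw);

        // Whitelist: letters, period, parentheses, whitespace. Everything else is dropped.
        // The /u pattern treats the input as UTF-8 and keeps letters from any script.
        $pattern = $unicode ? '/[^\p{L}.()\s]/u' : '/[^A-Za-z.()\s]/';
        $name = preg_replace($pattern, '', $name);
        if ($name === null) {
            // preg_replace returns null on error, e.g. when /u meets invalid UTF-8.
            throw new InvalidArgumentException('input is not valid UTF-8');
        }

        // Collapse runs of whitespace to single spaces and trim the ends.
        return trim(preg_replace('/\s+/', ' ', $name));
    }

    function save_name(PDO $db, string $name): void
    {
        // The value travels separately from the SQL text, so nothing that survives
        // the filter can alter the query. Table and column names are assumed.
        $stmt = $db->prepare('INSERT INTO people (sname) VALUES (:sname)');
        $stmt->execute([':sname' => $name]);
    }

    // Constructed inputs mimicking the keyboard slips described in post #1.
    $samples = [
        "Col. Smith & Jones (Retd.)",
        "O'Brien;  DROP TABLE people; --",
        "Fernández-Müller",
    ];
    foreach ($samples as $s) {
        printf("%-32s -> ASCII: %-28s Unicode: %s\n", $s, filter_name($s), filter_name($s, true));
    }
    ```

    Note that the second sample still contains the words DROP TABLE after filtering; a character whitelist shapes the data, and it is the prepared statement in save_name() that keeps the query safe.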
#3
    Thank you so much!!

    As for my "interesting" approach, this is a customized requirement of the client where the end-users' level of even general understanding and computer-savvy traits are sorely lacking, if not totally missing!! This software that I am designing in PHP/MySQL is for the purpose of in-house use of an organization where only a handful of people will be operating it AND given their track record of keyboard usage, it was the only solution that struck me! More for saving them from recording the blunders! Had I been designing an international-level PHP program / software, this would certainly not have been my approach! I assure you! I came to this conclusion only after studying the actual data, the psyche of the end-users, their exposure to computers and many other non-programming aspects!! But thank you so much for being astute! I truly appreciate that!
#4
    OK, in that case I understand your solution.
