...

View Full Version : replacing multiple characters in a string



JeremyH
05-02-2006, 06:29 PM
I'm learning PHP and have a question...

I want to remove some characters from form input. Using this:

$comment = str_replace('example', 'Example', $comment);

works great, but how would I replace more than one character or string? Would it be done with an array? I knew how to with Perl, but I can't find the equivalent in PHP.



Also, for security purposes, would removing characters like ";<>&*~|#" from the form input be a good start in keeping my forms less open to sneaky coders? Maybe replacing those characters with the ISO character set numbers? This is for a guestbook-type page, so I feel that high security isn't that necessary for the file the input is being written to. I just don't want people to be able to screw around with other files via the form.

Any tips?

ralph l mayo
05-02-2006, 06:44 PM
You can do this with an array, by using something like
$comment = str_replace(array('"', ';', '<', 'etc'), '', $comment);

Most people would use a regular expression, which is kind of a can of worms in and of itself, but if you have a perl background it shouldn't be too bad:

$comment = preg_replace('/[";<>&*~|#]/', '', $comment);

Or, better in most cases for this purpose, use a negated character class:

$comment = preg_replace('/[^a-z0-9]/i', '', $comment);

which blanks everything that's not a letter (/i is the case insensitive switch) or a number

JeremyH
05-02-2006, 07:15 PM
Ralph...

Your bottom 2 examples look pretty familiar so I think I know what to do.

Is there a difference in preg_replace and str_replace?

Thanks for the response.

ralph l mayo
05-02-2006, 07:21 PM
Yeah, str_replace only replaces a literal string, preg_replace allows regular expressions (http://regularexpressions.info).

JeremyH
05-02-2006, 08:54 PM
Thanks again for the info & link!

fci
05-02-2006, 09:39 PM
Yeah, str_replace only replaces a literal string

incorrect

$phrase = "You should eat fruits, vegetables, and fiber every day.";
$healthy = array("fruits", "vegetables", "fiber");
$yummy = array("pizza", "beer", "ice cream");

$newphrase = str_replace($healthy, $yummy, $phrase);

although I would personally go with preg_replace..

JeremyH
05-02-2006, 10:32 PM
fci,

I had written this as a reg expression in Perl already, and it looks like it should work fine with a little modification. Thanks for clearing up the array method of replacing those.

ralph l mayo
05-02-2006, 11:33 PM
incorrect
If by incorrect you mean correct. That's an iterative replacement of string literals. Also, I included that method in my first post. ;)

firepages
05-03-2006, 12:23 AM
If by incorrect you mean correct. That's an iterative replacement of string literals. Also, I included that method in my first post. ;)


...and is much faster than preg_* , use str_replace where you can.

ralph l mayo
05-03-2006, 01:50 AM
...and is much faster than preg_* , use str_replace where you can.
True, if your web app is somehow bottlenecked by form validation. I stand by my recommendation of a negated regular expression character set, as default denial is more secure.
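
An added example, not part of the thread and not any poster's code: it runs the two character-class filters posted above over three constructed guestbook comments, next to entity encoding with htmlspecialchars(), which corresponds to the original question's idea of replacing characters with their character codes. The function names, the wider allowlist and the sample comments are assumptions made for illustration.

```php
<?php
// Added example; sample inputs below are constructed, not taken from the thread.

// Denylist posted in the thread: strip a fixed set of characters.
function strip_denylist(string $s): string {
    return preg_replace('/[";<>&*~|#]/', '', $s);
}

// Negated class posted in the thread: keep only letters and digits.
// Note that it also removes spaces and punctuation.
function strip_allowlist(string $s): string {
    return preg_replace('/[^a-z0-9]/i', '', $s);
}

// Assumption: a wider allowlist suited to guestbook prose
// (letters, digits, space, and a little punctuation).
function strip_allowlist_text(string $s): string {
    return preg_replace('/[^a-z0-9 .,!?\'-]/i', '', $s);
}

// Entity encoding: nothing is deleted; HTML metacharacters are
// turned into entities when the comment is written into a page.
function encode_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed guestbook comments.
$samples = [
    'Nice site, thanks!',
    '<script>alert(1)</script>',
    "O'Brien & Sons (est. 1999) say hi",
];

$filters = [
    'denylist'       => 'strip_denylist',
    'allowlist'      => 'strip_allowlist',
    'allowlist_text' => 'strip_allowlist_text',
    'encode'         => 'encode_for_html',
];

foreach ($samples as $input) {
    printf("input          : %s\n", $input);
    foreach ($filters as $name => $fn) {
        printf("%-15s: %s\n", $name, $fn($input));
    }
    echo "\n";
}
```

The denylist passes any character it does not name (the apostrophe and parentheses in the third sample), while the strict allowlist removes spaces and punctuation from legitimate comments; entity encoding keeps the visitor's text intact and makes it inert as HTML.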


