replacing multiple characters in a string

I'm learning PHP and have a question...

I want to remove some characters from form input. Using this:

$comment = str_replace('example', 'Example', $comment);

works great, but how would I replace more than one charcter or string? Would it be done with an array? I knew how to with Perl, but I can't find the equivilent in PHP.



Also, for security purposes, would removing characters like ";<>&*~|#" from the form input be a good start in keeping my forms less open to sneaky coders? Maybe replacing those characters with the ISO character set numbers? This is for a guestbook-type page, so I feel that high security isn't that necessary for the file the input is being written to. I just don't want people to be able to screw around with other files via the form.

Any tips?

You can do this with an array, by using something like
$comment = str_replace(array('"', ';', '<', 'etc'), '', $comment)

Most people would use a regular expression, which is kind of a can of worms in and of itself, but if you have a perl background it shouldn't be too bad:

$comment = preg_replace('/[";<>&*~|#]/', '', $comment)

Or, better in most cases for this purpose, use a negated character class:

$comment = preg_replace('/[^a-z0-9]/i', '', $comment)

which blanks everything that's not a letter (/i is the case insensitive switch) or a number

Ralph...

Your bottom 2 examples look pretty familiar so I think I know what to do.

Is there a difference in preg_replace and str_replace?

Thanks for the response.

Yeah, str_replace only replaces a literal string, preg_replace allows regular expressions (http://regularexpressions.info).

Thanks again for the info & link!

Yeah, str_replace only replaces a literal string

incorrect
$phrase = "You should eat fruits, vegetables, and fiber every day.";
$healthy = array("fruits", "vegetables", "fiber");
$yummy = array("pizza", "beer", "ice cream");

$newphrase = str_replace($healthy, $yummy, $phrase);

although I would personally go with preg_replace..

fci,

I had witten this as a reg expression in Perl already, and it looks like it should work fine with a little modification. Thanks for clearing up the array method of replacing those.

incorrect
If by incorrect you mean correct. That's an iterative replacement of string literals. Also, I included that method in my first post. ;)

If by incorrect you mean correct. That's an iterative replacement of string literals. Also, I included that method in my first post. ;)


...and is much faster than preg_* , use str_replace where you can.

...and is much faster than preg_* , use str_replace where you can.
True, if your web app is somehow bottlenecked by form validation. I stand by my recommendation of a negated regular expression character set, as default denial is more secure.