Secure unicode regex in PHP for text field submissions












1















I am currently using a PHP form processing code that accepts text field submissions. My code is this: 



function checkInput($f) {

    $f = strtr($f, array('Š' => 'S','Ž' => 'Z','š' => 's','ž' => 'z','Ÿ' => 'Y','À' => 'A','Á' => 'A','Â' => 'A','Ã' => 'A','Ä' => 'A','Å' => 'A','Ç' => 'C','È' => 'E'));  

    $f = strtr($f, array('Þ' => 'TH', 'þ' => 'th', 'Ð' => 'DH', 'ð' => 'dh', 'ß' => 'ss', 'Œ' => 'OE', 'œ' => 'oe', 'Æ' => 'AE', 'æ' => 'ae', 'µ' => 'u'));  

    $f = preg_replace(array('#( ){2,}#', '#(.){4,}#', '/[^w-_.:, ]+/'), array(' ', '...', '_'), $f);  

    return $f; 

}


This code checks characters with accents and replaced those with the 'regular' characters without accents. And the preg_replace line checks:

1. if there are 2 or more consecutive spaces, if yes: replace with 1 space;

2. if there are 4 or more consecutive dots, if yes: replace with 3 dots;

3. if there are any non-matching characters, if yes: replace those with an underscode (_);



I want to support unicode characters from other language, for example Cyrillic. Is it enough to just add a u in the preg_replace line? Example: 



$f = preg_replace(array('#( ){2,}#', '#(.){4,}#', '/[^w-_.:, ]+/u'), array(' ', '...', '_'), $f);


I am not sure if that is the way to go in terms of security. Please advise.



EDIT:

This regex seems to be working, it restricts allowed chars to the specified chars in the regex, but it does not allow non-Latin chars.. 



/^[a-z0-9.,:!?-_ ]+/iu


I want to allow chars: a through z (case insensitive), 0 through 9, . , : ! ? - _ white space and non-Latin chars.



EDIT2:

Ok now this seems to be working correctly in code: 



$rgx = '/[^a-z0-9-_.:,!?w ]+/iu';  

$f = preg_replace($rgx, "", $f);  

$f = preg_replace(array('#( ){2,}#', '#(.){4,}#'), array(' ', '...'), $f);  

return $f;


It allows chars a - z, digits, - _ . : , ! ? and non-Latin chars. And replaces any restricted characters like quotes " ' and semi-colons ; to prevent SQL injections.






php regex







share|improve this question

























  • u will make w Unicode aware and /[^w]/u will match any char that is not a Unicode letter, digit or _ (and some other chars). You probably want to replace '/[^w-_.:, ]+/u' with '/[^a-zA-Z0-9-_.:,s]+/'

    – Wiktor Stribiżew
    Nov 16 '18 at 11:04











  • Thanks, i have tested it: it allows cyrillic characters, but not latin chars. I have tested it here: rubular.com/r/yp6dhfehrl It is a ruby site, but PHP should work the same i think..

    – Nemdr
    Nov 16 '18 at 11:17











  • In your code, you are replacing with regex, and at rubular you are matching. PCRE is used in PHP regexps, not Onigmo (used in Rubular). Use regex101.com to test PHP regexps, it is the most user-friendly - IMHO - regex testing Web site for PCRE, JS, Python re and Go regexps.

    – Wiktor Stribiżew
    Nov 16 '18 at 11:20













  • Thanks, i have tested this regex on regex101, and this seems to be working: ^[a-zA-Z0-9-_.:,!?w ]+/u

    – Nemdr
    Nov 16 '18 at 11:29






  • 1





    I want allow chars: a-zA-Z0-9.,:!?_ - (white space) both Latin and non-Latin chars. Any char in string that is not allowed (not matched), must be replaced with "" (removed from string). This must be done in the entire string. Also I want to replace 2 or more consecutive white spaces with 1 space, etc. like in the preg_match example above. Example: "te-st in!p.ut" will not be changed. But: "test i@n';put" must be changed to: "test input". And: "test [a lot of space] input" changed to: "test input".

    – Nemdr
    Nov 16 '18 at 12:11


















1















I am currently using a PHP form processing code that accepts text field submissions. My code is this: 



function checkInput($f) {

    $f = strtr($f, array('Š' => 'S','Ž' => 'Z','š' => 's','ž' => 'z','Ÿ' => 'Y','À' => 'A','Á' => 'A','Â' => 'A','Ã' => 'A','Ä' => 'A','Å' => 'A','Ç' => 'C','È' => 'E'));  

    $f = strtr($f, array('Þ' => 'TH', 'þ' => 'th', 'Ð' => 'DH', 'ð' => 'dh', 'ß' => 'ss', 'Œ' => 'OE', 'œ' => 'oe', 'Æ' => 'AE', 'æ' => 'ae', 'µ' => 'u'));  

    $f = preg_replace(array('#( ){2,}#', '#(.){4,}#', '/[^w-_.:, ]+/'), array(' ', '...', '_'), $f);  

    return $f; 

}


This code checks characters with accents and replaced those with the 'regular' characters without accents. And the preg_replace line checks:

1. if there are 2 or more consecutive spaces, if yes: replace with 1 space;

2. if there are 4 or more consecutive dots, if yes: replace with 3 dots;

3. if there are any non-matching characters, if yes: replace those with an underscode (_);



I want to support unicode characters from other language, for example Cyrillic. Is it enough to just add a u in the preg_replace line? Example: 



$f = preg_replace(array('#( ){2,}#', '#(.){4,}#', '/[^w-_.:, ]+/u'), array(' ', '...', '_'), $f);


I am not sure if that is the way to go in terms of security. Please advise.



EDIT:

This regex seems to be working, it restricts allowed chars to the specified chars in the regex, but it does not allow non-Latin chars.. 



/^[a-z0-9.,:!?-_ ]+/iu


I want to allow chars: a through z (case insensitive), 0 through 9, . , : ! ? - _ white space and non-Latin chars.



EDIT2:

Ok now this seems to be working correctly in code: 



$rgx = '/[^a-z0-9-_.:,!?w ]+/iu';  

$f = preg_replace($rgx, "", $f);  

$f = preg_replace(array('#( ){2,}#', '#(.){4,}#'), array(' ', '...'), $f);  

return $f;


It allows chars a - z, digits, - _ . : , ! ? and non-Latin chars. And replaces any restricted characters like quotes " ' and semi-colons ; to prevent SQL injections.






php regex







share|improve this question

























  • u will make w Unicode aware and /[^w]/u will match any char that is not a Unicode letter, digit or _ (and some other chars). You probably want to replace '/[^w-_.:, ]+/u' with '/[^a-zA-Z0-9-_.:,s]+/'

    – Wiktor Stribiżew
    Nov 16 '18 at 11:04











  • Thanks, i have tested it: it allows cyrillic characters, but not latin chars. I have tested it here: rubular.com/r/yp6dhfehrl It is a ruby site, but PHP should work the same i think..

    – Nemdr
    Nov 16 '18 at 11:17











  • In your code, you are replacing with regex, and at rubular you are matching. PCRE is used in PHP regexps, not Onigmo (used in Rubular). Use regex101.com to test PHP regexps, it is the most user-friendly - IMHO - regex testing Web site for PCRE, JS, Python re and Go regexps.

    – Wiktor Stribiżew
    Nov 16 '18 at 11:20













  • Thanks, i have tested this regex on regex101, and this seems to be working: ^[a-zA-Z0-9-_.:,!?w ]+/u

    – Nemdr
    Nov 16 '18 at 11:29






  • 1





    I want allow chars: a-zA-Z0-9.,:!?_ - (white space) both Latin and non-Latin chars. Any char in string that is not allowed (not matched), must be replaced with "" (removed from string). This must be done in the entire string. Also I want to replace 2 or more consecutive white spaces with 1 space, etc. like in the preg_match example above. Example: "te-st in!p.ut" will not be changed. But: "test i@n';put" must be changed to: "test input". And: "test [a lot of space] input" changed to: "test input".

    – Nemdr
    Nov 16 '18 at 12:11
















1












1








1








I am currently using a PHP form processing code that accepts text field submissions. My code is this: 



function checkInput($f) {

    $f = strtr($f, array('Š' => 'S','Ž' => 'Z','š' => 's','ž' => 'z','Ÿ' => 'Y','À' => 'A','Á' => 'A','Â' => 'A','Ã' => 'A','Ä' => 'A','Å' => 'A','Ç' => 'C','È' => 'E'));  

    $f = strtr($f, array('Þ' => 'TH', 'þ' => 'th', 'Ð' => 'DH', 'ð' => 'dh', 'ß' => 'ss', 'Œ' => 'OE', 'œ' => 'oe', 'Æ' => 'AE', 'æ' => 'ae', 'µ' => 'u'));  

    $f = preg_replace(array('#( ){2,}#', '#(.){4,}#', '/[^w-_.:, ]+/'), array(' ', '...', '_'), $f);  

    return $f; 

}


This code checks characters with accents and replaced those with the 'regular' characters without accents. And the preg_replace line checks:

1. if there are 2 or more consecutive spaces, if yes: replace with 1 space;

2. if there are 4 or more consecutive dots, if yes: replace with 3 dots;

3. if there are any non-matching characters, if yes: replace those with an underscode (_);



I want to support unicode characters from other language, for example Cyrillic. Is it enough to just add a u in the preg_replace line? Example: 



$f = preg_replace(array('#( ){2,}#', '#(.){4,}#', '/[^w-_.:, ]+/u'), array(' ', '...', '_'), $f);


I am not sure if that is the way to go in terms of security. Please advise.



EDIT:

This regex seems to be working, it restricts allowed chars to the specified chars in the regex, but it does not allow non-Latin chars.. 



/^[a-z0-9.,:!?-_ ]+/iu


I want to allow chars: a through z (case insensitive), 0 through 9, . , : ! ? - _ white space and non-Latin chars.



EDIT2:

Ok now this seems to be working correctly in code: 



$rgx = '/[^a-z0-9-_.:,!?w ]+/iu';  

$f = preg_replace($rgx, "", $f);  

$f = preg_replace(array('#( ){2,}#', '#(.){4,}#'), array(' ', '...'), $f);  

return $f;


It allows chars a - z, digits, - _ . : , ! ? and non-Latin chars. And replaces any restricted characters like quotes " ' and semi-colons ; to prevent SQL injections.






php regex







share|improve this question
















I am currently using a PHP form processing code that accepts text field submissions. My code is this: 



function checkInput($f) {

    $f = strtr($f, array('Š' => 'S','Ž' => 'Z','š' => 's','ž' => 'z','Ÿ' => 'Y','À' => 'A','Á' => 'A','Â' => 'A','Ã' => 'A','Ä' => 'A','Å' => 'A','Ç' => 'C','È' => 'E'));  

    $f = strtr($f, array('Þ' => 'TH', 'þ' => 'th', 'Ð' => 'DH', 'ð' => 'dh', 'ß' => 'ss', 'Œ' => 'OE', 'œ' => 'oe', 'Æ' => 'AE', 'æ' => 'ae', 'µ' => 'u'));  

    $f = preg_replace(array('#( ){2,}#', '#(.){4,}#', '/[^w-_.:, ]+/'), array(' ', '...', '_'), $f);  

    return $f; 

}


This code checks characters with accents and replaced those with the 'regular' characters without accents. And the preg_replace line checks:

1. if there are 2 or more consecutive spaces, if yes: replace with 1 space;

2. if there are 4 or more consecutive dots, if yes: replace with 3 dots;

3. if there are any non-matching characters, if yes: replace those with an underscode (_);



I want to support unicode characters from other language, for example Cyrillic. Is it enough to just add a u in the preg_replace line? Example: 



$f = preg_replace(array('#( ){2,}#', '#(.){4,}#', '/[^w-_.:, ]+/u'), array(' ', '...', '_'), $f);


I am not sure if that is the way to go in terms of security. Please advise.



EDIT:

This regex seems to be working, it restricts allowed chars to the specified chars in the regex, but it does not allow non-Latin chars.. 



/^[a-z0-9.,:!?-_ ]+/iu


I want to allow chars: a through z (case insensitive), 0 through 9, . , : ! ? - _ white space and non-Latin chars.



EDIT2:

Ok now this seems to be working correctly in code: 



$rgx = '/[^a-z0-9-_.:,!?w ]+/iu';  

$f = preg_replace($rgx, "", $f);  

$f = preg_replace(array('#( ){2,}#', '#(.){4,}#'), array(' ', '...'), $f);  

return $f;


It allows chars a - z, digits, - _ . : , ! ? and non-Latin chars. And replaces any restricted characters like quotes " ' and semi-colons ; to prevent SQL injections.






php regex




php regex






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 16 '18 at 12:54







Nemdr

















asked Nov 16 '18 at 10:46









NemdrNemdr

134




134













  • u will make w Unicode aware and /[^w]/u will match any char that is not a Unicode letter, digit or _ (and some other chars). You probably want to replace '/[^w-_.:, ]+/u' with '/[^a-zA-Z0-9-_.:,s]+/'

    – Wiktor Stribiżew
    Nov 16 '18 at 11:04











  • Thanks, i have tested it: it allows cyrillic characters, but not latin chars. I have tested it here: rubular.com/r/yp6dhfehrl It is a ruby site, but PHP should work the same i think..

    – Nemdr
    Nov 16 '18 at 11:17











  • In your code, you are replacing with regex, and at rubular you are matching. PCRE is used in PHP regexps, not Onigmo (used in Rubular). Use regex101.com to test PHP regexps, it is the most user-friendly - IMHO - regex testing Web site for PCRE, JS, Python re and Go regexps.

    – Wiktor Stribiżew
    Nov 16 '18 at 11:20













  • Thanks, i have tested this regex on regex101, and this seems to be working: ^[a-zA-Z0-9-_.:,!?w ]+/u

    – Nemdr
    Nov 16 '18 at 11:29






  • 1





    I want allow chars: a-zA-Z0-9.,:!?_ - (white space) both Latin and non-Latin chars. Any char in string that is not allowed (not matched), must be replaced with "" (removed from string). This must be done in the entire string. Also I want to replace 2 or more consecutive white spaces with 1 space, etc. like in the preg_match example above. Example: "te-st in!p.ut" will not be changed. But: "test i@n';put" must be changed to: "test input". And: "test [a lot of space] input" changed to: "test input".

    – Nemdr
    Nov 16 '18 at 12:11





















  • u will make w Unicode aware and /[^w]/u will match any char that is not a Unicode letter, digit or _ (and some other chars). You probably want to replace '/[^w-_.:, ]+/u' with '/[^a-zA-Z0-9-_.:,s]+/'

    – Wiktor Stribiżew
    Nov 16 '18 at 11:04











  • Thanks, i have tested it: it allows cyrillic characters, but not latin chars. I have tested it here: rubular.com/r/yp6dhfehrl It is a ruby site, but PHP should work the same i think..

    – Nemdr
    Nov 16 '18 at 11:17











  • In your code, you are replacing with regex, and at rubular you are matching. PCRE is used in PHP regexps, not Onigmo (used in Rubular). Use regex101.com to test PHP regexps, it is the most user-friendly - IMHO - regex testing Web site for PCRE, JS, Python re and Go regexps.

    – Wiktor Stribiżew
    Nov 16 '18 at 11:20













  • Thanks, i have tested this regex on regex101, and this seems to be working: ^[a-zA-Z0-9-_.:,!?w ]+/u

    – Nemdr
    Nov 16 '18 at 11:29






  • 1





    I want allow chars: a-zA-Z0-9.,:!?_ - (white space) both Latin and non-Latin chars. Any char in string that is not allowed (not matched), must be replaced with "" (removed from string). This must be done in the entire string. Also I want to replace 2 or more consecutive white spaces with 1 space, etc. like in the preg_match example above. Example: "te-st in!p.ut" will not be changed. But: "test i@n';put" must be changed to: "test input". And: "test [a lot of space] input" changed to: "test input".

    – Nemdr
    Nov 16 '18 at 12:11



















u will make w Unicode aware and /[^w]/u will match any char that is not a Unicode letter, digit or _ (and some other chars). You probably want to replace '/[^w-_.:, ]+/u' with '/[^a-zA-Z0-9-_.:,s]+/'

– Wiktor Stribiżew
Nov 16 '18 at 11:04





u will make w Unicode aware and /[^w]/u will match any char that is not a Unicode letter, digit or _ (and some other chars). You probably want to replace '/[^w-_.:, ]+/u' with '/[^a-zA-Z0-9-_.:,s]+/'

– Wiktor Stribiżew
Nov 16 '18 at 11:04













Thanks, i have tested it: it allows cyrillic characters, but not latin chars. I have tested it here: rubular.com/r/yp6dhfehrl It is a ruby site, but PHP should work the same i think..

– Nemdr
Nov 16 '18 at 11:17





Thanks, i have tested it: it allows cyrillic characters, but not latin chars. I have tested it here: rubular.com/r/yp6dhfehrl It is a ruby site, but PHP should work the same i think..

– Nemdr
Nov 16 '18 at 11:17













In your code, you are replacing with regex, and at rubular you are matching. PCRE is used in PHP regexps, not Onigmo (used in Rubular). Use regex101.com to test PHP regexps, it is the most user-friendly - IMHO - regex testing Web site for PCRE, JS, Python re and Go regexps.

– Wiktor Stribiżew
Nov 16 '18 at 11:20







In your code, you are replacing with regex, and at rubular you are matching. PCRE is used in PHP regexps, not Onigmo (used in Rubular). Use regex101.com to test PHP regexps, it is the most user-friendly - IMHO - regex testing Web site for PCRE, JS, Python re and Go regexps.

– Wiktor Stribiżew
Nov 16 '18 at 11:20















Thanks, i have tested this regex on regex101, and this seems to be working: ^[a-zA-Z0-9-_.:,!?w ]+/u

– Nemdr
Nov 16 '18 at 11:29





Thanks, i have tested this regex on regex101, and this seems to be working: ^[a-zA-Z0-9-_.:,!?w ]+/u

– Nemdr
Nov 16 '18 at 11:29




1




1





I want allow chars: a-zA-Z0-9.,:!?_ - (white space) both Latin and non-Latin chars. Any char in string that is not allowed (not matched), must be replaced with "" (removed from string). This must be done in the entire string. Also I want to replace 2 or more consecutive white spaces with 1 space, etc. like in the preg_match example above. Example: "te-st in!p.ut" will not be changed. But: "test i@n';put" must be changed to: "test input". And: "test [a lot of space] input" changed to: "test input".

– Nemdr
Nov 16 '18 at 12:11







I want allow chars: a-zA-Z0-9.,:!?_ - (white space) both Latin and non-Latin chars. Any char in string that is not allowed (not matched), must be replaced with "" (removed from string). This must be done in the entire string. Also I want to replace 2 or more consecutive white spaces with 1 space, etc. like in the preg_match example above. Example: "te-st in!p.ut" will not be changed. But: "test i@n';put" must be changed to: "test input". And: "test [a lot of space] input" changed to: "test input".

– Nemdr
Nov 16 '18 at 12:11














1 Answer
1






active

oldest

votes


















0














Allow me to clean up your Edit #2 patterns and suggest a single-call implementation.



Code: (Demo)



function sanitizer($string) {

    return preg_replace(['~[^p{L}p{N}_.:,!? -]+~u', '~ K +|.{3}K.+~'], '', $string);

}



$strings = [

    "1: Доброе утро - Dobraye ootro &       Good morning",

    "2: Добрый день => Dobriy den'....... (Good afternoon)"

];



foreach ($strings as $string) {

    echo sanitizer($string);

    echo "n---n";

}


Output:



1: Доброе утро- Dobraye ootro Good morning

---

2: Добрый день Dobriy den... Good afternoon

---


I could have written a single piped pattern for preg_replace() but I wanted to make two passes over the string. 1. to remove any invalid characters then 2. to remove excessively long character sequences that may or may not have been formed by the first pass.



Noteworthy pattern changes:




  1. [a-zA-Z0-9_] is more simply written as w however because you are using the u flag AND to prepare for PHP7.3's strict adherence to PCRE2, it is better two write out: p{L}p{N}_


  2. Avoid writing unnecessary slashes before characters without special meaning -- it only makes your pattern longer and harder to interpret. Character that normally have special meaning (like *, ?, +, etc) lose there special meaning inside of a character class [ ... ].


  3. Move your hyphen to the front or back of your negated character class to avoid the possibility of writing a range of character. (because your - came after a range of characters 0-9, this was a non-issue, but it is good advice to remember as a matter of best practice.


  4. K means "forget the previously matched substring" in other words, "start matching from here". This enables you to avoid a capture group and just truncate the unwanted characters by replacing the match with an empty string.



p.s. You should still run your strtr() calls as your original post has done.






share|improve this answer
























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53336286%2fsecure-unicode-regex-in-php-for-text-field-submissions%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    Allow me to clean up your Edit #2 patterns and suggest a single-call implementation.



    Code: (Demo)



    function sanitizer($string) {
    
    return preg_replace(['~[^p{L}p{N}_.:,!? -]+~u', '~ K +|.{3}K.+~'], '', $string);
    
}
    

    
$strings = [
    
    "1: Доброе утро - Dobraye ootro &       Good morning",
    
    "2: Добрый день => Dobriy den'....... (Good afternoon)"
    
];
    

    
foreach ($strings as $string) {
    
    echo sanitizer($string);
    
    echo "n---n";
    
}


    Output:



    1: Доброе утро- Dobraye ootro Good morning
    
---
    
2: Добрый день Dobriy den... Good afternoon
    
---


    I could have written a single piped pattern for preg_replace() but I wanted to make two passes over the string. 1. to remove any invalid characters then 2. to remove excessively long character sequences that may or may not have been formed by the first pass.



    Noteworthy pattern changes:




    1. [a-zA-Z0-9_] is more simply written as w however because you are using the u flag AND to prepare for PHP7.3's strict adherence to PCRE2, it is better two write out: p{L}p{N}_


    2. Avoid writing unnecessary slashes before characters without special meaning -- it only makes your pattern longer and harder to interpret. Character that normally have special meaning (like *, ?, +, etc) lose there special meaning inside of a character class [ ... ].


    3. Move your hyphen to the front or back of your negated character class to avoid the possibility of writing a range of character. (because your - came after a range of characters 0-9, this was a non-issue, but it is good advice to remember as a matter of best practice.


    4. K means "forget the previously matched substring" in other words, "start matching from here". This enables you to avoid a capture group and just truncate the unwanted characters by replacing the match with an empty string.



    p.s. You should still run your strtr() calls as your original post has done.






    share|improve this answer




























      0














      Allow me to clean up your Edit #2 patterns and suggest a single-call implementation.



      Code: (Demo)



      function sanitizer($string) {
      
    return preg_replace(['~[^p{L}p{N}_.:,!? -]+~u', '~ K +|.{3}K.+~'], '', $string);
      
}
      

      
$strings = [
      
    "1: Доброе утро - Dobraye ootro &       Good morning",
      
    "2: Добрый день => Dobriy den'....... (Good afternoon)"
      
];
      

      
foreach ($strings as $string) {
      
    echo sanitizer($string);
      
    echo "n---n";
      
}


      Output:



      1: Доброе утро- Dobraye ootro Good morning
      
---
      
2: Добрый день Dobriy den... Good afternoon
      
---


      I could have written a single piped pattern for preg_replace() but I wanted to make two passes over the string. 1. to remove any invalid characters then 2. to remove excessively long character sequences that may or may not have been formed by the first pass.



      Noteworthy pattern changes:




      1. [a-zA-Z0-9_] is more simply written as w however because you are using the u flag AND to prepare for PHP7.3's strict adherence to PCRE2, it is better two write out: p{L}p{N}_


      2. Avoid writing unnecessary slashes before characters without special meaning -- it only makes your pattern longer and harder to interpret. Character that normally have special meaning (like *, ?, +, etc) lose there special meaning inside of a character class [ ... ].


      3. Move your hyphen to the front or back of your negated character class to avoid the possibility of writing a range of character. (because your - came after a range of characters 0-9, this was a non-issue, but it is good advice to remember as a matter of best practice.


      4. K means "forget the previously matched substring" in other words, "start matching from here". This enables you to avoid a capture group and just truncate the unwanted characters by replacing the match with an empty string.



      p.s. You should still run your strtr() calls as your original post has done.






      share|improve this answer


























        0












        0








        0







        Allow me to clean up your Edit #2 patterns and suggest a single-call implementation.



        Code: (Demo)



        function sanitizer($string) {
        
    return preg_replace(['~[^p{L}p{N}_.:,!? -]+~u', '~ K +|.{3}K.+~'], '', $string);
        
}
        

        
$strings = [
        
    "1: Доброе утро - Dobraye ootro &       Good morning",
        
    "2: Добрый день => Dobriy den'....... (Good afternoon)"
        
];
        

        
foreach ($strings as $string) {
        
    echo sanitizer($string);
        
    echo "n---n";
        
}


        Output:



        1: Доброе утро- Dobraye ootro Good morning
        
---
        
2: Добрый день Dobriy den... Good afternoon
        
---


        I could have written a single piped pattern for preg_replace() but I wanted to make two passes over the string. 1. to remove any invalid characters then 2. to remove excessively long character sequences that may or may not have been formed by the first pass.



        Noteworthy pattern changes:




        1. [a-zA-Z0-9_] is more simply written as w however because you are using the u flag AND to prepare for PHP7.3's strict adherence to PCRE2, it is better two write out: p{L}p{N}_


        2. Avoid writing unnecessary slashes before characters without special meaning -- it only makes your pattern longer and harder to interpret. Character that normally have special meaning (like *, ?, +, etc) lose there special meaning inside of a character class [ ... ].


        3. Move your hyphen to the front or back of your negated character class to avoid the possibility of writing a range of character. (because your - came after a range of characters 0-9, this was a non-issue, but it is good advice to remember as a matter of best practice.


        4. K means "forget the previously matched substring" in other words, "start matching from here". This enables you to avoid a capture group and just truncate the unwanted characters by replacing the match with an empty string.



        p.s. You should still run your strtr() calls as your original post has done.






        share|improve this answer













        Allow me to clean up your Edit #2 patterns and suggest a single-call implementation.



        Code: (Demo)



        function sanitizer($string) {
        
    return preg_replace(['~[^p{L}p{N}_.:,!? -]+~u', '~ K +|.{3}K.+~'], '', $string);
        
}
        

        
$strings = [
        
    "1: Доброе утро - Dobraye ootro &       Good morning",
        
    "2: Добрый день => Dobriy den'....... (Good afternoon)"
        
];
        

        
foreach ($strings as $string) {
        
    echo sanitizer($string);
        
    echo "n---n";
        
}


        Output:



        1: Доброе утро- Dobraye ootro Good morning
        
---
        
2: Добрый день Dobriy den... Good afternoon
        
---


        I could have written a single piped pattern for preg_replace() but I wanted to make two passes over the string. 1. to remove any invalid characters then 2. to remove excessively long character sequences that may or may not have been formed by the first pass.



        Noteworthy pattern changes:




        1. [a-zA-Z0-9_] is more simply written as w however because you are using the u flag AND to prepare for PHP7.3's strict adherence to PCRE2, it is better two write out: p{L}p{N}_


        2. Avoid writing unnecessary slashes before characters without special meaning -- it only makes your pattern longer and harder to interpret. Character that normally have special meaning (like *, ?, +, etc) lose there special meaning inside of a character class [ ... ].


        3. Move your hyphen to the front or back of your negated character class to avoid the possibility of writing a range of character. (because your - came after a range of characters 0-9, this was a non-issue, but it is good advice to remember as a matter of best practice.


        4. K means "forget the previously matched substring" in other words, "start matching from here". This enables you to avoid a capture group and just truncate the unwanted characters by replacing the match with an empty string.



        p.s. You should still run your strtr() calls as your original post has done.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 16 '18 at 15:21









        mickmackusamickmackusa

        23.4k103658




        23.4k103658
































            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53336286%2fsecure-unicode-regex-in-php-for-text-field-submissions%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            List item for chat from Array inside array React Native

            Image
            0 This is my code for Chat Box, the window where I have "In" and "Out" messages are appearing. import React, { Component } from "react"; import { StyleSheet, Text, View, TouchableOpacity, TextInput, FlatList, Platform, AsyncStorage } from "react-native"; import Tutor from "../image/krutika.jpg"; import { Container, Header, Left, Input, Body, Right, Thumbnail, Button } from "native-base"; import FontAwesome from "react-native-vector-icons/FontAwesome"; import Ionicons from "react-native-vector-icons/Ionicons"; import Icon1 from "react-native-vector-icons/FontAwesome"; import axios from "axios"; export default class ChatBox extends Component { st...
            Read more

            Thiostrepton

            Image
            Thiostrepton [1] Names Other names Alaninamide, Bryamycin, Thiactin Identifiers CAS Number 1393-48-2   Y 3D model (JSmol) Interactive image ChEMBL ChEMBL468719   N ECHA InfoCard 100.014.304 PubChem CID 16130278 InChI InChI=1S/C72H85N19O18S5/c1-14-26(3)47-63(105)78-30(7)57(99)75-28(5)56(98)76-31(8)58(100)91-72-19-18-40(66-85-43(22-111-66)59(101)77-29(6)55(97)74-27(4)54(73)96)81-52(72)42-21-112-67(83-42)49(34(11)109-69(107)41-20-37(32(9)92)36-16-17-39(79-47)51(95)50(36)80-41)89-60(102)44-24-113-68(86-44)53(71(13,108)35(12)94)90-62(104)45-23-110-65(84-45)38(15-2)82-64(106)48(33(10)93)88-61(103)46-25-114-70(72)87-46/h15-17,20-22,24-26,30-35,39,45,47-49,51-53,79,92-95,108H,4-6,14,18-19,23H2,1-3,7-13H3,(H2,73,96)(H,74,97)(H,75,99)(H,76,98)(H,77,101)(H,78,105)(H,82,106)(H,88,103)(H,89,102)(H,90,104)(H,91,100)/b38-15-/t26-,30-,31-,32-,33+,34+,35+,39+,45+,47-,48-,49-,51-,52+,53+,71+,72+/m0/s1 Key: NSFFHOGKXHRQEW-AIHSUZKVSA-N ...
            Read more

            Caerphilly

            Image
            This article is about the town of Caerphilly. For the cheese of the same name, see Caerphilly cheese. For other uses, see Caerphilly (disambiguation). Caerphilly Welsh: Caerffili Caerphilly Castle Caerphilly Location within Caerphilly Population 30,388  OS grid reference ST1586 Principal area Caerphilly Ceremonial county Gwent Country Wales Sovereign state United Kingdom Post town CAERPHILLY Postcode district CF83 Dialling code 029 Police Gwent Fire South Wales Ambulance Welsh EU Parliament Wales UK Parliament Caerphilly Welsh Assembly Caerphilly List of places UK Wales Caerphilly 51°34′41″N 3°13′05″W  /  51.578°N 3.218°W  / 51.578; -3.218 Coordinates: 51°34′41″N 3°13′05″W  /  51.578°N 3.218°W  / 51.578; -3.218 Caerphilly ( / k aɪər ˈ f ɪ l i / ; Welsh: Caerffili , Welsh pronunciation:  [ˌkɑːɨrˈfɪlɪ] ) is a town and community in South Wales, at the southern end of the Rhymney Valley....
            Read more