Home/ Questions/Q 609885
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T17:36:53+00:00

I have a form field that includes a mixture of HTML and text. I

  • 0

I have a form field that includes a mixture of HTML and text. I want users to be able to use basic HTML and punctuation.

Currently I am using mysql_real_escape_string and preg_replace to sanitise the data and insert it into the database. My understanding is that preg_replace is the best way to strip any characters that are not in a white list of allowed characters and that mysql_real_escape_string protects from SQL injection.

//How I collect and sanitise the data...
$var=mysql_real_escape_string(
 preg_replace("/[^A-Za-z0-9-?!$#@()\"'.:;\\@,_ =\/<> ]/",'',$_POST['var'])
);

However, it keeps breaking when the hash character is used.

My questions are:

1) Is there a more efficient way to do this?

2) If this is the best way, what am I doing wrong?

The characters that I need to allow are: all alphanumeric characters and:

? ! @ # $ % & ( ) – . , : ; ‘ ” < > / + =

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Since many non-alphanumeric characters have special meanings in a regex, you should escape all of them. So

    preg_replace("/[^A-Za-z0-9-?!$#@()\"'.:;\\@,_ =\/<> ]/",'',$_POST['var'])

    becomes (there are a few that probably don’t need escaping, but it doesn’t hurt)

    preg_replace("/[^A-Za-z0-9-\?\!\$\#\@\(\)\"\'\.\:\;\\@\,\_ \=\/\<\> ]/",'',$_POST['var'])
    • 0