I’m developing a PHP function to process submissions from a web form.
Allowed characters are strictly alphanumeric, a-b, 0-9.
Is it safe to rely on preg_replace with a regular expression to clean this data prior to processing and insertion into a database?
I’ve looked at a lot of the regular PHP data sanitization options I see talked about, but as the system design strictly prohibits the use or storage of non-alphanumeric characters, I think it would be easier to strip anything that doesn’t match /[^a-zA-Z\s-0-9.,’]/ from the outset.
Am I on the right track here?
If you are only permitting alphanumeric characters to be stored in your database, rather than strip off invalid characters, you are better off to return an error to your users for having supplied invalid input. This way, your users won’t become confused when they see their data displayed back to them in a different form than they originally entered it.
In other words, validate the input with preg_match() to be sure it meets your requirements, and if not, return an error to the user so they can fix it. Then escape it for insertion into the database or use a prepared statement.
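The validate-then-prepare approach described in this answer, as an added example that is not part of the original question or answer. The function names, the `submissions` table and its `value` column are assumptions; an in-memory SQLite database stands in for the real one so the script runs on its own (it needs the pdo_sqlite extension).

```php
<?php
// Added example (not from the original question or answer). Assumes a PDO
// connection; an in-memory SQLite database is used here so the script runs
// stand-alone (requires the pdo_sqlite extension).

// Whitelist pattern: the whole value must be alphanumeric, nothing else.
// The anchors ^ and $ matter: without them "ab<c" would still match.
const ALLOWED_PATTERN = '/^[a-zA-Z0-9]+$/';

// Validate rather than silently strip: true only if the input already meets
// the requirement, so the user sees exactly what they typed echoed back.
function is_valid_submission(string $value): bool
{
    return preg_match(ALLOWED_PATTERN, $value) === 1;
}

// The stripping approach from the question, shown for comparison: "ab<c"
// quietly becomes "abc", which is what confuses users later.
function strip_invalid(string $value): string
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $value);
}

// Insert with a prepared statement; the value is bound as data and never
// concatenated into the SQL text, so escaping is not the application's job.
function store_submission(PDO $pdo, string $value): void
{
    if (!is_valid_submission($value)) {
        throw new InvalidArgumentException(
            'Only letters and digits are allowed; please correct your input.');
    }
    $stmt = $pdo->prepare('INSERT INTO submissions (value) VALUES (:value)');
    $stmt->execute([':value' => $value]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, value TEXT NOT NULL)');

// Constructed sample inputs: one clean, two with characters outside the whitelist.
foreach (['Order42', 'ab<c', "O'Brien"] as $input) {
    printf("%-10s strip -> %-8s ", json_encode($input), strip_invalid($input));
    try {
        store_submission($pdo, $input);
        echo "stored\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only the first input is stored; the other two are rejected with a message the form can show, instead of being altered on the way in.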