Home/ Questions/Q 166425
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T12:05:44+00:00

Sometimes when a user is copying and pasting data into an input form we

  • 0

Sometimes when a user is copying and pasting data into an input form we get characters like the following:

didn’t,“ for beginning quotes and †for end quote, etc …

I use this routine to sanitize most input on web forms (I wrote it a while ago but am also looking for improvements):

function fnSanitizePost($data) //escapes,strips and trims all members of the post array {     if(is_array($data))     {     $areturn = array();     foreach($data as $skey=>$svalue)     {       $areturn[$skey] = fnSanitizePost($svalue);     }     return $areturn;   }   else     {       if(!is_numeric($data))         {             //with magic quotes on, the input gets escaped twice, which means that we have to strip those slashes. leaving data in your database with slashes in them, is a bad idea             if(get_magic_quotes_gpc()) //gets current configuration setting of magic quotes       {         $data = stripslahes($data);       }         $data = pg_escape_string($data); //escapes a string for insertion into the database         $data = strip_tags($data);  //strips HTML and PHP tags from a string       }         $data = trim($data);  //trims whitespace from beginning and end of a string       return $data;     } }

I really want to avoid characters like I mention above from ever getting stored in the database, do I need to add some regex replacements in my sanitizing routine?

Thanks,

- Nicholas

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. I finally came up with a routine for replacing these characters. It took parsing some of the problematic strings one character at a time and returning the octal value of each character. In doing so I learned that smart quote characters come back as sets of 3 octal values. Here is routine I used to parse the string:

    $str = 'string_with_smart_quote_chars';  $ilen = strlen($str); $sords = NULL;  echo '$str\n\n';  for($i=0; $i<$ilen; $i++) {     $sords .= ord(substr($str, $i, 1)).'  '; }  echo '$sords\n\n';

    Here are the str_replace() calls to ‘fix’ the string:

    $str = str_replace(chr(226).chr(128).chr(156), ''', $str); // start quote $str = str_replace(chr(226).chr(128).chr(157), ''', $str); // end quote $str = str_replace(chr(226).chr(128).chr(153), ''', $str); // for single quote

    I am going to continue building up an array of these search/replacements which I am sure will continue to grow with the increasing use of these types of characters.

    I know that there are some canned routines for replacing these but I had no luck with any of them on the Solaris 10 platform that my scripts are running on.

    — Nicholas

    • 0