Remove control characters from PHP string

Question

How can I remove control characters like STX from a PHP string? I played around with

preg_replace("/[^a-zA-Z0-9 .\-_;!:?äÄöÖüÜß<>='\"]/","",$pString)

but found that it removed way to much. Is there a way to remove only control chars?

Answer 1

If you mean by control characters the first 32 ascii characters and \x7F (that includes the carriage return, etc!), then this will work:

preg_replace('/[\x00-\x1F\x7F]/', '', $input);

(Note the single quotes: with double quotes the use of \x00 causes a parse error, somehow.)

The line feed and carriage return (often written \r and \n) may be saved from removal like so:

preg_replace('/[\x00-\x09\x0B\x0C\x0E-\x1F\x7F]/', '', $input);

I must say that I think Bobby's answer is better, in the sense that [:cntrl:] better conveys what the code does than [\x00-\x1F\x7F].

WARNING: ereg_replace is deprecated in PHP >= 5.3.0 and removed in PHP >= 7.0.0!, please use preg_replace instead of ereg_replace:

preg_replace('/[[:cntrl:]]/', '', $input);

Answer 2

For Unicode input, this will remove all control characters, unassigned, private use, formatting and surrogate code points (that are not also space characters, such as tab, new line) from your input text. I use this to remove all non-printable characters from my input.

<?php
$clean = preg_replace('/[^\PC\s]/u', '', $input);

for more info on \p{C} see http://www.regular-expressions.info/unicode.html#category

Answer 3

PHP does support POSIX-Classes so you can use [:cntrl:] instead of some fancy character-magic-stuff:

ereg_replace("[:cntrl:]", "", $pString);

Edit:

A extra pair of square brackets might be needed in 5.3.

ereg_replace("[[:cntrl:]]", "", $pString);

Answer 4

TLDR Answer

Use this Regex...

/[^\PCc^\PCn^\PCs]/u

Like this...

$text = preg_replace('/[^\PCc^\PCn^\PCs]/u', '', $text);

TLDR Explanation

• ^\PCc : Do not match control characters.
• ^\PCn : Do not match unassigned characters.
• ^\PCs : Do not match UTF-8-invalid characters.

Working Demo

Simple demo to demonstrate: IDEOne Demo

$text = "\u{0019}hello";
print($text . "\n\n");
$text = preg_replace('/[^\PCc^\PCn^\PCs]/u', '', $text);
print($text);

Output:

(-Broken-Character)hello
hello

Alternatives

• ^\PC : Match only visible characters. Do not match any invisible characters.
• ^\PCc : Match only non-control characters. Do not match any control characters.
• ^\PCc^\PCn : Match only non-control characters that have been assigned. Do not match any control or unassigned characters.
• ^\PCc^\PCn^\PCs : Match only non-control characters that have been assigned and are UTF-8 valid. Do not match any control, unassigned, or UTF-8-invalid characters.
• ^\PCc^\PCn^\PCs^\PCf : Match only non-control, non-formatting characters that have been assigned and are UTF-8 valid. Do not match any control, unassigned, formatting, or UTF-8-invalid characters.

Source and Explanation

Take a look at the Unicode Character Properties available that can be used to test within a regex. You should be able to use these regexes in Microsoft .NET, JavaScript, Python, Java, PHP, Ruby, Perl, Golang, and even Adobe. Knowing Unicode character classes is very transferable knowledge, so I recommend using it!

This regex will match anything visible, given in both its short-hand and long-hand form...

\PL\PM\PN\PP\PS\PZ
\PLetter\PMark\PNumber\PPunctuation\PSymbol\PSeparator

Normally, \p indicates that it's something we want to match and we use \P (capitalized) to indicate something that does not match. But PHP doesn't have this functionality, so we need to use ^ in the regex to do a manual negation.

A simpler regex then would be ^\PC, but this might be too restrictive in deleting invisible formatting. You may want to look closely and see what's best, but one of the alternatives should fit your needs.

All Matchable Unicode Character Sets

If you want to know any other character sets available, check out regular-expressions.info...

• \PL or \PLetter: any kind of letter from any language.
  • \PLl or \PLowercase_Letter: a lowercase letter that has an uppercase variant.
  • \PLu or \PUppercase_Letter: an uppercase letter that has a lowercase variant.
  • \PLt or \PTitlecase_Letter: a letter that appears at the start of a word when only the first letter of the word is capitalized.
  • \PL& or \PCased_Letter: a letter that exists in lowercase and uppercase variants (combination of Ll, Lu and Lt).
  • \PLm or \PModifier_Letter: a special character that is used like a letter.
  • \PLo or \POther_Letter: a letter or ideograph that does not have lowercase and uppercase
• \PM or \PMark: a character intended to be combined with another character (e.g. accents, umlauts, enclosing boxes, etc.).
  • \PMn or \PNon_Spacing_Mark: a character intended to be combined with another character without taking up extra space (e.g. accents, umlauts, etc.).
  • \PMc or \PSpacing_Combining_Mark: a character intended to be combined with another character that takes up extra space (vowel signs in many Eastern languages).
  • \PMe or \PEnclosing_Mark: a character that encloses the character it is combined with (circle, square, keycap, etc.).
• \PZ or \PSeparator: any kind of whitespace or invisible separator.
  • \PZs or \PSpace_Separator: a whitespace character that is invisible, but does take up space.
  • \PZl or \PLine_Separator: line separator character U+2028.
  • \PZp or \PParagraph_Separator: paragraph separator character U+2029.
• \PS or \PSymbol: math symbols, currency signs, dingbats, box-drawing characters, etc.
  • \PSm or \PMath_Symbol: any mathematical symbol.
  • \PSc or \PCurrency_Symbol: any currency sign.
  • \PSk or \PModifier_Symbol: a combining character (mark) as a full character on its own.
  • \PSo or \POther_Symbol: various symbols that are not math symbols, currency signs, or combining characters.
• \PN or \PNumber: any kind of numeric character in any script.
  • \PNd or \PDecimal_Digit_Number: a digit zero through nine in any script except ideographic scripts.
  • \PNl or \PLetter_Number: a number that looks like a letter, such as a Roman numeral.
  • \PNo or \POther_Number: a superscript or subscript digit, or a number that is not a digit 0–9 (excluding numbers from ideographic scripts).
• \PP or \PPunctuation: any kind of punctuation character.
  • \PPd or \PDash_Punctuation: any kind of hyphen or dash.
  • \PPs or \POpen_Punctuation: any kind of opening bracket.
  • \PPe or \PClose_Punctuation: any kind of closing bracket.
  • \PPi or \PInitial_Punctuation: any kind of opening quote.
  • \PPf or \PFinal_Punctuation: any kind of closing quote.
  • \PPc or \PConnector_Punctuation: a punctuation character such as an underscore that connects words.
  • \PPo or \POther_Punctuation: any kind of punctuation character that is not a dash, bracket, quote or connector.
• \PC or \POther: invisible control characters and unused code points.
  • \PCc or \PControl: an ASCII or Latin-1 control character: 0x00–0x1F and 0x7F–0x9F.
  • \PCf or \PFormat: invisible formatting indicator.
  • \PCo or \PPrivate_Use: any code point reserved for private use.
  • \PCs or \PSurrogate: one half of a surrogate pair in UTF-16 encoding.
  • \PCn or \PUnassigned: any code point to which no character has been assigned.

Answer 5

To keep the control characters but make them compatible for JSON, I had to to

$str = preg_replace(
    array(
        '/\x00/', '/\x01/', '/\x02/', '/\x03/', '/\x04/',
        '/\x05/', '/\x06/', '/\x07/', '/\x08/', '/\x09/', '/\x0A/',
        '/\x0B/','/\x0C/','/\x0D/', '/\x0E/', '/\x0F/', '/\x10/', '/\x11/',
        '/\x12/','/\x13/','/\x14/','/\x15/', '/\x16/', '/\x17/', '/\x18/',
        '/\x19/','/\x1A/','/\x1B/','/\x1C/','/\x1D/', '/\x1E/', '/\x1F/'
    ), 
    array(
        "\u0000", "\u0001", "\u0002", "\u0003", "\u0004",
        "\u0005", "\u0006", "\u0007", "\u0008", "\u0009", "\u000A",
        "\u000B", "\u000C", "\u000D", "\u000E", "\u000F", "\u0010", "\u0011",
        "\u0012", "\u0013", "\u0014", "\u0015", "\u0016", "\u0017", "\u0018",
        "\u0019", "\u001A", "\u001B", "\u001C", "\u001D", "\u001E", "\u001F"
    ), 
    $str
);

(The JSON rules state: “All Unicode characters may be placed within the quotation marks except for the characters that must be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F).”)

Answer 6

regex free method

If you are only zapping the control characters I'm familiar with (those under 32 and 127), try this out:

 for($control = 0; $control < 32; $control++) {
     $pString = str_replace(chr($control), "", $pString;
 }

$pString = str_replace(chr(127), "", $pString;

The loop gets rid of all but DEL, which we just add to the end.

I'm thinking this will be a lot less stressful on you and the script then dealing with regex and the regex library.

Updated regex free method

Just for kicks, I came up with another way to do it. This one does it using an array of control characters:

$ctrls = range(chr(0), chr(31));
$ctrls[] = chr(127);

$clean_string = str_replace($ctrls, "", $string);