
I am trying to remove special characters from a string.

The user enters text into a WYSIWYG editor and clicks save, then the data is saved in the DB.

However, if the ' is entered (e.g. in the word don't), the script fails.

I have tried the below but it isn't working, can anyone advise?

$content = $_POST['content'];

function clean($content) {
    $string = str_replace(' ', '-', $content); // Replaces all spaces with hyphens.
    $string = preg_replace('/[^A-Za-z0-9\-]/', '', $string); // Removes special chars from the hyphenated string.

    return preg_replace('/-+/', '-', $string); // Replaces multiple hyphens with single one.
}

$string = clean($content); // Run the cleanup so $string is defined before the query.

$result = mysql_query("update TABLE set content='$string' WHERE id='$id'");
  • use addslashes() http://php.net/manual/en/function.addslashes.php or htmlspecialchars() http://php.net/manual/en/function.htmlspecialchars.php; also an important command for such things, for protection from MySQL injection, is mysql_real_escape_string – Aleksandar Vasić Aug 06 '15 at 10:09
  • You wouldn't have this issue with mysqli :P – zanderwar Aug 06 '15 at 10:10
  • @AleksandarVasić - Thanks –  Aug 06 '15 at 10:12
  • @Zanderwar - Can you show me how I would use MySqli for this snippet? –  Aug 06 '15 at 10:12
  • Don't use addslashes, you will be left with unwanted slashes I can guarantee you that. stripslashes() would have unexpected results as well – zanderwar Aug 06 '15 at 10:13
  • Sure, I'll update my answer – zanderwar Aug 06 '15 at 10:14
  • @Zanderwar - I tried addslashes and it didn't leave any unwanted slashes? –  Aug 06 '15 at 10:15
  • Speaking from experience of course. I also was once myself someone who never wanted to use MySQLi, but it makes life easier and I would never turn back to `mysql_*` – zanderwar Aug 06 '15 at 10:20
  • I prefer PDO, since MySQLi queries sometimes fail for no reason at all :) – Aleksandar Vasić Aug 06 '15 at 10:22
  • possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Lumen Aug 06 '15 at 10:22
  • @Lumen read the question before you flag duplicates, OP mentions no inquiry about SQL injection prevention, it's just an upside of the outcome. – zanderwar Aug 07 '15 at 02:47

2 Answers


You should use: http://php.net/manual/en/function.mysql-real-escape-string.php

As it will automatically escape any special characters and help towards preventing SQL injection.

Please pay attention to the big red banner on that page that strongly advises that MySQL is deprecated and to use MySQLi instead.

A MySQLi example would be:

$Sql = new MySQLi("localhost", "username", "password", "database_name");

// Placeholders (?) are filled by bind_param, so the content is never interpolated into the SQL text.
$stmt = $Sql->prepare("UPDATE table SET content = ? WHERE id = ?");
$stmt->bind_param('si', $string, $id); // 's' = string for content, 'i' = integer for id
$stmt->execute();
$stmt->close();
zanderwar

There are many ways to remove unwanted characters from strings.

addslashes() will add slashes before single and double quotes http://php.net/manual/en/function.addslashes.php; htmlspecialchars() will convert all problematic characters to HTML code http://php.net/manual/en/function.htmlspecialchars.php

And finally, the most important thing is that your code is now vulnerable to MySQL injection; to prevent that, use mysql_real_escape_string(), which will remove all chars that can cause problems http://php.net/manual/en/function.mysql-real-escape-string.php

You should also think about switching to MySQLi or PDO (I prefer PDO), because with them you get prepared statements, and you'll never have such problems, nor security problems. MySQL is deprecated, and your script won't work in the future.
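As an added example (not code from the question or from either answer), here is the asker's UPDATE done with the PDO prepared statements this answer recommends, with the quote in "don't" stored intact and no escaping function involved. It assumes an in-memory SQLite database and a made-up `posts` table so it runs stand-alone; the asker's real DSN would point at MySQL instead.

```php
<?php
// Added example: PDO prepared statement for the UPDATE discussed above.
// SQLite in memory is an assumption so this runs without a server; for
// MySQL the DSN would be "mysql:host=localhost;dbname=database_name".
declare(strict_types=1);

// The asker's clean() with each step feeding the next (slug-style cleanup).
function clean(string $content): string {
    $string = str_replace(' ', '-', $content);               // spaces -> hyphens
    $string = preg_replace('/[^A-Za-z0-9\-]/', '', $string); // drop other chars
    return preg_replace('/-+/', '-', $string);               // collapse hyphen runs
}

// Update a row by id. $content is passed as a bound value, never spliced into
// the SQL text, so a single quote in the input cannot change the statement.
function updateContent(PDO $db, int $id, string $content): int {
    $stmt = $db->prepare('UPDATE posts SET content = :content WHERE id = :id');
    $stmt->bindValue(':content', $content, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows updated
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT)');
$db->exec("INSERT INTO posts (id, content) VALUES (1, 'placeholder')");

// Constructed sample input standing in for $_POST['content'].
$userInput = "don't panic; it's <b>fine</b>";

// Stored verbatim: apostrophes and the ; survive the round trip unchanged.
$rows = updateContent($db, 1, $userInput);
$saved = $db->query('SELECT content FROM posts WHERE id = 1')->fetchColumn();
var_dump($rows === 1 && $saved === $userInput);

// If the asker really wants the hyphenated/stripped form, clean first, then bind.
$rows = updateContent($db, 1, clean($userInput));
$saved = $db->query('SELECT content FROM posts WHERE id = 1')->fetchColumn();
var_dump($saved);
```

Binding the value keeps the data and the SQL separate, which is why the first answer's MySQLi snippet and this PDO version both need neither addslashes() nor mysql_real_escape_string().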