-1

I need to clean characters from a string, and I want only numbers / Persian / Latin.

function clean($str) {
    global $mysqli;
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysqli_real_escape_string($mysqli,preg_replace("/^(?!.*[(@#!%$&*)])[A-Za-z\s\x{0600}-\x{06FF}0-9_\.\-]+$/u","",$str));
}

echo clean('a|"bc!@£d012e^&$ییییfg'); 

I want this => // echo abcd012eییییfg

I don't want to have any of => ( @,#,!,%,$,&,|,",£,^* )
sharven
  • 18
  • 1
  • I'm a bit daft about Persian characters, but keeping only numbers/Latin would be something like: `preg_replace("/[^0-9a-zA-Z]/","",$str)`. Perhaps you can indicate a similar range for Persian characters (no idea if it will work). – apokryfos Mar 30 '16 at 14:54

2 Answers

0

Give this a spin. It only uses regular expressions:

function clean($str){
   $re = "/([0-9a-zA-Z\x{600}-\x{6FF}])/u";
   preg_match_all($re, $str, $matches);
   return isset($matches[0]) ? implode($matches[0]) : '';
}

echo clean('a|"bc!@£d012e^&$ییییfg');
// output: abcd012eییییfg
echo clean('a|"bc!@Β£d艾β012艾e^&$ییییfg');
// output: abcd012eییییfg

As pointed out here, the Persian chars are between 600 and 6FF.

You can see it here: https://3v4l.org/arLMj

Community
  • 1
  • 1
Alex Tartan
  • 6,736
  • 10
  • 34
  • 45
  • This allows more languages than the question requires, e.g. a|"bc!@Β£d艾β012艾e^&$ییییfg' will include the Greek and Chinese characters as well. – apokryfos Mar 30 '16 at 15:08
  • My bad. Did some digging and found the range for Persian chars. I've updated the answer – Alex Tartan Mar 30 '16 at 15:17
0

You can try the following regular expression:

function clean($mysqli,$str) {
    //global $mysqli;   //pass this as a parameter
    if (!is_string($str)) {
        return ""; 
    }
    $str = trim($str);  //Don't need to suppress errors 
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysqli_real_escape_string($mysqli,preg_replace("/[^0-9a-zA-Z\x{600}-\x{6FF}]/u","",$str));
}

As an added note:

Do not use mysqli_real_escape_string as a means to sanitize user input; it cannot be trusted, especially not when dealing with UTF-8 input. Use prepared statements instead.

To elaborate:

Assume you have code:

  $sql = "INSERT INTO table VALUES(".clean($value).")";

Change it to:

  $sql = "INSERT INTO table VALUES(?)";

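  // bind_param() binds by reference, so the filtered value must be in a variable
  $filtered = preg_replace("/[^0-9a-zA-Z\x{600}-\x{6FF}]/u","",$value);
  if ($stmt = $mysqli->prepare($sql)) {
       $stmt->bind_param("s", $filtered); //MySQL will clean it up.
       $stmt->execute();
  }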
apokryfos
  • 38,771
  • 9
  • 70
  • 114
  • global $mysqli; //Avoid this. globals are evil. $str = @trim($str); //Don't suppress errors. That's also evil. You did not understand that I must use this method – sharven Mar 30 '16 at 15:39
  • What way do you recommend? – sharven Mar 30 '16 at 15:42
  • You must use `trim`. I get that; however, you don't need to do `@trim`, there's no reason. If trim fails it's best you know about it rather than assume it worked and then get an error further down. – apokryfos Mar 30 '16 at 16:10
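Added example, not part of the original question or answers: the allowlist from the answers wrapped so that malformed UTF-8 is rejected rather than passed on as `null` (with the `/u` modifier `preg_replace()` returns `null` on invalid UTF-8). The function name `keepAllowed()` and the sample inputs are constructed for this illustration. The samples also show what the U+0600–U+06FF range does in practice: it keeps Arabic punctuation and Persian digits, and it drops the zero-width non-joiner (U+200C) used inside Persian words.

```php
<?php
// Added illustration; keepAllowed() and all sample inputs are constructed.

/**
 * Keep only ASCII letters, ASCII digits and code points U+0600..U+06FF
 * (the range used in the answers above).
 * Returns null when the input is not a string or is not valid UTF-8,
 * so the caller can reject the request instead of storing null/garbage.
 */
function keepAllowed($str): ?string
{
    if (!is_string($str)) {
        return null;
    }
    // preg_match('//u', ...) returns 1 only for well-formed UTF-8.
    if (preg_match('//u', $str) !== 1) {
        return null;
    }
    // Negated class: delete every code point that is NOT on the allowlist.
    $out = preg_replace('/[^0-9a-zA-Z\x{0600}-\x{06FF}]/u', '', trim($str));
    return is_string($out) ? $out : null;   // null here means a PCRE error
}

$samples = [
    'sample from the question' => 'a|"bc!@£d012e^&$ییییfg',
    'invalid UTF-8 byte'       => "abc\xFFdef",
    'ZWNJ inside a word'       => "می\u{200C}خواهم",
    'Arabic comma + digits'    => "x\u{060C}\u{06F1}\u{06F2}",
];

foreach ($samples as $label => $input) {
    $clean = keepAllowed($input);
    if ($clean === null) {
        echo $label, ": REJECTED\n";
        continue;
    }
    // The filter is input validation only. When the value goes into SQL,
    // bind it as a parameter of a prepared statement, as in the answer above.
    echo $label, ': ', $clean, ' (', strlen($clean), " bytes)\n";
}
```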