Is this preg_replace correct?

Ok,

I want to let users add their Twitter to my site, and Twitter only allows alphanumeric characters + _ underscore in names.

Will this do?

$twitter = preg_replace("#[^a-zA-Z0-9_]#", "", $_REQUEST['twitter']);
GVNPublic123Asked:

andresdelfinoCommented:
What that line will do is remove any non-compliant characters from the user's input.

Please note that that's not the same as checking if the user has entered a correct username.

For example.

Given real username: andres_delfino
The user could accidentally enter: andres-delfino

You would be saving the wrong username: andresdelfino (since you are removing the offending -).

Plus, you lack the + in your regular expression: #[^a-zA-Z0-9_+]#

I strongly suggest you ask the user to correct his/her mistake should he/she make one.

In that case, preg_match is your friend:

preg_match("#^[a-zA-Z0-9_+]+$#", $_REQUEST['twitter'])


More information at: http://www.php.net/manual/en/function.preg-match.php
0
GVNPublic123Author Commented:
Oh no, I don't give a sh*t about checking, I'll just sanitize then verify on Twitter if it exists. No time to waste with stupid warnings.

So is my preg-match correct or not?
0
andresdelfinoCommented:
Sorry, your solution is not correct.

What I'm suggesting is that you ask the user to re-enter their Twitter account username should you find a non-compliant character.

In case you prefer not to do this, I strongly suggest you ignore usernames with non-compliant characters, showing an error to the user, since you can't sanitize them at all. Your solution removes non-compliant characters from the user's input, but that doesn't guarantee you a valid username at all, just that the characters used are correct. The example I shared with you earlier shows this.
0

GVNPublic123Author Commented:
Look, I only wanted to know, if this:
#[^a-zA-Z0-9_]#

Will wipe all illegal characters clean. The correctness of the username is then checked with Twitter along with name, followers, country etc etc... So why would I display a stupid message when I can just wipe and GUARANTEE correct entry. Or a wrong username is cancelled out with Twitter verification.
0
GVNPublic123Author Commented:
Thus it saves me a MySQL sanitization line of code :P
0
designatedinitializerCommented:
There's your code.
$sanitized = preg_replace("#[^a-zA-Z0-9_]+#","",$input);


(Notice you were lacking the replacement string, in this case "", and that the + sign must be after the closing square brackets.)
0
andresdelfinoCommented:
Add + to your string (#[^a-zA-Z0-9_+]#), and yes, it will wipe all illegal characters clean.
0
andresdelfinoCommented:
Sorry, from your first post, I understood that Twitter also accepts "+" in usernames. But now I understand what you mean by it.

So, yes, your string is perfect.
0

designatedinitializerCommented:
I hate to burst your bubble... but like I said before, that + must be outside the square brackets.
As is, that expression will also allow plus signs...
0
andresdelfinoCommented:
Indeed, "+" must not be inside the square brackets. Like I said in my last post, I wrongly understood that "+" was a valid character, but later realized what GVNPublic123 meant by saying "+" in his/her first post. That's why, in my last post, I stated that the correct string is the one GVNPublic123 showed in his/her first post.

Also, the "+" is not needed outside the square brackets, since PHP will search for any of the characters not in that sequence and delete them. Doesn't matter how many of them it finds. You can try this here: http://www.solmetra.com/scripts/regex/index.php
0
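
The three regex variants debated in this thread, run side by side with a validating alternative, as an added example that is not code from any of the participants. The function names and sample inputs are constructed for illustration; the `\A...\z` anchors are a choice made in this example, not part of any answer above.

```php
<?php
// Added example, not code from the thread. All sample inputs are constructed.

// The asker's approach: strip everything outside [a-zA-Z0-9_].
function strip_handle(string $input): string
{
    return preg_replace('#[^a-zA-Z0-9_]#', '', $input);
}

// "+" inside the class: "+" becomes an allowed character and survives stripping.
function strip_handle_plus_inside(string $input): string
{
    return preg_replace('#[^a-zA-Z0-9_+]#', '', $input);
}

// "+" as a quantifier after the class: same output as strip_handle(),
// it only removes runs of bad characters in one match instead of one by one.
function strip_handle_plus_outside(string $input): string
{
    return preg_replace('#[^a-zA-Z0-9_]+#', '', $input);
}

// Validation instead of stripping. \A and \z anchor at the true start and end
// of the string; "$" would also match just before a trailing newline.
function is_valid_handle(string $input): bool
{
    return preg_match('#\A[a-zA-Z0-9_]+\z#', $input) === 1;
}

$samples = ["andres_delfino", "andres-delfino", "a+b", "name\n", "<b>x</b>", ""];

foreach ($samples as $s) {
    printf(
        "%-18s strip=%-15s plus_in=%-15s plus_out=%-15s valid=%s\n",
        json_encode($s),
        strip_handle($s),
        strip_handle_plus_inside($s),
        strip_handle_plus_outside($s),
        is_valid_handle($s) ? 'yes' : 'no'
    );
}

// Stripping silently turns the mistyped name into a different account name.
var_dump(strip_handle("andres-delfino") === "andresdelfino");
// The "^...$" form accepts a trailing newline; the \A...\z form rejects it.
var_dump(preg_match('#^[a-zA-Z0-9_]+$#', "name\n") === 1);
var_dump(is_valid_handle("name\n"));
```

Stripping can also leave an empty string (last sample), so the stored value still needs a non-empty check, and the database write should use a bound parameter regardless of what the regex removed.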