What chars are considered safe?

From: Derek Fountain (nospam_at_example.com)
Date: 02/28/05


Date: Mon, 28 Feb 2005 08:13:56 +0800

I was just writing a sanitisation routine for a bit of user input. The data is
an English text description of a product, and will go into a DB, then back
out to other users' browsers.

As per normal practice, I was working on the basis of leaving in all
characters that I considered safe and stripping out everything else. This
led me to think of what characters are actually safe, given that the user
will want to be able to use at least basic punctuation, currency symbols
and so on. Avoiding < and > seemed obvious, but most other things have a
use, I think.

My current line looks like this:

// Strip everything not in the class. Inside a PCRE character class [ and ] must be
// escaped and - must come last (or be escaped), otherwise "_-+" is read as a range.
$data = preg_replace( '/[^\s\w\d@"\'()\[\]{}:#~!$%&*_+.,-]/', "", $data );

(Note that's a list of chars that are *not* to be replaced.) Are any of
these dangerous? Or have I left out some that are harmless and should be in
there?

-- 
The email address used to post is a spam pit. Contact me at
http://www.derekfountain.org : Derek Fountain
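Added example, not from the original post: the allow-list from the question with a working character class, followed by the output-side encoding the stored text still needs before it is placed in other users' pages (quotes and parentheses pass the filter, so the browser context has to be handled at render time). Function and constant names are this example's own; it assumes PHP with the standard PCRE and htmlspecialchars functions.

```php
<?php
// Allow-list from the question: whitespace, word characters and basic
// punctuation. '[' and ']' are escaped and '-' is placed last so PCRE
// does not treat it as a range.
const DISALLOWED_CLASS = '/[^\s\w@"\'()\[\]{}:#~!$%&*_+.,-]/';

// Input-side filter: drop every character outside the allow-list.
function sanitise_description(string $data): string
{
    $clean = preg_replace(DISALLOWED_CLASS, '', $data);
    // preg_replace returns null when the pattern itself is invalid;
    // fail loudly rather than storing nothing.
    if ($clean === null) {
        throw new RuntimeException('preg_replace failed, error ' . preg_last_error());
    }
    return $clean;
}

// Output-side encoding: the stored text is rendered inside HTML, so encode
// for that context here instead of relying on the input filter alone.
// Double quotes and single quotes both survive the filter above, which is
// why ENT_QUOTES matters when the text lands in an attribute.
function render_description(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input mixing allowed and disallowed characters.
$input  = 'Widget "Pro" (v2) - £9.99 <b>new</b> & more!';
$stored = sanitise_description($input);   // the pound sign, <, > and / are removed
$html   = render_description($stored);    // quotes and & are entity-encoded
echo $stored, PHP_EOL, $html, PHP_EOL;
```

Note that without the `u` modifier `\w` matches ASCII word characters only, so the currency symbol in the sample is stripped; a description field that must keep such symbols needs the pattern adjusted for that.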
