PHP - Sanitise a comma separated string

What would be the most efficient way to clean a user input that is a comma separated string made entirely of numbers, e.g.

2,40,23,11,55

I use this function on a lot of my inputs

function clean($input){ $input=mysql_real_escape_string(htmlentities($input,ENT_QUOTES)); return $input; }

And on simple integers I do:

if (!filter_var($_POST['var'], FILTER_VALIDATE_INT)) {echo('error - bla bla'); exit;}

So should I explode it and then check every element of the array with the code above, or maybe replace all occurrences of ',' with '' and then check the whole thing is a number? What do you guys think?

Best answer
if (ctype_digit(str_replace(",", "", $input))) {
  //all ok. very strict. input can only contain numbers and commas. not even spaces
} else {
  //not ok
}

If it is CSV, and if there might be spaces around the digits or commas and maybe even some quotation marks, better use a regex to check if it matches.

Answers
if (!preg_match('/\A\d+(,\d+)*\z/', $input)) die('bad input');

If you want to transform a comma-separated list instead of simply rejecting it if it's not formed correctly, you could do it with array_map() and avoid writing an explicit loop.

$sanitized_input = implode(",", array_map("intval", explode(",", $input)));

I would filter instead of error checking on simple input, though only 'cause I'm lazy, I suppose, and usually in a web context there's way too many cases to handle on what could be coming in that I wouldn't expect: Simple filter below.

<?php
$input = '234kljsalkdfj234a,a, asldkfja 345345sd,f jasld,f234l2342323@#$@#';
function clean($dirty){ // Essentially allows numbers and commas, just strips everything else.
    return preg_replace('/[^0-9,]/', "", (string) $dirty);
}

$clean = clean($input);

echo $clean;
// Result: 234234,,345345,,2342342323
// Note how it doesn't deal with adjacent filtered-to-empty commas, though you could handle those in the explode.  *shrugs*

?>

Here's the code and the output on codepad:

http://codepad.org/YfSenm9k
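
An added example, not part of any answer above or of the original page: a stricter parser that returns the integers or null, so empty elements, a trailing newline, leading zeros and out-of-range values are all rejected rather than silently rewritten. The function name `parse_int_list` and the limits `$maxItems` and `$maxValue` are assumptions chosen for illustration, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Parse a comma separated list of non-negative integers.
 * Returns the integers, or null if the input is not strictly well formed.
 * Hypothetical helper; $maxItems and $maxValue are assumed limits.
 */
function parse_int_list(string $input, int $maxItems = 100, int $maxValue = 2147483647): ?array
{
    // Bound the element count before doing any per-element work.
    if (substr_count($input, ',') >= $maxItems) {
        return null;
    }
    // \A and \z anchor to the real start and end of the string;
    // "$" would also match just before a trailing newline.
    if (!preg_match('/\A\d{1,10}(?:,\d{1,10})*\z/', $input)) {
        return null;
    }
    $ids = [];
    foreach (explode(',', $input) as $part) {
        // FILTER_VALIDATE_INT rejects leading zeros and values outside the range.
        $n = filter_var($part, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => $maxValue]]);
        // Compare with === false: a valid "0" is falsy.
        if ($n === false) {
            return null;
        }
        $ids[] = $n;
    }
    return $ids;
}

// Constructed sample inputs (not from the original page).
$samples = ['2,40,23,11,55', '0', '1,,2', ',5', "1,2\n", '007,1', '4294967296', '1, 2'];
foreach ($samples as $s) {
    $ids = parse_int_list($s);
    printf("%-18s => %s\n", json_encode($s), $ids === null ? 'rejected' : implode(',', $ids));
}
```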




