transparencia, posted January 4, 2009:

Hello! Is this well written?

    preg_split("/[\s.,_\"\'\%\>\<?!-]/", $kernel->vars['string']);

What other characters should I filter to prevent an SQL injection or other exploit?
corbin, posted January 4, 2009:

The only character that you 'must' filter is '. Do you want to filter for some other reason? If you want to escape HTML, just use htmlentities().
.josh, posted January 4, 2009:

lol why are you using preg_split? preg_split is a regex version of explode. All it does is take a string and split it up into an array, based on a pattern. So for example, if you have this:

    $string = "What's up, doc? Nothin' much, man...";

and you do this:

    $string = preg_split("/[\s.,_\"\'\%\>\<?!-]/", $string);

you're going to end up with this:

    Array
    (
        [0] => What
        [1] => s
        [2] => up
        [3] =>
        [4] => doc
        [5] =>
        [6] => Nothin
        [7] =>
        [8] => much
        [9] =>
        [10] => man
        [11] =>
        [12] =>
        [13] =>
    )

Unless you are wanting your data to be a specific format (like for instance, the data is a username and you only want it to contain alphanumeric characters), the goal should be to escape characters, not remove them. Otherwise, you're going to find yourself storing a whole lot of Swiss-cheesed data.
transparencia (author), posted January 4, 2009:

I know! The string is a search string; I chose to separate the words to do a MySQL full-text AND search (search Word1 AND Word2 AND Word3, etc.). All words in the string must appear in the results. That is the reason I want to prevent SQL injection and exploits, because the string is input directly into the database. So I guess, if only ' needs to be cut out, I could do it like this (with the other %>< while I'm at it, just to be sure)?

    preg_split("/[\s.,_'%><?!-]/", $kernel->vars['string']);
corbin, posted January 4, 2009:

http://php.net/mysql_real_escape_string

I would just escape all of the parts.
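One way to put the thread's advice together, as an added example that is not code from either poster: split the search string with the same delimiter class, drop the empty pieces .josh points out, keep only alphanumeric terms, and hand each word to MySQL as a bound parameter instead of concatenating it (prepared statements via PDO rather than the mysql_real_escape_string() corbin links, since the mysql_ extension no longer exists in current PHP). The table and column names (`articles`, `body`) and PHP 7.4+ are assumptions.

```php
<?php
// Added example, not from the thread. Assumes table `articles` with a
// FULLTEXT index on column `body`, and PHP 7.4+ (arrow functions).

function splitSearchTerms(string $input, int $maxTerms = 10): array
{
    // Same delimiter class as the original post; the trailing '+' and
    // PREG_SPLIT_NO_EMPTY stop adjacent delimiters yielding empty strings.
    $parts = preg_split("/[\s.,_\"'%><?!-]+/", $input, -1, PREG_SPLIT_NO_EMPTY);
    // Allowlist: a search term is letters and digits only (so "1=1" or
    // "--" never reach the query), then dedupe and cap the term count so a
    // long query string cannot become an unbounded chain of MATCH clauses.
    $terms = array_filter($parts, fn($t) => preg_match('/^[\p{L}\p{N}]+$/u', $t) === 1);
    return array_slice(array_values(array_unique($terms)), 0, $maxTerms);
}

function buildFullTextAndQuery(array $terms): array
{
    if ($terms === []) {
        return ['SELECT id, body FROM articles WHERE 0 = 1', []];
    }
    // One "MATCH ... AGAINST(?)" per word, joined with AND, so every word
    // must appear; the SQL text itself never contains user input.
    $clauses = array_fill(0, count($terms), 'MATCH(body) AGAINST(?)');
    $sql = 'SELECT id, body FROM articles WHERE ' . implode(' AND ', $clauses);
    return [$sql, $terms];
}

// Offline demonstration on a constructed input that carries a quote and
// injection-style syntax.
[$sql, $params] = buildFullTextAndQuery(
    splitSearchTerms("What's up, doc? ' OR 1=1 -- man...")
);
echo $sql, "\n";   // placeholders only
print_r($params);  // ["What", "s", "up", "doc", "OR", "man"] travel as bound values

// With a live connection (assumed DSN and credentials):
// $pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//                 [PDO::ATTR_EMULATE_PREPARES => false]);
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Note that MySQL's full-text index ignores words shorter than its minimum token length (ft_min_word_len for MyISAM, innodb_ft_min_token_size for InnoDB), so a one-letter term such as the "s" left over from "What's" will match nothing and make the AND chain return no rows; filter by length if that matters for your search.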