I am writing a simple field reporting web app that only accepts a small number of characters.
I have read that preg_replace has a negative effect on performance.
This is a problem because I want to loop through all $_POST and $_GET variables to sanitize them and some of my forms have many fields.
Is there a faster way to whitelist?
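For example:

    if (isset($_GET["test_1"]) && isset($_GET["test_2"])) {
        // Pieces are joined with "." so no newline ends up in the whitelist.
        $white_list = str_split('0123456789'
            . 'abcdefghijklmnopqrstuvwxyz'
            . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ .,?@_-');
        foreach ($_GET as $key => &$val) {
            // Keep only the characters that appear in the whitelist.
            $val = array_intersect(str_split($val), $white_list);
            $val = implode($val);
        }
        unset($val); // break the reference left behind by foreach
    }
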
You can see that I am only allowing a few characters for punctuation.
The space character seems to work when I test in the URL bar.
I have also seen people use str_replace() after splitting the input into an array and replacing characters with "" if they are not in the whitelist.
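
    if (isset($_GET["test_1"]) && isset($_GET["test_2"])) {
        // Pieces are joined with "." so no newline ends up in the whitelist.
        $white_list = str_split('0123456789'
            . 'abcdefghijklmnopqrstuvwxyz'
            . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ .,?@_-');
        foreach ($_GET as $key => &$val) {
            $char_list = str_split($val);
            foreach ($char_list as $c) {
                // Remove every occurrence of a character that is not whitelisted.
                if (!in_array($c, $white_list)) {
                    $val = str_replace($c, '', $val);
                }
            }
        }
        unset($val); // break the reference left behind by foreach
    }
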
Or something like that.
Are there performance gains to be had?
How would I test it?
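
One way to measure the approaches the question compares, as an added example that is not part of the original post: it first checks that three whitelist filters return identical output, then times each with `hrtime()`. It assumes PHP 7.4 or later; the function names and the sample input are constructed for illustration.

```php
<?php
// Whitelist copied from the question (one line, so no newline is allowed).
const ALLOWED = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ .,?@_-';

// The question's first approach: split into bytes, intersect with the whitelist.
function filter_intersect(string $s): string {
    static $white = null;
    $white ??= str_split(ALLOWED);
    return implode('', array_intersect(str_split($s), $white));
}

// One regex pass: delete every byte that is not in the whitelist.
function filter_regex(string $s): string {
    return preg_replace('/[^0-9a-zA-Z .,?@_-]/', '', $s) ?? '';
}

// No regex: str_replace() with a precomputed list of the disallowed bytes.
function filter_replace(string $s): string {
    static $bad = null;
    $bad ??= array_values(array_diff(array_map('chr', range(0, 255)), str_split(ALLOWED)));
    return str_replace($bad, '', $s);
}

// Apply a filter to request-style data; non-string values such as ?a[]=1 are dropped.
function sanitize(array $input, callable $filter): array {
    return array_map($filter, array_filter($input, 'is_string'));
}

// Wall-clock milliseconds for $rounds passes over $input.
function bench(callable $filter, array $input, int $rounds): float {
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        sanitize($input, $filter);
    }
    return (hrtime(true) - $start) / 1e6;
}

// Constructed sample input standing in for $_GET.
$sample = [
    'test_1' => "Pump #4 <b>leaking</b>; pressure=12.5\n",
    'test_2' => 'contact: j.doe@example.com?',
    'test_3' => ['nested', 'array'],
    'test_4' => str_repeat('field notes, line 7! ', 50),
];
// The filters must agree before their timings are worth comparing.
$expected = sanitize($sample, 'filter_intersect');
foreach (['filter_intersect', 'filter_regex', 'filter_replace'] as $name) {
    if (sanitize($sample, $name) !== $expected) { throw new RuntimeException("$name disagrees"); }
    printf("%-17s %8.2f ms\n", $name, bench($name, $sample, 2000));
}
```

The relative timings depend on the PHP version and on input length, so run it with field values that resemble the real forms.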