Php – Regex to only allow alphanumeric, comma, hyphen, underscore and semicolon


I've already got a bit of working code but I need someone to help explain why it works if they can!

I am using PHP to replace anything in a string if it is not either a-z, A-Z, 0-9, a comma, a semicolon, an underscore or a hyphen (which ultimately should represent either a single username, or a comma/semicolon separated list of usernames).

The following works:

$data = preg_replace('/[^,;a-zA-Z0-9_-]/s', '', $data);

But the following does not:

$data = preg_replace('/[^a-zA-Z0-9_-,;]/s', '', $data);

Why will this only work when the comma and semicolon are at the start? Putting them at the end seems to break things (this is what I tried initially when I came across /[^a-zA-Z0-9_-]/s.

As an aside, I am also using the following to trim any trailing semicolons (plural) or commas (plural) and someone may be able to suggest a more efficient and/or elegant way to do this?:

if(preg_match('/;$/', $data))
    $data = rtrim($data, ';' );
if(preg_match('/,$/', $data))
    $data = rtrim($data, ',' );

Thanks for any help 🙂

Best Solution

It's not the comma and semicolon causing your problem; it's the hyphen. Look at the parts of your character class and consider what they mean:

0-9 # Anything from '0' to '9', meaning 0, 1, 2, ... 9
A-Z # Anything from 'A' to 'Z', meaning A, B, C, ... Z
_-, # Anything from '_' to ',', meaning...uh...hmmm.

There's no clear progression from _ to ,, so the regex engine isn't sure what to make of this. In character classes, if you want a hyphen to be interpreted literally, it needs to be at the very beginning or end of the class (or escaped with a backslash). So any of these will work:


As for trimming off the end, you can do all of this in one regex replace:

$data = preg_replace('/[^,;a-zA-Z0-9_-]|[,;]$/s', '', $data);