views: 58

answers: 2

I have a form field that includes a mixture of HTML and text. I want users to be able to use basic HTML and punctuation.

Currently I am using mysql_real_escape_string and preg_replace to sanitise the data and insert it into the database. My understanding is that preg_replace is the best way to strip any characters that are not in a white list of allowed characters and that mysql_real_escape_string protects from SQL injection.

//How I collect and sanitise the data...
$var=mysql_real_escape_string(
 preg_replace("/[^A-Za-z0-9-?!$#@()\"'.:;\\@,_ =\/<> ]/",'',$_POST['var'])
);

However, it keeps breaking when the hash character is used.

My questions are:

1) Is there a more efficient way to do this?

2) If this is the best way, what am I doing wrong?

The characters that I need to allow are: all alphanumeric characters and:

? ! @ # $ % & ( ) - . , : ; ' " < > / + =

Thanks!

+4  A: 

Why not just use strip_tags() and limit it to the tags you need?

strip_tags($str, "<br>");

You could then do other "sanitation" that is not quite as invasive.

Mech Software
It should be noted that strip_tags, while nice when it works, is not reliable. http://ca.php.net/strip_tags
dnagirl
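The following is an added example, not code from the answer or the comments above. It applies the strip_tags() allow-list suggested in the answer and adds the two things a practitioner would want given the reliability caveat: attributes on the allowed tags are removed afterwards (strip_tags() itself leaves them in place), and the result is re-checked so that anything other than a bare allowed tag fails closed. The tag list, function names and sample strings are constructed for the example.

```php
<?php
// Added example (not from the original post). strip_tags() with an
// allow-list, followed by attribute removal and a post-condition check.

const ALLOWED_TAGS = ['b', 'i', 'br'];

/**
 * Keep only the allowed tags, strip their attributes, and verify the result.
 * If verification fails, the whole input is HTML-escaped instead (fail closed).
 */
function stripToAllowedTags(string $html, array $allowedTags = ALLOWED_TAGS): string
{
    // strip_tags() expects its allow-list in the form "<b><i><br>".
    $allowList = implode('', array_map(fn (string $t): string => "<$t>", $allowedTags));
    $out = strip_tags($html, $allowList);

    // strip_tags() keeps attributes on allowed tags; reduce each to its bare form.
    // This also normalises the self-closing form "<br/>" to "<br>".
    $names = implode('|', array_map(fn (string $t): string => preg_quote($t, '#'), $allowedTags));
    $out = preg_replace('#<(/?)(' . $names . ')\b[^>]*>#i', '<$1$2>', $out);

    // Post-condition: every tag left in the string must be a bare allowed tag.
    if (!hasOnlyBareAllowedTags($out, $allowedTags)) {
        return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

function hasOnlyBareAllowedTags(string $html, array $allowedTags): bool
{
    preg_match_all('#<[^>]*>#', $html, $matches);
    foreach ($matches[0] as $tag) {
        if (!preg_match('#^</?([a-z]+)>$#i', $tag, $t)
            || !in_array(strtolower($t[1]), $allowedTags, true)) {
            return false;
        }
    }
    return true;
}

// Constructed inputs.
$samples = [
    'Price is <b>$5 #12</b> &amp; up<br>',          // allowed tags and punctuation kept
    '<b style="color:red">bold</b> <u>under</u>',   // attribute dropped, <u> removed
    '<br/>line',                                     // self-closing form normalised
];
foreach ($samples as $s) {
    echo stripToAllowedTags($s), "\n";
}
```

One limitation of strip_tags() that the comment refers to is worth keeping in mind: a stray "<" in ordinary text (for example "3 < 5") is treated as the start of a tag and the text after it is discarded, so the function can silently lose content even when it produces no unexpected tags.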
+2  A: 

Since many non-alphanumeric characters have special meanings in a regex, you should escape all of them. So

preg_replace("/[^A-Za-z0-9-?!$#@()\"'.:;\\@,_ =\/<> ]/",'',$_POST['var']) 

becomes (there are a few that probably don't need escaping, but it doesn't hurt)

preg_replace("/[^A-Za-z0-9-\?\!\$\#\@\(\)\"\'\.\:\;\\@\,\_ \=\/\<\> ]/",'',$_POST['var']) 
dnagirl
Thanks! I'm hesitant to use strip_tags if it is not reliable.
Matt
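As an added example (not code from the question or either answer), the whitelist pattern below is built with preg_quote() from the exact character list given in the question, so no regex metacharacter is left unescaped by hand, and the filtered value is then stored with a prepared statement rather than mysql_real_escape_string(), which keeps SQL escaping out of the sanitising step altogether. The SQLite in-memory database via PDO is an assumption made only to keep the example self-contained; the table, function names and inputs are constructed.

```php
<?php
// Added example (not from the original post). Allow-list filtering with a
// preg_quote()-built character class, plus a prepared statement for storage.

// Everything the question lists besides alphanumerics, plus the space:
// ? ! @ # $ % & ( ) - . , : ; ' " < > / + =
const ALLOWED_PUNCTUATION = '?!@#$%&()-.,:;\'"<>/+= ';

function buildAllowListPattern(string $punctuation): string
{
    // preg_quote() escapes every regex metacharacter, including the '/'
    // delimiter and '-', so nothing in the class can be read as a range or
    // an anchor. Characters with no special meaning (e.g. '&', '%') are left as-is.
    return '/[^A-Za-z0-9' . preg_quote($punctuation, '/') . ']/';
}

function whitelistFilter(string $input): string
{
    return preg_replace(buildAllowListPattern(ALLOWED_PUNCTUATION), '', $input);
}

function storeComment(PDO $db, string $raw): string
{
    $clean = whitelistFilter($raw);
    // Parameter binding keeps the value out of the SQL text, so quotes and
    // other characters in $clean need no SQL escaping at all.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $clean]);
    return $clean;
}

$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed inputs: '#', '$', quotes and '%' must survive; a tab, '*',
// braces and a NUL byte are outside the list and are dropped.
$inputs = [
    "Item #42 costs \$5 & it's \"ok\" 100% <b>bold</b>",
    "tabs\tand*braces{}\x00gone",
];
foreach ($inputs as $in) {
    echo storeComment($db, $in), "\n";
}
foreach ($db->query('SELECT body FROM comments') as $row) {
    echo 'stored: ', $row['body'], "\n";
}
```

Filtering characters this way says nothing about whether the HTML is safe to render: "<" and ">" are on the allow-list, so the stored value still needs either the tag allow-list approach from the other answer or htmlspecialchars() at output time, depending on whether the markup is meant to be displayed or interpreted.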