I'm having some issues using the following code on user input:
htmlentities($string, ENT_COMPAT, 'UTF-8');
When an invalid multibyte character is detected PHP throws a notice:
PHP Warning: htmlentities(): Invalid multibyte sequence in argument in /path/to/file.php on line 123
My first thought was to supress the error, but this is slow and poor practice: http://derickrethans.nl/five-reasons-why-the-shutop-operator-should-be-avoided.html
My second thought was to use the ENT_IGNORE flag, but even the PHP manual suggests not to use this:
Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications.
A bit of further reason led me to the following piece of code:
// detect encoding
$encoding = mb_detect_encoding($query);
if($encoding != 'UTF-8') {
$query = mb_convert_encoding($query, 'UTF-8', $encoding);
} else {
// strip out invalid utf8 sequences
$query = iconv('UTF-8', 'UTF-8//IGNORE', $query);
}
Unfortunately iconv also throws an E_NOTICE when it removes/ignores invalid characters:
If you append the string //TRANSLIT to out_charset transliteration is activated. This means that when a character can't be represented in the target charset, it can be approximated through one or several similarly looking characters. If you append the string //IGNORE, characters that cannot be represented in the target charset are silently discarded. Otherwise, str is cut from the first illegal character and an E_NOTICE is generated.
So I'm basically out of options here. I'd rather use a tried and tested library to handle this kind of stuff than attempting it with a few of the regular expression based solutions I've seen floated around.
So that leads me to my final question: How can I remove invalid multibyte characters, efficiently, securely, without notices/warnings/errors?