note legato <p>Your code will call anything with whitespace an unsafe string. While that's much better than no checking, how about: <code> $string =~ s/!([\w\s]+)//; ##add other allowed chars as needed </code> That will sanitize all strings to contain only numbers, digits, the underscore and whitespace. A more complete regex (which would still not include unicode or international chars) would be: <code> $string =~ s/!([\w\s\!\@\#\$\%\^\&\*\(\)\\\`\~\-\+\=\,\.]+)//; </code> (Yes, there's more escaping there than strictly necessary.) Suddenly, that transliteration is looking a lot easier to maintain. If your allowed set is "everything but nulls and control chars", then you're better off explicitly excluding the known control-char set. <p>Denying all, then allowing is a good general rule of thumb. But, in this case, the "dangerous" items are a fixed set while the "safe" items are much more variable -- so it makes sense to simply remove that which is dangerous. <p><b><i>Update=></i></b> [Aristotle] reminded me that, as <tt>\s</tt> includes <tt>\n</tt>, these regexes will not strip newlines; that means strings sanitized with these will be unsafe if executed with a shell (e.g. <tt>system("$string");</tt>). This further shows that inclusion-matching isn't as good, in this case, as merely stripping "bad" data out. <!-- Node text goes above. Div tags should contain sig only --> <div class="pmsig"><div class="pmsig-416970"> <p align=right>Anima Legato<br><tt>.oO all things connect through the motion of the mind</tt></p> </div></div> 417490 417523