I have read many other questions regarding how to filter a string to "Alpha-numeric", but all of them suggest the
Function preg_replace() should not be used with unsanitised user input, because the payload will be eval()'ed. Reflection also could have code injection flaws. Refer to the appropriate reflection documentation, since it is an advanced topic.
$result = preg_replace("/[^a-zA-Z0-9]+/", "", $_POST['data']);
// Notice the $_POST['data']
There's no problem using preg_replace() to filter user inputs. The OWASP advice you've quoted is talking about the pattern not being user input itself.
However, I'd say that using filtered inputs is a problem by itself - you should validate instead. As in, don't accept invalid inputs.
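To make the distinction concrete, here is an added example (not code from the question or the answer) that puts the question's filtering approach next to the validation the answer recommends; the sample inputs and the helper names filterAlnum/validateAlnum are constructed for illustration.

```php
<?php
// Added example, not part of the original question or answer.
// Contrast: filtering silently rewrites the input, validation rejects it.

// Filtering, as in the question: the pattern is a fixed literal and only the
// subject string comes from the user. preg_replace() never evaluates the
// subject, so this is safe; the OWASP warning concerns a user-controlled
// pattern, not user-controlled subject text.
function filterAlnum(string $data): string
{
    return preg_replace('/[^a-zA-Z0-9]+/', '', $data);
}

// Validation, as the answer recommends: accept only input that is already
// alphanumeric and return null for anything else. The D (dollar-end-only)
// modifier matters: without it, `$` also matches before a trailing newline,
// so "alice42\n" would pass as valid.
function validateAlnum(string $data): ?string
{
    return preg_match('/^[a-zA-Z0-9]+$/D', $data) === 1 ? $data : null;
}

// Constructed sample inputs standing in for $_POST['data'].
$samples = ['alice42', 'alice<script>', "alice42\n", "bob\nmallory"];

foreach ($samples as $input) {
    $filtered  = filterAlnum($input);
    $validated = validateAlnum($input);
    printf("%-18s filtered=%-13s validated=%s\n",
        json_encode($input), $filtered, $validated ?? 'REJECTED');
}
```

Note how filtering turns 'alice<script>' into 'alicescript' and "bob\nmallory" into 'bobmallory', quietly producing values the user never sent, whereas validation hands those back as rejected so the caller can return an error instead.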