There are a few things that are a bit screwy with this:
- You can easily avoid using $& here, and since it is really taxing on all other regexen, just don't. I'll point out how to do it along the way.
- Substitution 1: s/([^ a-zA-Z0-9_=&\-])/\\$1/g;. Benefits: No $& to deal with (added parens in front to compensate), as well as stopping a useless sprintf call.
- Substitution 2: s/([A-Za-z0-9][^&\/\.]){10,}/.*/g;. Benefits: Stops the useless and wrong (arguments that you pass are screwy) sprintf call. But see below.
- Substitution 3: $string =~ s/([0-9]){2,}/\\d+/g;. Benefits: Again, no screwy sprintf.
There's a question about your second s/// though: Currently, you look for 10 or more pairs of one alphanumeric character and one non-special character.
The reason why you have ?.*2 in your actual string is because you have an ODD number of characters. Your "pair" semantics leave one behind, therefore. We'll need more info before we can decide what you actually want here.
HTH.
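
The pair semantics described in the reply above, as an added example that is not part of the original post: it runs Substitution 2 on constructed strings (the sample inputs and the `collapse_pairs` name are assumptions) to show how an odd-length run leaves one character behind.

```perl
use strict;
use warnings;

# Substitution 2 as quoted in the post. Each repetition of the group consumes
# a PAIR: one alphanumeric, then one character that is not & / or .
sub collapse_pairs {
    my ($s) = @_;
    $s =~ s/([A-Za-z0-9][^&\/\.]){10,}/.*/g;
    return $s;
}

# Constructed sample inputs (not taken from the original thread).
my @samples = (
    '?' . ('a' x 20),            # 20 chars = 10 full pairs, all consumed
    '?' . ('a' x 20) . '2',      # 21 chars = 10 pairs + 1 left over
    '?' . ('a' x 19),            # only 9 full pairs, below {10,}: untouched
    '?' . ('a' x 20) . '&x=1',   # run ends at '&', which cannot start a pair
);

for my $in (@samples) {
    printf "%-28s -> %s\n", $in, collapse_pairs($in);
}

# Output:
# ?aaaaaaaaaaaaaaaaaaaa        -> ?.*
# ?aaaaaaaaaaaaaaaaaaaa2       -> ?.*2
# ?aaaaaaaaaaaaaaaaaaa         -> ?aaaaaaaaaaaaaaaaaaa
# ?aaaaaaaaaaaaaaaaaaaa&x=1    -> ?.*&x=1
```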