I want to know the most secure way to sanitize data that is given to a PHP script, this is the function I have come up with, do you think that it's safe enough to use?
function santatizeName($data)
{
// FILTER_SANITIZE_STRING strips tags and encodes quotes; note it is deprecated as of PHP 8.1.
$data = filter_var($data, FILTER_SANITIZE_STRING);
$data = preg_replace('/[^a-z]/i', '', $data); // Removes everything but ASCII letters.
$data = ucfirst($data); // Capitalizes the first letter.
return $data;
}
Would love your feedback, new to PHP security.
Upvotes: 1
Views: 950
Reputation: 7058
The concept of input sanitation is actually futile on strings, given the business need of using all characters in most fields, especially in name fields (think Mr. O'Hara, Mrs. Smith-Meyer and Mr. Möller), and given the fact that almost any character is dangerous in some other context. You should look into properly escaping/encoding your string data whenever it changes context (such as when you put it into a database query, shell command, or input into dynamically generated HTML/CSS/JS/whatever). Use safe APIs for DB access, such as prepared statements, instead of constructing SQL by string concatenation.
That being said, you might find the OWASP PHP filters or OWASP ESAPI for PHP useful.
Upvotes: 2
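The following is an added example, not code from the question or from this answer, showing the approach the answer recommends: keep the name intact, validate it against a realistic rule, and encode it separately for each context it enters (HTML, JavaScript, SQL). The name list, the validation regex (letters in any script plus space, apostrophe, period and hyphen, at most 100 characters) and the in-memory SQLite database are constructed assumptions for the demonstration; `pdo_sqlite` is assumed to be available.

```php
<?php
// Added example: context-specific encoding instead of character stripping.

// Constructed sample inputs. The first three are names the question's
// letter-only filter would mangle (O'Hara -> OHara, Möller -> Mller).
$names = ["O'Hara", "Smith-Meyer", "Möller", "<script>alert(1)</script>"];

// Validation (assumed business rule): letters and combining marks from any
// script, spaces, apostrophes, periods and hyphens; bounded length.
function isPlausibleName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\' .-]{1,100}$/u', $name);
}

// Context 1: HTML text or attribute. Encode, do not strip.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 2: a JavaScript string literal inside an HTML page.
function forJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Context 3: SQL. Prepared statements with bound parameters keep the data
// separate from the query text, so the apostrophe in O'Hara is just data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
$select = $pdo->prepare('SELECT name FROM people WHERE name = :name');

foreach ($names as $name) {
    if (!isPlausibleName($name)) {
        // Reject rather than "clean": the caller gets a clear error.
        echo "rejected: " . forHtml($name) . "\n";
        continue;
    }
    $insert->execute([':name' => $name]);
    $select->execute([':name' => $name]);
    $stored = $select->fetchColumn();

    echo "stored: {$stored}\n";                       // unchanged, e.g. O'Hara
    echo "html:   " . forHtml($stored) . "\n";        // O&#039;Hara
    echo "js:     var n = " . forJs($stored) . ";\n"; // "O\u0027Hara"
}
```

Run it with `php example.php`. The three real names round-trip through the database untouched and are encoded only at the point of output, while the `<script>` string never reaches storage because it fails validation. Validation here is a business rule about what a name may look like, not a security control; the security work is done by the per-context encoding and the bound parameters.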
Reputation: 12655
Check out http://htmlpurifier.org/ although it's much more than sanitizing.
Upvotes: 0
Reputation: 88044
You might want to review the following PHP documentation regarding sanitization filters.
http://php.net/manual/en/filter.filters.sanitize.php
and
http://php.net/manual/en/ref.filter.php
Upvotes: 1