user1554264

Reputation: 1224

Increasing understanding of validating a string with PHP string functions

I've just started attempting to validate data in PHP and I'm trying to understand this concept better. I was expecting the string passed as an argument to the $data parameter of the test_input() function to be formatted by the following PHP functions.

  1. trim() to remove white space from the end of the string
  2. stripslashes() to return a string with backslashes stripped off
  3. htmlspecialchars() to convert special characters to HTML entities

The issue is that the string that I am echoing at the end of the function is not being formatted in the way I desire at all. In fact it looks exactly the same when I run this code on my server - no white space removed, the backslash is not stripped and no special characters converted to HTML entities.

My question is, have I gone about this the wrong way? Should I be creating the variable called $santised_input on 3 separate lines with each of the functions trim(), stripslashes() and htmlspecialchars()?

By my understanding, surely I am overwriting the value of the $santised_input variable each time I recreate it on a new line of code. Therefore the trim() and stripslashes() string functions will never be executed.

What I am trying to achieve is using the "$santised_input" variable to run all of these PHP string functions when the $data argument is passed to my test_input() function. In other words can these string functions be chained together so that I only need to create $santised_input once?

<?php

function test_input($data) {
   $santised_input = trim($data);
   $santised_input = stripslashes($data);
   $santised_input = htmlspecialchars($data);
   echo $santised_input;
}

test_input("%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E\     ");

//Does not output desired result "&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;"

?>

Upvotes: 0

Views: 59

Answers (4)

Oscar M.

Reputation: 1086

You should also be aware of the filtering functions added in PHP 5: filter_var.

Strings can be sanitized as follows

$sanitised = filter_var($data, FILTER_SANITIZE_STRING);

There are various options you can use for sanitizing it, for example

$sanitised = filter_var($data, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);  

These functions are particularly useful for validating and sanitizing URLs and emails via FILTER_SANITIZE_URL and FILTER_SANITIZE_EMAIL.

Upvotes: 0
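An added example of the filter_var() family the answer above points at; it is not code from the answer. It uses the FILTER_VALIDATE_* filters, which return false on rejected input, rather than the sanitizing filters (FILTER_SANITIZE_STRING, quoted in the answer, is deprecated as of PHP 8.1). The http/https scheme allowlist and the 1..1000 page range are assumed policies chosen for the demonstration, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the original answer. Demonstrates filter_var()
// used for validation: the input is accepted as a whole or rejected as a whole,
// nothing is silently stripped out of it.
declare(strict_types=1);

// Returns the address, or null when FILTER_VALIDATE_EMAIL rejects it.
function validate_email(string $input): ?string
{
    $result = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $result === false ? null : $result;
}

// FILTER_VALIDATE_URL accepts any scheme it can parse, so an explicit
// allowlist is applied afterwards (assumed policy: only http and https,
// the sensible choice for a link or redirect target).
function validate_http_url(string $input): ?string
{
    $result = filter_var($input, FILTER_VALIDATE_URL);
    if ($result === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($result, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $result : null;
}

// Integer validation with a range passed through the options array
// (assumed policy: page numbers 1..1000). Returns an int, never a string.
function validate_page_number(string $input): ?int
{
    $result = filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $result === false ? null : $result;
}

// Constructed sample inputs for the demonstration.
$samples = [
    'email' => ['alice@example.com', 'alice@@example.com', 'alice@example.com<script>'],
    'url'   => ['https://example.com/path', 'javascript:alert(1)', 'ftp://example.com/'],
    'int'   => ['42', '0', '12abc', '1001'],
];

foreach ($samples['email'] as $s) {
    printf("email %-30s => %s\n", var_export($s, true), var_export(validate_email($s), true));
}
foreach ($samples['url'] as $s) {
    printf("url   %-30s => %s\n", var_export($s, true), var_export(validate_http_url($s), true));
}
foreach ($samples['int'] as $s) {
    printf("int   %-30s => %s\n", var_export($s, true), var_export(validate_page_number($s), true));
}
```

Run it with `php example.php`. The null results are the point: a validating filter tells you the value was bad so the request can be refused, whereas a sanitizing filter hands back a modified string and leaves you unsure what it originally was.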

Pablo Ezequiel Leone

Reputation: 1387

I never trust these functions; I'd do it with a regex using preg_replace.

http://www.php.net/manual/es/function.preg-replace.php

Upvotes: 0

nthall

Reputation: 2915

Edit: Sorry, misread the question. You actually can do:

$sanitised_input = htmlspecialchars(stripslashes(trim($data)));

and that should do the trick, I think.

Upvotes: 1

Pudge601

Reputation: 2068

You're performing each of the string functions on the original $data variable, and overwriting the value of $santised_input each time. The output will be no different from simply running the last string function and neither of the first two.

To solve, perform the latter functions on the $santised_input variable:

function test_input($data) {
   $santised_input = trim($data);
   $santised_input = stripslashes($santised_input);
   $santised_input = htmlspecialchars($santised_input);
   echo $santised_input;
}

Upvotes: 6
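The fix shown in nthall's one-liner and in Pudge601's three-assignment version, as an added example that is not code from the question or either answer. It runs the question's original function next to the corrected one on two constructed inputs: the exact string from the question, and the same string after percent-decoding. The decoded input is included because the question's string is percent-encoded (%22, %3C and so on), so it contains no characters for htmlspecialchars() to convert even once the chaining bug is fixed; PHP decodes query-string and form values into $_GET and $_POST for you, so the literal in the question's test call is not what a request would actually deliver. ENT_QUOTES is passed explicitly so single quotes are converted as well, which older PHP versions do not do by default.

```php
<?php
// Added example, not code from the original question or answers. It shows why
// the question's test_input() only ever applied htmlspecialchars(), and what the
// same inputs look like once the three calls are chained properly.
declare(strict_types=1);

// Original, buggy version: every call reads $data, so only the last assignment
// survives and trim()/stripslashes() have no effect on the returned value.
function test_input_buggy(string $data): string
{
    $santised_input = trim($data);
    $santised_input = stripslashes($data);
    $santised_input = htmlspecialchars($data);
    return $santised_input;
}

// Fixed version: each step consumes the previous step's result.
// ENT_QUOTES converts single quotes too; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function test_input_fixed(string $data): string
{
    $santised_input = trim($data);
    $santised_input = stripslashes($santised_input);
    $santised_input = htmlspecialchars($santised_input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $santised_input;
}

// Constructed inputs. $encoded is the question's literal (the double backslash
// here is one literal backslash, as in the question). $decoded is the same
// payload after percent-decoding, which is what PHP hands you in $_GET/$_POST.
$encoded = "%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E\\     ";
$decoded = rawurldecode($encoded);

foreach (['encoded' => $encoded, 'decoded' => $decoded] as $label => $input) {
    echo $label, ' input : ', var_export($input, true), PHP_EOL;
    echo $label, ' buggy : ', var_export(test_input_buggy($input), true), PHP_EOL;
    echo $label, ' fixed : ', var_export(test_input_fixed($input), true), PHP_EOL, PHP_EOL;
}
```

Run it with `php example.php`. For both inputs the buggy version still carries the trailing backslash and spaces, and for the decoded input the fixed version yields `&quot;&gt;&lt;script&gt;alert(&#039;hacked&#039;)&lt;/script&gt;`, with the single quotes converted because of ENT_QUOTES. Two caveats a practitioner would add: stripslashes() only undoes the magic_quotes_gpc escaping that PHP removed in 5.4, so on current PHP it strips backslashes a user legitimately typed; and htmlspecialchars() is output encoding for an HTML context, so it belongs at the point where the value is written into HTML rather than in a generic input step, where it would corrupt the value for any other use (a database, a log line, JSON).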
