Reputation: 368
FILTER_SANITIZE_STRING filters letters that shouldn't be filtered
I'm using filter to clean my strings before i use prepared statements
filter_input( INPUT_POST, 'x', FILTER_SANITIZE_STRING )
the problem is that I'm from Lithuania and here we have some pretty weird letters like ą č ę ė į š ų ū and I need those unfiltered, i can't find another filter FILTER_SANITIZE_ that would work, is there any? and if not is there another function that does this the way i need?
Upvotes: 0
Views: 339
Answers (1)
Reputation: 33538
Solution: Don't filter.
HTML encode when you output to an HTML page.
e.g.
& becomes &, < becomes <.
Use htmlentities to do this.
HTML code isn't dangerous in your database - it's only dangerous when user input is output unencoded.
Since you're already using prepared statements, you're already protected against SQLi (assuming there's not any query concatenation going on anywhere of course, for example within any SPs you are calling).
Upvotes: 2
Related Questions
- Is FILTER_SANITIZE_STRING enough to avoid SQL injection and XSS attacks?
- pass FILTER_SANITIZE_STRING
- Why does FILTER_SANITIZE_STRING remove part of the SQL string?
- What does FILTER_SANITIZE_STRING do?
- Sanitize filter_var PHP string but keep " '
- PHP Sanitising and escaping special characters
- php 5.2 - FILTER_SANITIZE_FULL_SPECIAL_CHARS
- Reverse FILTER_SANITIZE_SPECIAL_CHARS with PHP
- Using filter_var to sanitize a string
- filtering user input in php