PHP Sanitize Data

Question

I am new to the world of coding and PHP hence would like to learn what\'s the best way to sanitize form data to avoid malformed pages, code injections and the like. Is the s

Answer 1

It's not bad.

For SQL, it'd be best to avoid the need to risk the scenario at all, by using PDO to insert parameters into your queries.

Answer 2

As a general rule if you are using PHP & MySQL you will want to sanitize data going into MySQL like so:

$something = mysql_real_escape_string($_POST['your_form_data']);

http://php.net/manual/en/function.mysql-real-escape-string.php

Answer 3

Your example script isn't great - the so called sanitisation of a string just trims whitespace off each end. Relying on that would get you in a lot of trouble fast.

There isn't a one size fits all solution. You need to apply the right sanitisation for your application, which will completely depend on what input you need and where it's being used. And you should sanitise at multiple levels in any case - most likely when you receive data, when you store it and possibly when you render it.

Worth reading, possible dupes:

What's the best method for sanitizing user input with PHP?

Clean & Safe string in PHP

Answer 4

That script has some nice functions but it doesn't do a good job at sanitizing!

Depending on what you need (and want to accept) you can use:

• abs() for positive numbers (note that it accepts floats also)

• preg_replace('/[^a-zA-Z0-9 .-]/','',$var) for cleaning out any special characters from strings or preg_replace('/\D/','',$var) to remove all non-digit characters

• ctype_* functions eg. ctype_digit($var)

• filter_var() and filter_input() functions

• type-cast eg. (int)$_GET['id']

• convert eg. $id=$_GET['id']+0;