According to PHP Manual: Strip tags, optionally strip or encode special characters. According to W3Schools: The FILTER_SANITIZE_STRING filter strips or encodes unwanted characters. This filter removes data that is potentially harmful for your application. It is used to strip tags and remove or encode unwanted characters. Now, that doesn’t tell us much. Let’s go see … Read more
How do you sanitize data in $_GET -variables by PHP? You do not sanitize data in $_GET. This is a common approach in PHP scripts, but it’s completely wrong*. All your variables should stay in plain text form until the point when you embed them in another type of string. There is no one form … Read more
Making a small adjustment to Tor Valamo’s solution to fix the problem noticed by Dominic Rodger, you could use: // Remove anything which isn’t a word, whitespace, number // or any of the following caracters -_~,;[](). // If you don’t need to handle multi-byte characters // you can use preg_replace rather than mb_ereg_replace // Thanks … Read more
There are a few cases where this escape function will fail. The most obvious is when a single quote isn’t used: string table= “\”” + table.Replace(“‘”, “””) + “\”” string var= “`” + var.Replace(“‘”, “””) + “`” string index= ” ” + index.Replace(“‘”, “””) + ” ” string query = “select * from `”+table+”` where … Read more
function slug($z){ $z = strtolower($z); $z = preg_replace(‘/[^a-z0-9 -]+/’, ”, $z); $z = str_replace(‘ ‘, ‘-‘, $z); return trim($z, ‘-‘); }
I found this larger function in the Chyrp code: /** * Function: sanitize * Returns a sanitized string, typically for URLs. * * Parameters: * $string – The string to sanitize. * $force_lowercase – Force the string to lowercase? * $anal – If set to *true*, will remove all non-alphanumeric characters. */ function sanitize($string, $force_lowercase … Read more
This filter had an unclear purpose. It’s difficult to say what exactly it was meant to accomplish or when it should be used. It was also confused with the default string filter, due to its name, when in reality the default string filter is called FILTER_UNSAFE_RAW. The PHP community decided that the usage of this … Read more
First of all, it’s just bad practice. Input validation is always necessary, but it’s also always iffy. Worse yet, blacklist validation is always problematic, it’s much better to explicitly and strictly define what values/formats you accept. Admittedly, this is not always possible – but to some extent it must always be done. Some research papers … Read more
addslashes() isn’t fully adequate, but PHP’s mssql package doesn’t provide any decent alternative. The ugly but fully general solution is encoding the data as a hex bytestring, i.e. $unpacked = unpack(‘H*hex’, $data); mssql_query(‘ INSERT INTO sometable (somecolumn) VALUES (0x’ . $unpacked[‘hex’] . ‘) ‘); Abstracted, that would be: function mssql_escape($data) { if(is_numeric($data)) return $data; $unpacked … Read more
Stop! You’re making a mistake here. Oh, no, you’ve picked the right PHP functions to make your data a bit safer. That’s fine. Your mistake is in the order of operations, and how and where to use these functions. It’s important to understand the difference between sanitizing and validating user data, escaping data for storage, … Read more