Sanitizing Strings with Filters in PHP 5

Welcome to the eighth part of a nine-part series on using filters in PHP 5. In this part, I discuss how to use the filter extension for sanitizing strings in all sorts of clever manners. I’ll show you how to encode quotes, low and high ASCII characters in literals, and remove them in the same easy manner. Doing this can help prevent SQL injections and XSS attacks when developing PHP applications.

In case you haven’t heard about it yet, the filter extension that comes included with PHP 5 is a powerful library that allows you to perform all sorts of clever validation tasks on incoming data, ranging from checking integers and float numbers, Boolean and string values, to accomplishing more complex processes, such as verifying IP and email addresses.

Thus, if you’re a PHP developer who’s looking for an approachable guide that shows you how to work with the most relevant filters that come bundled with this useful extension, then you’ve come to the right place. In this group of articles you’ll find numerous examples that will show you how to get the most out of this data checking library in a truly effortless manner.

And now that you know the main goal of this article series, it’s time to refresh the topics covered in the last installment. So, as you’ll possibly recall, in that tutorial I discussed the usage of the FILTER_VALIDATE_IP filter for validating IP addresses utilizing both the IPv4 and the IPv6 protocols.

As with other filters that were reviewed in previous articles of this series, the FILTER_VALIDATE_IP filter was used in conjunction with the already familiar “filter_var()” function, to perform the validation process in a pretty straightforward fashion. However, as I stated previously, the filter extension has plenty of room to let developers verify different data types; this includes the ability to sanitize strings in different ways.

For instance, say that you need to strip unwanted HTML tags from data collected through a web form, or wish to replace certain characters in a literal with their corresponding HTML entities, as you’ve probably done hundreds of times before with the native “htmlspecialchars()” PHP function. Well, the filter extension lets you perform this kind of string sanitization and many, many others.

Therefore, in this penultimate part of the series, I’m going to explain how to use the extension to “heal” your strings in a snap, without having to code a complex custom function or class method. So, let’s leave the preliminaries behind and see how to accomplish these tasks by means of a few comprehensive examples. Let’s get going!

Review: the FILTER_VALIDATE_IP filter

I know that you’re curious about the functionality provided by the filter PHP 5 extension to sanitize strings. Before I proceed to discuss that particular topic, though, I’d like to reintroduce the examples built in the previous article. They demonstrated how to work with the FILTER_VALIDATE_IP filter to validate several ranges and types of IP addresses.

Given that, here’s how those examples looked originally:

(example on validating IP address using the FILTER_FLAG_IPV4 argument)

$ip = '192.168.37';

if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === FALSE) { // displays IP is not valid
    echo 'IP is not valid.';
} else {
    echo 'IP is valid.';
}

(example on validating IP address using the FILTER_FLAG_IPV6 argument)

$ip = '2001:0cb8:25a3:04c1:1324:8a2b:0471:8221';

if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === FALSE) { // displays IP is valid
    echo 'IP is not valid.';
} else {
    echo 'IP is valid.';
}

(example on validating IP address using the FILTER_FLAG_NO_PRIV_RANGE argument)

$ip = '192.168.37.1';

if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) === FALSE) { // displays IP is not valid
    echo 'IP is not valid.';
} else {
    echo 'IP is valid.';
}

(example on validating IP address using the FILTER_FLAG_NO_RES_RANGE argument)

$ip = '255.255.255.255';

if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE) === FALSE) { // displays IP is not valid
    echo 'IP is not valid.';
} else {
    echo 'IP is valid.';
}

As shown previously, the above group of code snippets represents different cases where the FILTER_VALIDATE_IP filter is used along with the “filter_var()” function to validate several IP addresses. More specifically, the first two examples show how to work with the filter to check IP addresses that follow the IPv4 and IPv6 protocols respectively, while the remaining two demonstrate how simple it is to determine whether a given IP belongs to a private or a reserved range. That was quite easy to grasp, right?

Well, now that you’ve hopefully recalled how to use the filter extension to validate distinct types of IP addresses, it’s time to explore some additional filters. Thus, as I stated at the beginning of this article, in the next few lines I’m going to discuss the use of a brand new PHP constant called FILTER_SANITIZE_STRING. As its name implies, it comes in handy for sanitizing strings in all sorts of smart ways.

This topic will be treated in depth in the course of the section to come. So, to learn more on it, please click on the link that appears below and keep reading.

Sanitizing strings with the filter library

In reality, one of the most robust filters included with the filter library is the one responsible for sanitizing strings, since it’s capable of doing this in several ways. To understand more clearly how this filter works with the numerous optional arguments, below I coded a few basic examples that show it in action in diverse cases. Take a look at them:

// example on sanitizing strings in a basic way
$string = "<script>alert('hello');</script>";
echo filter_var($string, FILTER_SANITIZE_STRING); // tags are stripped and the quotes are encoded as HTML entities

// example on sanitizing strings using the FILTER_FLAG_NO_ENCODE_QUOTES argument
$string = "<script>alert('hello');</script>";
echo filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES); // tags are stripped, quotes are not encoded

// example on sanitizing strings using the FILTER_FLAG_STRIP_LOW argument
$string = '<script>#$%^&!*</script>';
echo filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); // strips low characters (ASCII value below 32)

// example on sanitizing strings using the FILTER_FLAG_STRIP_HIGH argument
$string = '<script>This is a string#$%^&!*</script>';
echo filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH); // strips high characters (ASCII value above 127)

As shown above, the FILTER_SANITIZE_STRING filter can clean up strings in many different ways. Speaking more specifically, the first case encodes the single quotes included within the sample literal, while the second example behaves the opposite way: it leaves the quotes untouched, since the FILTER_FLAG_NO_ENCODE_QUOTES flag has been passed to the “filter_var()” function.

Finally, the last two code snippets show how to use the filter for removing high and low ASCII characters from the supplied string, according to the flag specified in each case. In addition, here are a few more examples that demonstrate how to sanitize strings by encoding, rather than removing, the high and low ASCII characters included within them:

// example on sanitizing strings using the FILTER_FLAG_ENCODE_LOW argument
$string = '<script>This is a string#$%^&!*</script>';
echo filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_LOW); // encodes low characters (ASCII value below 32) as HTML entities

// example on sanitizing strings using the FILTER_FLAG_ENCODE_HIGH argument
$string = '<script>This is a string#$%^&!*</script>';
echo filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH); // encodes high characters (ASCII value above 127) as HTML entities
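The sample strings above contain only printable ASCII, so the STRIP and ENCODE flags for low and high characters leave them unchanged apart from the tag stripping. The following added example (my own code, not from the original article) feeds FILTER_SANITIZE_STRING a constructed input that really contains a tab, a NUL byte and a byte above 127, and shows the result for each flag both as text and as hex, using the hypothetical helper sanitize_with_flags().

```php
<?php
// Added example, not part of the original article.
// Caveats a practitioner should know: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1,
// and on UTF-8 input every byte of a multibyte character is a "high" byte, so the
// STRIP_HIGH and ENCODE_HIGH flags mangle non-ASCII text rather than cleaning it.

/**
 * Runs FILTER_SANITIZE_STRING over $input once per flag combination and returns the
 * results keyed by a label, so the caller can compare what each flag keeps, drops or encodes.
 */
function sanitize_with_flags(string $input): array
{
    $flagSets = [
        'default (tags stripped, quotes encoded)' => 0,
        'NO_ENCODE_QUOTES'                        => FILTER_FLAG_NO_ENCODE_QUOTES,
        'STRIP_LOW'                               => FILTER_FLAG_STRIP_LOW,
        'STRIP_HIGH'                              => FILTER_FLAG_STRIP_HIGH,
        'ENCODE_LOW'                              => FILTER_FLAG_ENCODE_LOW,
        'ENCODE_HIGH'                             => FILTER_FLAG_ENCODE_HIGH,
        'STRIP_LOW | ENCODE_HIGH'                 => FILTER_FLAG_STRIP_LOW | FILTER_FLAG_ENCODE_HIGH,
    ];

    $results = [];
    foreach ($flagSets as $label => $flags) {
        $results[$label] = filter_var($input, FILTER_SANITIZE_STRING, $flags);
    }
    return $results;
}

// Constructed sample input: a script tag with quotes, a tab (0x09), the byte 0xE9
// (an ISO-8859-1 "é", i.e. a high character) and a NUL byte (0x00).
$input = "<script>alert('x')</script>\tcaf\xE9\x00end";

foreach (sanitize_with_flags($input) as $label => $clean) {
    printf("%-42s %s\n", $label . ':', $clean);
    printf("%-42s %s\n", '', bin2hex($clean)); // byte-level view of what survived
}
```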

So far, nothing unexpected, right? As you saw earlier, the FILTER_SANITIZE_STRING filter can be used in different ways to remove or encode specific characters in a given string. However, the extension is capable of doing a few more useful things with literals. So, in the last section of this tutorial I’m going to show you how to use it for sanitizing email addresses, as well as float and integer numbers.

Thus, to see how this will be accomplished click on the link below and read the following segment.

Sanitizing email addresses, integers and float numbers

As I said previously, the filter extension also has the ability to sanitize email addresses and float and integer numbers, through filters dedicated to each of these tasks. So, to help you grasp how these tasks can be performed in a very simple way, please look at the following examples, which are pretty intuitive. Here they are:

// example sanitizing an email address using the FILTER_SANITIZE_EMAIL filter
$email = 'alejandro(&)gervasio@domain.com';
echo filter_var($email, FILTER_SANITIZE_EMAIL); // removes the characters not allowed in an email address (here the parentheses)

// example sanitizing a URL using the FILTER_SANITIZE_URL filter
$url = 'http://www.devshed.c!m';
echo filter_var($url, FILTER_SANITIZE_URL); // removes characters not allowed in a URL; note that '!' is allowed, so this sample is returned unchanged

// example sanitizing an integer using the FILTER_SANITIZE_NUMBER_INT filter
$value = '12abc345@';
echo filter_var($value, FILTER_SANITIZE_NUMBER_INT); // keeps only digits and plus and minus signs

// example sanitizing a float number using the FILTER_SANITIZE_NUMBER_FLOAT filter
$value = '12.abc345@';
echo filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT); // without further flags the decimal point is removed too, so the result looks like an integer

// example sanitizing a float number using the FILTER_SANITIZE_NUMBER_FLOAT filter and the FILTER_FLAG_ALLOW_FRACTION argument
$value = '12.abc345@';
echo filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION); // the decimal point is kept

// example sanitizing a float number using the FILTER_SANITIZE_NUMBER_FLOAT filter and the FILTER_FLAG_ALLOW_THOUSAND argument
$value = '12.,abc345@';
echo filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_THOUSAND); // the thousand separator (comma) is kept, the decimal point is not

// example sanitizing magic quotes using the FILTER_SANITIZE_MAGIC_QUOTES filter
$value = "I'm Alejandro Gervasio";
echo filter_var($value, FILTER_SANITIZE_MAGIC_QUOTES); // same effect as addslashes(): the apostrophe is escaped with a backslash
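A sanitizing filter only drops characters and never reports that the input was bad, so a value that looks clean afterwards can still be invalid. The added example below (my own code, not from the original article) runs the article's own sample values, plus two constructed bad ones, through a sanitize filter followed by the matching validate filter, using the hypothetical helper sanitize_then_validate().

```php
<?php
// Added example, not part of the original article.

/**
 * Sanitizes $raw with a FILTER_SANITIZE_* filter, then validates the cleaned value with
 * the matching FILTER_VALIDATE_* filter. 'valid' is null when validation rejected the value.
 */
function sanitize_then_validate(string $raw, int $sanitizeFilter, int $validateFilter, int $sanitizeFlags = 0): array
{
    $clean = filter_var($raw, $sanitizeFilter, $sanitizeFlags);
    // FILTER_NULL_ON_FAILURE: null means "rejected", so a legitimate 0 or "" is not mistaken for failure
    $valid = filter_var($clean, $validateFilter, FILTER_NULL_ON_FAILURE);
    return ['clean' => $clean, 'valid' => $valid];
}

// Constructed samples: the article's inputs plus two that look clean after sanitizing but are not valid
$cases = [
    ['alejandro(&)gervasio@domain.com', FILTER_SANITIZE_EMAIL,        FILTER_VALIDATE_EMAIL, 0],
    ['not an email at all',             FILTER_SANITIZE_EMAIL,        FILTER_VALIDATE_EMAIL, 0],
    ['12abc345@',                       FILTER_SANITIZE_NUMBER_INT,   FILTER_VALIDATE_INT,   0],
    ['abc@',                            FILTER_SANITIZE_NUMBER_INT,   FILTER_VALIDATE_INT,   0],
    ['12.abc345@',                      FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT, FILTER_FLAG_ALLOW_FRACTION],
    ['12.abc345@',                      FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT, 0],
];

foreach ($cases as [$raw, $sanitize, $validate, $flags]) {
    $r = sanitize_then_validate($raw, $sanitize, $validate, $flags);
    printf("%-36s -> clean: %-32s valid: %s\n",
        var_export($raw, true),
        var_export($r['clean'], true),
        $r['valid'] === null ? 'REJECTED' : var_export($r['valid'], true));
}

// Quoting for SQL is not a job for these filters: FILTER_SANITIZE_MAGIC_QUOTES wrapped addslashes()
// (deprecated in PHP 7.3, removed in 8.0); prepared statements with bound parameters are the defence.
```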

Undoubtedly, from the code samples shown previously, it’s clear how simple it is to use the extension’s sanitizing filters to perform different clean-up tasks on email addresses, integers and float numbers. In each particular case a specific filter, and sometimes a flag, has been passed to the “filter_var()” function to accomplish the desired sanitization process, namely the removal of invalid characters from an email address, a URL, and float and integer numbers respectively. I’m sure that at this point you’ve grasped the logic behind using these handy filters.

With these examples I’m finishing this chapter of the series on sanitizing strings with the PHP 5 filter extension. As usual, feel free to edit all of the code samples developed in this tutorial. This way you can sharpen your existing skills for working with this powerful library. The experience will be instructive, trust me.

Final thoughts

Over this eighth part of the series, I discussed how to take advantage of the functionality provided by the PHP 5 filter extension, this time for sanitizing strings in all sorts of clever manners. As you saw earlier, by using the FILTER_SANITIZE_STRING filter it’s possible to encode quotes and low and high ASCII characters in literals, as well as remove them in the same easy manner, which can be extremely useful for preventing SQL injections and XSS attacks when developing PHP applications.

In the last chapter, I’m going to continue reviewing a few more capabilities offered by the filter library for sanitizing strings and using callback functions, thus finishing this round-up of the main features packaged with this powerful PHP extension. So, my little piece of advice here is simple and straight: don’t miss the final chapter!
