konfused Posted March 20, 2013

I seem to have misunderstood the way to sanitize a string. Here is the code:

    // Is the first name present? If it is, clean it
    if (filter_var($_POST['fname'], FILTER_SANITIZE_STRING)) {
        $fn = mysqli_real_escape_string($dbcon, $_POST['fname']);
    } else {
        $errors[] = 'You forgot to enter your first name.';
    }

It does not remove HTML tags. What am I doing wrong, please?
Antonio Conte Posted March 20, 2013

You need to get the string returned from the function. You can't just make sure the test passes.

    // Is the first name present? If it is, clean it
    $name = filter_var($_POST['fname'], FILTER_SANITIZE_STRING);

    // Make sure name is clean
    if ($name !== false) {
        $fn = mysqli_real_escape_string($dbcon, $name);
    } else {
        $errors[] = 'You forgot to enter your first name.';
    }

Return Values: Returns the filtered data, or FALSE if the filter fails.
konfused Posted March 21, 2013

Many thanks Antonio. Best wishes
konfused Posted March 22, 2013

Hello Antonio

There is still a problem. Your sample code successfully removed tags such as <p></p>, but when the form field is empty, it does not pop the error message into the array. Can you see what I am doing wrong, please? The code is copied and posted here:

    // Is the first name present? If it is, clean it
    $name = filter_var($_POST['fname'], FILTER_SANITIZE_STRING);

    // Make sure name is clean
    if ($name !== false) {
        $fn = mysqli_real_escape_string($dbcon, $name);
    } else {
        $errors[] = 'You forgot to enter your first name.';
    }

Also, it did not remove the angle brackets from <script>. How can I persuade filter_var to clean JavaScript entries?

Best wishes
Antonio Conte Posted March 22, 2013

Yeah, I just fixed the logical error in your code. You are missing a parameter. - http://php.net/manual/en/filter.filters.sanitize.php

    filter_var($var, FILTER_SANITIZE_STRING, _FLAG_HERE);

I wouldn't really recommend you using that filter anyway. There are better ways to remove HTML. You could do it with one of the flags, but you'll meet problems if you want to handle UTF-8 and foreign languages. It's built on the ASCII ranges. Using the filters to escape strings, validate URLs/emails and similar is good usage, though.

To remove: http://php.net/manual/en/function.strip-tags.php
To convert: http://www.php.net/manual/en/function.htmlentities.php

    // Trim input
    $name = trim($_POST['fname']);

    // Strip HTML/convert, apply escaping
    $stripped  = mysqli_real_escape_string($dbcon, strip_tags($name));
    $converted = mysqli_real_escape_string($dbcon, htmlentities($name));

    // Display differences
    echo 'Stripped: ' . $stripped . '<br />';
    echo 'Converted: ' . $converted . '<br />';

    // Get string lengths
    $strLen = mb_strlen($stripped, 'utf8');
    $ConLen = mb_strlen($converted, 'utf8');

    // Check stripped string
    if ($strLen < 1) {
        $errors[] = 'You forgot to enter your first name.';
    }

    // Check converted string
    if ($ConLen < 1) {
        $errors[] = 'You forgot to enter your first name.';
    }

    // ...

Hope that helps. Again, it's not a usable solution, but examples you could apply to your own code.
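Added example (editor's code, not Antonio's or konfused's): the empty-field bug in the thread comes from testing the sanitize filter's return value against false, which it only returns on failure, not for an empty string. The version below checks presence on the trimmed raw input first, removes markup for storage, escapes for HTML only at output time, and uses a prepared statement instead of mysqli_real_escape_string for the database. It assumes PHP 7.4+ with mbstring; the users table, first_name column, the FIRST_NAME_MAX_CHARS constant and the sample submissions are all constructed for the example.

```php
<?php
// Added example, not the thread's code: validate a first-name field, then
// treat each output context (storage, HTML, SQL) separately.
declare(strict_types=1);

// Constructed limit, matching a hypothetical VARCHAR(50) column.
const FIRST_NAME_MAX_CHARS = 50;

/**
 * Returns the cleaned first name, or null after appending a message to $errors.
 * Presence is checked on the trimmed raw input: filter_var() with a sanitize
 * filter returns "" (not false) for an empty field, so a `!== false` test
 * never reports "you forgot to enter your first name".
 */
function cleanFirstName(array $post, array &$errors): ?string
{
    $raw  = isset($post['fname']) && is_string($post['fname']) ? $post['fname'] : '';
    $name = trim($raw);

    if ($name === '') {
        $errors[] = 'You forgot to enter your first name.';
        return null;
    }
    if (!mb_check_encoding($name, 'UTF-8')) {
        $errors[] = 'First name contains invalid characters.';
        return null;
    }

    // Remove markup for storage. strip_tags() keeps the text between tags,
    // so "<p>Alice</p>" becomes "Alice"; a field holding only tags becomes "".
    $name = trim(strip_tags($name));
    if ($name === '') {
        $errors[] = 'You forgot to enter your first name.';
        return null;
    }
    if (mb_strlen($name, 'UTF-8') > FIRST_NAME_MAX_CHARS) {
        $errors[] = 'First name is too long.';
        return null;
    }
    return $name;
}

/** Escape for HTML at the moment of output, never before storage. */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Store with a prepared statement: the driver keeps data and SQL apart, so no
 * mysqli_real_escape_string() call is needed. Table and column are hypothetical.
 */
function saveFirstName(mysqli $dbcon, string $fn): bool
{
    $stmt = $dbcon->prepare('INSERT INTO users (first_name) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $fn);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'empty'      => ['fname' => ''],
    'whitespace' => ['fname' => "  \t "],
    'tags only'  => ['fname' => '<p></p>'],
    'paragraph'  => ['fname' => '<p>Alice</p>'],
    'script'     => ['fname' => '<script>alert(1)</script>'],
    'utf8'       => ['fname' => " Zoë O'Brien "],
];

foreach ($samples as $label => $post) {
    $errors = [];
    $fn = cleanFirstName($post, $errors);
    printf("%-10s cleaned=%s errors=%s html=%s\n",
        $label,
        var_export($fn, true),
        json_encode($errors),
        $fn === null ? '-' : forHtml($fn)
    );
}
// With a live connection the handler would continue with saveFirstName($dbcon, $fn).
```

The point of the split is that "sanitize" means three different things here: deciding whether the field was filled in (a check on the trimmed input), deciding what is allowed to be stored (strip_tags, or better a whitelist of characters for a name), and making the stored value safe for whichever context it is later written into (htmlspecialchars for HTML, a bound parameter for SQL). Escaping for SQL before the empty check, as in the thread's snippets, conflates the last two.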
konfused Posted March 22, 2013

Oh dear. That looks too complicated for a mere newbie like me. I have made a copy of it for study later, but on the strength of your comment: "I wouldn't really recommend you using that filter anyway." I will revert to the simpler system and not use sanitization. I did use the filter_var validation filter successfully on email addresses, but sanitization is too complex.

Many thanks for your help and patience.

Best wishes
HartleySan Posted March 22, 2013

If you simply want to stop HTML tags from getting through, why not use strip_tags: http://php.net/manual/en/function.strip-tags.php

An alternate option (with a slightly different result) is htmlentities: http://php.net/manual/en/function.htmlentities.php
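Added example (editor's code, not HartleySan's or Antonio's) showing the "slightly different result" between strip_tags and htmlentities on the same inputs, and the two UTF-8 traps Antonio alludes to: passing the wrong charset turns each byte of a multibyte character into its own entity, and, without ENT_SUBSTITUTE or ENT_IGNORE, htmlentities is documented to return an empty string for an invalid code unit sequence, so an empty-field check run on its output misreports a bad byte as a missing name. The input strings are constructed; PHP 7.4+ is assumed.

```php
<?php
// Added example, not from the thread: strip_tags() versus htmlentities() on
// identical inputs, with the charset and invalid-UTF-8 traps made visible.
declare(strict_types=1);

/** Run each cleaner over one input and return the results keyed by cleaner. */
function compareCleaners(string $input): array
{
    return [
        // Removes markup, keeps the text between the tags.
        'strip_tags'          => strip_tags($input),
        // Keeps every character, encodes the ones that are special in HTML.
        'htmlentities utf-8'  => htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        // Wrong charset for UTF-8 input: each byte of a multibyte character is
        // read as a Latin-1 character and becomes a separate entity.
        'htmlentities latin1' => htmlentities($input, ENT_QUOTES, 'ISO-8859-1'),
        // No ENT_SUBSTITUTE/ENT_IGNORE: PHP documents that an invalid code unit
        // sequence makes htmlentities() return "".
        'htmlentities strict' => htmlentities($input, ENT_QUOTES, 'UTF-8'),
    ];
}

/** The presence check from the thread, applied to a cleaner's output. */
function looksEmpty(string $cleaned): bool
{
    return trim($cleaned) === '';
}

// Constructed inputs.
$inputs = [
    'paragraph'     => '<p>Alice</p>',
    'script'        => '<script>alert(1)</script>',
    'apostrophe'    => "O'Brien",
    'accented'      => 'Zoë',
    'unclosed tag'  => 'Alice <b',      // strip_tags() drops from '<' to end of string
    'invalid utf-8' => "Al\xFFice",     // 0xFF is never valid in UTF-8
];

foreach ($inputs as $label => $input) {
    echo "== {$label}: " . bin2hex($input) . "\n";
    foreach (compareCleaners($input) as $cleaner => $result) {
        printf("  %-20s %-36s empty=%s\n",
            $cleaner,
            var_export($result, true),
            looksEmpty($result) ? 'yes' : 'no'
        );
    }
}
```

Reading the output side by side makes the choice concrete: strip_tags changes what is stored (the markup is gone for good, and an unclosed tag swallows the rest of the field), while htmlentities changes nothing about the stored text and only decides how it renders; the latter belongs at output time, with an explicit charset and ENT_SUBSTITUTE so that malformed input is visibly replaced rather than silently turned into an empty string.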