Larry Ullman's Book Forums


I seem to have misunderstood the way to sanitize string, here is the code:

 

// Is the first name present? If it is, clean it
if (filter_var($_POST['fname'], FILTER_SANITIZE_STRING)) {
    $fn = mysqli_real_escape_string($dbcon, $_POST['fname']);
} else {
    $errors[] = 'You forgot to enter your first name.';
}

 

It does not remove html tags

 

What am I doing wrong please

 


You need to get the string returned from the function. You can't just make sure the test passes.

 

// Is the first name present? If it is, clean it (keep the filtered value, not just the test result)
$name = filter_var($_POST['fname'], FILTER_SANITIZE_STRING);

// Make sure name is clean
if ($name !== false) {
    $fn = mysqli_real_escape_string($dbcon, $name);
} else {
    $errors[] = 'You forgot to enter your first name.';
}

 

Return Values

Returns the filtered data, or FALSE if the filter fails.


Hello Antonio

 

There is still a problem.

 

Your sample code successfully removed tags such as <p></p> but when the form field is empty, it does not pop the error message into the array. Can you see what I am doing wrong please?

The code is copied and posted here:

// Is the first name present? If it is, clean it
$name = filter_var($_POST['fname'], FILTER_SANITIZE_STRING);
// Make sure name is clean
if ($name !== false) {
    $fn = mysqli_real_escape_string($dbcon, $name);
} else {
    $errors[] = 'You forgot to enter your first name.';
}

 

Also it did not remove the angle brackets from <script>

How can I persuade filter_var to clean JavaScript entries?

Best wishes


Yeah, I just fixed the logical error in your code. You are missing a parameter.

- http://php.net/manual/en/filter.filters.sanitize.php

 

filter_var($var, FILTER_SANITIZE_STRING, _FLAG_HERE);

I wouldn't really recommend you using that filter anyway. There are better ways to remove HTML. You could do it with one of the flags, but you'll meet problems if you want to handle UTF-8 and foreign languages. It's built on the ASCII ranges. Using the filters to escape strings, validate URLs/emails and similar is good usage, though.

 

To remove: http://php.net/manual/en/function.strip-tags.php

To convert: http://www.php.net/manual/en/function.htmlentities.php

 

// Trim input
$name = trim($_POST['fname']);

// Strip HTML/convert, then apply escaping ($dbcon is the mysqli connection from the earlier posts)
$stripped = mysqli_real_escape_string($dbcon, strip_tags($name));
$converted = mysqli_real_escape_string($dbcon, htmlentities($name));

// Display differences
echo 'Stripped: ' . $stripped . '<br />';
echo 'Converted: ' . $converted . '<br />';

// Get string lengths (measure each variant, in UTF-8)
$strLen = mb_strlen($stripped, 'UTF-8');
$conLen = mb_strlen($converted, 'UTF-8');

// Check stripped string
if ($strLen < 1) {
    $errors[] = 'You forgot to enter your first name.';
}

// Check converted string
if ($conLen < 1) {
    $errors[] = 'You forgot to enter your first name.';
}

// ...

 

Hope that helps. Again, it's not a usable solution, but examples you could apply to your own code.

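Pulling the advice in the reply above together, as an added example that is not code from the thread: trim and validate the field first, then escape separately for each destination (a bound parameter for SQL, htmlspecialchars() for HTML) rather than trying to make one "sanitized" string serve both. It assumes $dbcon is the mysqli connection used in the earlier posts and a hypothetical users table with a first_name column.

```php
<?php
// Added example, not from the thread: validate first, then escape per destination.
// Assumes $dbcon is the mysqli connection from the posts above and a
// hypothetical users(first_name) table.

function validate_first_name(array $post): array
{
    $raw = $post['fname'] ?? '';

    // Reject non-UTF-8 input before any string function touches it.
    if (!is_string($raw) || !mb_check_encoding($raw, 'UTF-8')) {
        return [null, ['Invalid characters in first name.']];
    }

    // trim() first: FILTER_SANITIZE_STRING returns '' (not false) for a blank
    // field, which is why a "!== false" test never fires on an empty form field.
    $name = trim($raw);
    if ($name === '') {
        return [null, ['You forgot to enter your first name.']];
    }

    // strip_tags() removes the tags, not the text between them, so a
    // tag-only entry is treated as empty; any remaining script text is
    // neutralised by output escaping below, not here.
    $clean = trim(strip_tags($name));
    if ($clean === '') {
        return [null, ['First name may not consist only of HTML.']];
    }
    if (mb_strlen($clean, 'UTF-8') > 50) {
        return [null, ['First name is too long.']];
    }
    return [$clean, []];
}

// SQL: bind the value; no mysqli_real_escape_string() needed.
function insert_first_name(mysqli $dbcon, string $fn): bool
{
    $stmt = $dbcon->prepare('INSERT INTO users (first_name) VALUES (?)');
    $stmt->bind_param('s', $fn);
    return $stmt->execute();
}

// HTML: escape when displaying, so the stored value stays unescaped.
function display_first_name(string $fn): string
{
    return htmlspecialchars($fn, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input (not from the thread): tags are dropped, the UTF-8 name is kept.
[$fn, $errors] = validate_first_name(['fname' => '<script>alert(1)</script>Ångström']);
```

Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, which is another reason to prefer strip_tags() or htmlspecialchars() as the reply suggests.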

Oh dear

 

That looks too complicated for a mere newbie like me. I have made a copy of it for study later, but on the strength of your comment: "I wouldn't really recommend you using that filter anyway." I will revert to the simpler system and not use sanitization. I did use the filter_var validation filter successfully on email addresses but sanitization is too complex.

 

Many thanks for your help and patience.

Best wishes
