PHP用户输入数据过滤以提交到MySQL数据库-建议

Question

I'm building a class for filtering data, and I've been compiling various recommendations.

This is primarily to avoid faulty data from user input in the database, and also an additional level to help prevent not yet thought of types of injection attacks, etc. (NOTE: this does NOT replace the need to also use prepared statements with any data submitted to a database.)

As much as possible, I do not want to return an error, I want to "make the data work". It's assuming someone accidentally typed a ; or ' etc. in an input field, where it can't be accepted. Or left in thousand separators (,) in a number where they shouldn't be. So just take it out and continue.

I wanted to put this out there for others to critique and use. I know there are other questions about this type of thing, but I haven't seen any with a combined recommendation for various types.

My question is - what would you do differently? Would you be concerned about users entering a number like "47387.284.02"? If so, how could I eliminate the the second dot (decimal point, period) and everything after? (While still allowing numbers like ".75" and "10.20")

// Use for numbers - integers, floats
function filterNumbers($data) {
    $data = trim(htmlentities(strip_tags($data)));
    $data = preg_replace('/[^.0-9]/', "", $data); // only numeric values allowed (and decimal point)
    $data = filter_var($data, FILTER_SANITIZE_NUMBER_FLOAT,FILTER_FLAG_ALLOW_FRACTION);
    $data = mysqli_real_escape_string($GLOBALS['con2'], $data);
    return $data;
}

// Use for short strings - alphanumeric only - usernames, varieties, etc.
function filterExtreme($data) {
    $data = trim(htmlentities(strip_tags($data)));
    $data = preg_replace('/[^ ._A-Za-z0-9]/', "", $data);
    $data = mysqli_real_escape_string($GLOBALS['con'], $data);
    return $data;
}

// Use for email addresses
function filterEmail($data) {
    $data = filter_var($data, FILTER_SANITIZE_EMAIL);
    $data = mysqli_real_escape_string($GLOBALS['con'], $data);
    return $data;
}

// Use for comments where some special characters may be desired
function filterComment($data) {
    $data = trim(htmlentities(strip_tags($data)));
    $data = filter_var($data, FILTER_SANITIZE_STRING,FILTER_FLAG_ENCODE_HIGH);
    $data = mysqli_real_escape_string($GLOBALS['con'], $data);
    return $data;
}

Note: $con is the connection details to the MySQL database.

Answer 1

You are correct to be concerned with proper data entry, but I agree with Bill Karwin's comments above (I can't make a comment due to my rep). There's no way to know the user's intent, so "making it work" might make things worse for them in the end. If they entered a ';' then it's possible they got something else wrong too.

Preventing unwanted character entry should be handled via the interface as much as possible, and your back-end code should simply test for compliance. If it fails, return an error code and let the front-end deal with it.

Stripping commas from numbers or trimming white-space probably isn't too bad, but that's also something I'd try to handle on the front whenever possible. You just have to deal with it as needed.