Sanitizing user input, is it safe?
Question
I want to know the most secure way to sanitize data that is given to a PHP script, this is the function I have come up with, do you think that it's safe enough to use?
function santatizeName($data)
{
$data = filter_var($data, FILTER_SANITIZE_STRING);
$data = preg_replace('/[^a-z]/i','',$data); //Removes everything but letters.
$data = ucfirst($data); //Capatilizes first letter.
return $data;
}
Would love your feedback, new to PHP security.
3 answers
solution1
2 2013-01-16 01:05:27
The concept of input sanitation is actually futile on strings, given the business need of using all characters in most fields, especially in name fields (think Mr. O'Hara, Mrs. Smith-Meyer and Mr. Möller), and given the fact that almost any character is dangerous in some other context. You should look into properly escaping/encoding your string data whenever it changes context (such as when you put it into a database query, shell command, or input into dynamically generated HTML/CSS/JS/whatever). Use safe APIs for DB access, such as prepared statements, instead of constructing SQL by string concatenation.
That being said, you might find the OWASP PHP filters or OWASP ESAPI for PHP useful.
solution2
1 2013-01-16 00:57:00
You might want to review the following php documentation regarding sanitization filters.
http://php.net/manual/en/filter.filters.sanitize.php
and
solution3
0 2013-01-16 01:00:39
查看http://htmlpurifier.org/虽然它不仅仅是消毒。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.