Sanitizing means cleaning up the data in your form, to prevent malicious scripts from executing. You need to be careful when receiving input from any form, since forms are a way for users to pass information to your server. Malicious users can sometimes try to get access to sensitive information by exploiting unsafe pages. The most misuse security threats happen when your form is saving information to an existing database, outputting the info to a page or emailing data to someone else. If you've been following along with this video, you've already learned how to use regular expressions to validate user input.
One way to sanitize your input is to check what the user types versus regular expression patterns. PHP also has a lot of functions that can help you prevent the misuse of your forms. Which ones you use depends on the context of what you're trying to prevent. Strip_tags() removes HTML tags from input fields. It's useful if you want to strip any links or other code out of the text. You can take a look at the PHP manual for more information about strip_tags() Htmlspecialchars() converts some characters to HTML entities.
So, for example the less than or greater than signs become ampersand lt and ampersand gt. If some user input gets printed, it won't become a part of your page. For example, somebody might type in a script tag or a closing body tag and when that prints out, it would stop your page or create a script that runs. Here's the page for html special characters and the phpWebSite. HTML entities is pretty much like HTML special characters, but it converts as many characters as possible.
It has a lot of parameters to allow you to control what gets converted. Here is a page for that function. Mysqli_real_escape_string is used for database sanitizing. It removes special characters that could be considered dangerous when passed into a database. The last function, filter_var, is the most powerful and flexible of all the functions. It lets you do what all the other functions do and provides a number of filters and configurations for customization.
Here's a page in the phpWebSite. And you want to make sure you click on the types of filters to take a look at all of the different kinds of filters available. So there's Validation filters and Sanitization filters. So let's click on those. You could see that every one of those filters has a lot of options. Let's try this out on our page. I'm going to modify the common field, so you can't put HTML tags in there. So, I need to go all the way to the bottom and add a small thing to the label, that will just let people know that HTML is not allowed.
Then I'm going to go to the top and find the place where I check for the comment section, and that's right here. So I'm checking the post variable for comments. And what I want to do here is use the filtervar function, pass along the comments from the post superglobal, as well as the constant that I want to filter with. And I'm just going to sanitize string which will remove any HTML special characters. And I need to make my comments be equal to all that.
What I'm doing here is taking the variable my comments and running a filter sanatizing the string from the posted comments. So let's go ahead and save this, and I'm going to refresh this page, just reload the form. Notice that it says, HTML is not allowed. And I'll try typing something in here with HTML. I'm going to hit Send, and when this reloads, the tag is gone from the bold word. Most of the time you should be using the filter_var function.
You will often see the mysqli_real_escape_string function used in database applications. Some of these functions require different versions of PHP, so if you have a server running on PHP4, some of the more convenient modern functions are not going to work.
- Understanding forms
- Adding required fields and placeholders
- Accepting multiple entries
- Limiting uploads
- Handling focus changes
- Validating with regular expressions
- Working with older browsers
- Building jQuery validation
- Using server-side validation
- Sanitizing form input
- Uploading files
- Sending form data to a database