PHP Sanitize Data | Amir Kamizi

Last Updated on Feb 15, 2023

Introduction

Sanitizing data is a very important step, especially when you are dealing with user data.

What does it mean to sanitize data?

It means cleaning up your data using deleting, replacing, encoding, or escaping techniques.

Sanitize Data

Do you remember when we used filters to validate email?

We are going to use the same function, but with different filters, to sanitize data.

So let's see an example:

filter_var($string, FILTER_SANITIZE_STRING);

Here it doesn't validate the data (it doesn't tell us whether it's a string or not); it sanitizes it, cleaning up the string.

So if we have an input like this:

$string = '<p>here is a html paragraph</p>';

It would clean and return this:

$filtered = filter_var($string, FILTER_SANITIZE_STRING);
// here is a html paragraph

As you can see, it has removed the HTML tags for us.

Here is a list of the most useful filters for sanitizing your data:

FILTER_SANITIZE_STRING

Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters.

If you are using PHP < 8.1, this filter is very useful and powerful. However, as of PHP 8.1 this filter is deprecated and you should no longer rely on it; it is recommended to use FILTER_SANITIZE_FULL_SPECIAL_CHARS, which I will explain in this post, or the htmlspecialchars() function instead.

$string = '<p>here is a html paragraph</p>';
$filtered = filter_var($string, FILTER_SANITIZE_STRING);
// here is a html paragraph
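The migration the paragraph above recommends, as an added example that is not part of the original post: the old filter's behaviour is rebuilt from its documented definition (strip tags, then HTML-encode quotes) purely to show what changes, and the helper names are this example's own.

```php
<?php
declare(strict_types=1);

/**
 * Behaviour of the deprecated FILTER_SANITIZE_STRING filter, rebuilt from its
 * documented definition: strip tags, then HTML-encode double and single quotes.
 * Only useful to reproduce old output while migrating; it discards data.
 * Assumption for this example: the FILTER_FLAG_NO_ENCODE_QUOTES flag was not in use.
 */
function legacySanitizeString(string $value): string
{
    return str_replace(['"', "'"], ['&#34;', '&#39;'], strip_tags($value));
}

/**
 * The replacement the post recommends: nothing is removed, every HTML-significant
 * character (<, >, &, quotes) is encoded, so the original text is preserved and the
 * value is safe to print inside an HTML element.
 */
function encodeForHtml(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

$string = '<p>here is a "html" paragraph</p>';

echo legacySanitizeString($string), PHP_EOL; // tags gone, quotes turned into numeric entities: data lost
echo encodeForHtml($string), PHP_EOL;        // tags kept as entities; the browser shows the literal text
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8'), PHP_EOL; // explicit equivalent of encodeForHtml()
```

Run the three lines side by side before swapping filters in an existing code base: code that depended on tags being removed will now receive encoded tags instead, which is safer for output but may break anything that searched or compared the stored value.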

FILTER_SANITIZE_EMAIL

Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].

$string = '<example>email@test€.com';
$filtered = filter_var($string, FILTER_SANITIZE_EMAIL);
// exampleemail@test.com

FILTER_SANITIZE_URL

Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

$string = '<example>url°test€.com';
$filtered = filter_var($string, FILTER_SANITIZE_URL);
// <example>urltest.com

FILTER_SANITIZE_ENCODED

URL-encode string, optionally strip or encode special characters.

$string = 'test=example query & another=test query!';
$filtered = filter_var($string, FILTER_SANITIZE_ENCODED);
// test%3Dexample%20query%20%26%20another%3Dtest%20query%21

FILTER_SANITIZE_ADD_SLASHES

Apply addslashes().

$string = "have you visited amir's website!";
$filtered = filter_var($string, FILTER_SANITIZE_ADD_SLASHES);
// have you visited amir\'s website!

FILTER_SANITIZE_NUMBER_FLOAT

Remove all characters except digits, +- and optionally .,eE.

You should add the flag FILTER_FLAG_ALLOW_FRACTION if you want to keep the decimals.

$string = "$616.15&";
$filtered = filter_var($string, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
// 616.15

FILTER_SANITIZE_NUMBER_INT

Remove all characters except digits, plus and minus sign.

$string = "$-15&";
$filtered = filter_var($string, FILTER_SANITIZE_NUMBER_INT);
// -15

FILTER_SANITIZE_FULL_SPECIAL_CHARS

Equivalent to calling htmlspecialchars() with ENT_QUOTES set.

$string = "characters like < and &";
$filtered = filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
// characters like &lt; and &amp;

You can see a list of all the filters and flags on PHP's official website.
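Putting the filters from this list together, as an added example that is not from the original post: a constructed sign-up form is sanitized and then validated, and for fields where dropping characters would silently change the meaning, the example rejects input the sanitizer had to modify rather than accepting the altered value. The function name, field names and sample values are this example's own.

```php
<?php
declare(strict_types=1);

/**
 * Sanitize a sign-up form with the filters above, then validate every field.
 * A sanitize filter only drops or encodes characters and never says the value
 * was acceptable, so each result is re-checked with a FILTER_VALIDATE_* filter.
 * Where dropping characters silently changes the meaning (an age of "2e1"
 * becomes "21"), input that the sanitizer had to modify is rejected outright.
 * Returns [clean values, field => reason for each rejected field].
 */
function cleanSignupForm(array $raw): array
{
    // field => [sanitize filter, validate filter, reject if sanitizing changed the value]
    $spec = [
        'email'   => [FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL, true],
        'website' => [FILTER_SANITIZE_URL, FILTER_VALIDATE_URL, true],
        'age'     => [FILTER_SANITIZE_NUMBER_INT, FILTER_VALIDATE_INT, true],
        // free text: encoding is expected to change the value, so no strict check
        'bio'     => [FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_DEFAULT, false],
    ];
    $values = [];
    $errors = [];
    foreach ($spec as $field => [$sanitize, $validate, $strict]) {
        $input = (string) ($raw[$field] ?? '');
        $clean = filter_var($input, $sanitize);
        if ($strict && $clean !== $input) {
            $errors[$field] = 'contains characters that are not allowed';
            continue;
        }
        $valid = filter_var($clean, $validate);
        if ($valid === false) {
            $errors[$field] = 'not a valid value';
            continue;
        }
        $values[$field] = $valid;
    }
    return [$values, $errors];
}

// Constructed sample submission reusing the stray characters from the examples above.
$raw = [
    'email'   => '<example>email@test€.com',       // sanitizer would silently "repair" it: rejected
    'website' => 'https://example.com/?q=test',    // unchanged by the sanitizer, passes validation
    'age'     => '2e1',                            // would become 21 after sanitizing: rejected
    'bio'     => 'I like <b>PHP</b> & "security"', // kept, with HTML-significant characters encoded
];
[$values, $errors] = cleanSignupForm($raw);
print_r($values);
print_r($errors);
```

Encoding on the way in, as FILTER_SANITIZE_FULL_SPECIAL_CHARS does for the bio field, makes the stored value safe to echo into HTML, but it will be double-encoded if you also escape at render time and it is not the right escaping for a SQL query or a shell command. Many teams therefore store the validated raw text and escape at output time for each context.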

Conclusion

Now you know about sanitizing data in PHP.

I recommend you open a PHP file and try sanitizing different types of data.

If you have any suggestions, questions, or opinions, please contact me. I’m looking forward to hearing from you!

Key takeaways

  • Sanitizing data in PHP
  • filter_var
  • Cleaning up data in PHP
  • FILTER_SANITIZE_STRING
  • FILTER_SANITIZE_EMAIL
  • FILTER_SANITIZE_URL
  • FILTER_SANITIZE_ENCODED
  • FILTER_SANITIZE_ADD_SLASHES
  • FILTER_SANITIZE_NUMBER_FLOAT
  • FILTER_SANITIZE_NUMBER_INT

Category: programming

Tags: #php
