PHP Sanitize Data
Last Updated on Feb 15, 2023
Introduction
Sanitizing data is a very important step, especially when you are dealing with user data.
What does it mean to sanitize data?
It means cleaning up your data with deleting, replacing, encoding, or escaping techniques. Sanitizing is not the same as validating: a validate filter tells you whether the input is acceptable and leaves it alone, while a sanitize filter changes the input so that what is left fits the expected shape.
Sanitize Data
Do you remember when we used filters to validate email?
We are going to use the same function, filter_var(), but with sanitize filters instead of validate filters.
So let’s see an example
filter_var($string, FILTER_SANITIZE_STRING);
Here it doesn’t validate the data to tell us if it’s string or not. It sanitizes it. It cleans up the string.
So if we have an input like this:
$string = '<p>here is a html paragraph</p>';
It would clean and return this:
$filtered = filter_var($string, FILTER_SANITIZE_STRING);
// here is a html paragraph
As you can see it has removed the HTML tags for us.
Here is a list of the most useful filters to sanitize your data. Note that FILTER_SANITIZE_* constants are filters (the second argument of filter_var()), while FILTER_FLAG_* constants are flags that tune a filter's behaviour (the third argument).
FILTER_SANITIZE_STRING
Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters.
If you are using PHP < 8.1 this filter still runs without complaint, but keep in mind that it is lossy: anything that looks like a tag is deleted, including legitimate text such as a<b. On PHP >= 8.1 it is deprecated: it still works but emits a deprecation notice and is scheduled for removal in the next major version, so it is recommended to use FILTER_SANITIZE_FULL_SPECIAL_CHARS, which I will explain later in this post, or the htmlspecialchars() function instead. Both encode the special characters rather than deleting them, so nothing the user typed is lost and the result is safe to place in an HTML body or a quoted attribute.
$string = '<p>here is a html paragraph</p>';
$filtered = filter_var($string, FILTER_SANITIZE_STRING);
// here is a html paragraph
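The following is an added example, not code from the original post. It wraps the PHP >= 8.1 replacement for FILTER_SANITIZE_STRING in a helper and, on PHP < 8.1 only, runs the old stripping filter on the same constructed inputs so the two behaviours can be compared. The function names and the sample strings are my own choices.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post: the PHP >= 8.1 replacement
// for FILTER_SANITIZE_STRING, run beside the deprecated filter on PHP < 8.1
// (where it raises no deprecation notice) so the outputs can be compared.

// Encoding keeps every byte of the input and makes it inert in an HTML body
// or a quoted attribute; this is what FILTER_SANITIZE_FULL_SPECIAL_CHARS does.
function encodeForHtml(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// The same result through htmlspecialchars(), with the charset and
// ENT_SUBSTITUTE spelled out so an invalid UTF-8 sequence becomes U+FFFD
// instead of the whole string being rejected.
function encodeForHtmlExplicit(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The stripping filter, kept only for the comparison. Guarded by version so
// this script runs cleanly on PHP 8.1+, where using the filter is deprecated.
function stripLegacy(string $value): ?string
{
    if (PHP_VERSION_ID >= 80100) {
        return null;
    }
    return (string) filter_var($value, FILTER_SANITIZE_STRING);
}

// Constructed inputs: the post's paragraph, legitimate text that merely
// contains < and >, and a tag carrying an event handler.
$samples = [
    'paragraph'  => '<p>here is a html paragraph</p>',
    'comparison' => 'a<b and c>d',
    'attack'     => '<img src=x onerror=alert(1)>',
];

foreach ($samples as $label => $input) {
    printf("%-10s encoded:  %s\n", $label, encodeForHtml($input));
    printf("%-10s explicit: %s\n", $label, encodeForHtmlExplicit($input));
    $legacy = stripLegacy($input);
    if ($legacy !== null) {
        printf("%-10s stripped: %s\n", $label, $legacy);
    }
}
```

On PHP < 8.1 the stripped column shows the cost of stripping: the comparison string loses the `<b and c>` run because it looks like a tag, and the attack is reduced to an empty string, so you cannot tell afterwards what was submitted. The encoded column keeps all three inputs as readable, inert text, which is why encoding is the recommended replacement.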
FILTER_SANITIZE_EMAIL
Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].
$string = '<example>email@test€.com';
$filtered = filter_var($string, FILTER_SANITIZE_EMAIL);
// exampleemail@test.com
FILTER_SANITIZE_URL
Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
$string = '<example>url°test€.com';
$filtered = filter_var($string, FILTER_SANITIZE_URL);
// <example>urltest.com
FILTER_SANITIZE_ENCODED
URL-encode string, optionally strip or encode special characters.
$string = 'test=example query & another=test query!';
$filtered = filter_var($string, FILTER_SANITIZE_ENCODED);
// test%3Dexample%20query%20%26%20another%3Dtest%20query%21
FILTER_SANITIZE_ADD_SLASHES
Apply addslashes(). This only puts a backslash in front of single quotes, double quotes, backslashes and NUL bytes; it is not a defense against SQL injection, so use prepared statements with bound parameters for database queries instead.
$string = "have you visited amir's website!";
$filtered = filter_var($string, FILTER_SANITIZE_ADD_SLASHES);
// have you visited amir\'s website!
FILTER_SANITIZE_NUMBER_FLOAT
Remove all characters except digits, +- and optionally .,eE.
You should add the option FILTER_FLAG_ALLOW_FRACTION if you want to keep the decimals.
$string = '$616.15&';
$filtered = filter_var($string, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
// 616.15
FILTER_SANITIZE_NUMBER_INT
Remove all characters except digits, plus and minus sign.
$string = '$-15&';
$filtered = filter_var($string, FILTER_SANITIZE_NUMBER_INT);
// -15
FILTER_SANITIZE_FULL_SPECIAL_CHARS
Equivalent to calling htmlspecialchars() with ENT_QUOTES set, so <, >, &, double quotes and single quotes become HTML entities. Like htmlspecialchars(), it honours default_charset, and if the input contains a byte sequence that is invalid in that character set the whole string is rejected and an empty string is returned, so check the result before using it.
$string = "characters like < and &";
$filtered = filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
// characters like &lt; and &amp;
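The filters above are rarely used one at a time. As an added example (my code, not the post's), here is a small form handler that applies them in the order a practitioner wants: sanitize the structured fields, validate what is left, and encode the free-text field for whichever output context it lands in. The request array, the field names and the validateProfile() helper are constructed for the demo; a real handler would read $_POST through filter_input_array() with the same definition array.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Constructed request data
// standing in for $_POST; a real handler would call
// filter_input_array(INPUT_POST, $definition) instead of filter_var_array().
$request = [
    'name'  => "O'Brien <script>alert(1)</script>",
    'email' => '<b>alice</b>@example.com',
    'age'   => '42 years',
    'price' => '$19.99',
];

// Step 1: sanitize. The definition uses the same filter IDs as filter_var().
// 'name' is deliberately left raw: free text is encoded at output time
// (step 3) rather than rewritten on the way in.
$definition = [
    'name'  => FILTER_UNSAFE_RAW,
    'email' => FILTER_SANITIZE_EMAIL,
    'age'   => FILTER_SANITIZE_NUMBER_INT,
    'price' => [
        'filter' => FILTER_SANITIZE_NUMBER_FLOAT,
        'flags'  => FILTER_FLAG_ALLOW_FRACTION,
    ],
];
$clean = filter_var_array($request, $definition);

// Step 2: validate. A sanitize filter only deletes characters; it never says
// whether what is left makes sense. FILTER_VALIDATE_* returns false on bad
// input, so compare with === false (0 is a valid integer).
function validateProfile(array $clean): array
{
    $errors = [];
    $email = filter_var($clean['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not valid';
    }
    $age = filter_var($clean['age'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    if ($age === false) {
        $errors[] = 'age is out of range';
    }
    $price = filter_var($clean['price'], FILTER_VALIDATE_FLOAT);
    if ($price === false) {
        $errors[] = 'price is not a number';
    }
    if ($clean['name'] === '' || strlen($clean['name']) > 100) {
        $errors[] = 'name length is wrong';
    }
    return ['errors' => $errors, 'email' => $email, 'age' => $age, 'price' => $price];
}
$result = validateProfile($clean);

// The email field shows the catch with sanitizing: the tags are deleted and
// the leftover letters are glued onto the address, which then passes
// validation even though it is not what the user typed. For fields where a
// silent rewrite matters, validate the raw input and reject it instead.
$rawEmailOk = filter_var($request['email'], FILTER_VALIDATE_EMAIL) !== false;

// Step 3: encode for the sink. Each context has its own escaping rule, so the
// same raw name is encoded three different ways here. For SQL none of these
// applies: bind the value with a prepared statement instead of escaping it.
$name  = $clean['name'];
$html  = '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
$query = 'https://example.com/search?' . http_build_query(['name' => $name]);
$json  = json_encode(
    ['name' => $name],
    JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);

printf("sanitized: %s\n", var_export($clean, true));
printf("validation errors: %s\n", $result['errors'] ? implode(', ', $result['errors']) : 'none');
printf("raw email valid: %s\n", $rawEmailOk ? 'yes' : 'no');
printf("html:  %s\nquery: %s\njson:  %s\n", $html, $query, $json);
```

Running it shows the sanitized email as baliceb@example.com, which FILTER_VALIDATE_EMAIL accepts while the raw value is rejected; that difference is the argument for validating before, or instead of, repairing input whose exact value matters. The name field never changes until it is written out, so the stored value stays correct for every context.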
You can see a list of all the filters and flags on PHP's official website.
Conclusion
Now you know about sanitizing data in PHP.
I recommend opening a PHP file and trying to sanitize different types of data.
If you have any suggestions, questions, or opinions, please contact me. I’m looking forward to hearing from you!
Key takeaways
- Sanitizing data in php
- filter var
- cleaning up the data in php
- FILTER_SANITIZE_STRING
- FILTER_SANITIZE_EMAIL
- FILTER_SANITIZE_URL
- FILTER_SANITIZE_ENCODED
- FILTER_SANITIZE_ADD_SLASHES
- FILTER_SANITIZE_NUMBER_FLOAT
- FILTER_SANITIZE_NUMBER_INT
- FILTER_SANITIZE_FULL_SPECIAL_CHARS