Sanitizing the user input with the PHP filter_var function

Nowadays validating the user input in web applications is really important and in this article we review the filter_var function that can be very useful when programming in PHP ...



If you develop an application that uses data retrieved from remote sources, that data must always be sanitised before it's displayed to the user. If you don't, attackers can embed malicious content in your web pages without your knowledge. Most often, these attacks consist of sending your application cleverly disguised input that tricks it into doing something it shouldn't. A common example of this type of exploit is the "SQL injection attack," where an attacker remotely manipulates your database with an SQL query embedded in a form input. Therefore, one of the most important things a developer must do before using user input is to "clean up" the input by removing any special characters or symbols.

There are different approaches to sanitizing user input, but in this tutorial we'll focus on the filter_var function, which has been available since PHP version 5.2. PHP's filter extension lets you either validate that data matches a specific format or type, or sanitize data that would fail that validation.

Let's consider an example of a field in which the user is supposed to enter his email address, and we wish to sanitize the value entered in it with the PHP filter_var function. The filter_var function can be used either to validate the input (check whether the entered value matches the required format) or to sanitize it (remove any unwanted characters).
In the following example, if a user's email is


$email="whatever@whatever.com";

and we use 


filter_var($email, FILTER_SANITIZE_EMAIL);


the function will return whatever@whatever.com

and if we have 


$email="whatever@whatever.com";

then the function will return 

whatever@whatever.comsomething

If we use the same example but with the FILTER_VALIDATE_EMAIL filter, the first call will again return whatever@whatever.com, but the second will return false.

With any of the FILTER_VALIDATE_* filters, if the entered value doesn't match the required format, the filter_var function returns false.

Whether you want to clean or validate your input data depends largely on what you want to use the resulting data for. If you just want to keep invalid characters out of a data store, cleansing may be the right approach. If you want to ensure that the data is both within the expected character set and represents a valid input, data validation is the safer bet.
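The contrast described above, as an added example that is not part of the original article: the same input is run through a validating filter for each field, with comments noting what the corresponding sanitizing filter would have produced instead. Field names are hypothetical and the input array is constructed to stand in for $_POST.

```php
<?php
// Added example (not from the original article): sanitizing only strips
// characters and cannot say whether what is left is meaningful; validating can.
// Field names are hypothetical and the input array stands in for $_POST.

function checkProfile(array $in): array
{
    $errors = [];
    // Validate: the value is returned only if it is a well-formed address,
    // whereas FILTER_SANITIZE_EMAIL would silently drop the bad characters.
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    }

    // Range-checked integer: "42abc" is rejected here even though
    // FILTER_SANITIZE_NUMBER_INT would turn it into "42".
    $age = filter_var($in['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === false) {
        $errors[] = 'age must be an integer between 13 and 120';
    }

    // Public IPv4 only: private (RFC 1918) and reserved ranges are rejected.
    $ip = filter_var($in['ip'] ?? '', FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($ip === false) {
        $errors[] = 'ip must be a public IPv4 address';
    }

    // FILTER_NULL_ON_FAILURE separates a genuine "no" (false) from junk (null).
    $newsletter = filter_var($in['newsletter'] ?? '', FILTER_VALIDATE_BOOLEAN,
        FILTER_NULL_ON_FAILURE);
    if ($newsletter === null) {
        $errors[] = 'newsletter must be yes or no';
    }

    // Even validated values belong in SQL via prepared statements, not concatenation.
    return ['errors' => $errors, 'values' => compact('email', 'age', 'ip', 'newsletter')];
}

// Constructed sample: each field survives sanitizing, yet none passes validation.
$result = checkProfile([
    'email'      => 'whatever@whatever.com<script>', // sanitizes to whatever@whatever.comscript
    'age'        => '42abc',                          // sanitizes to 42
    'ip'         => '10.0.0.5',                       // well-formed, but a private address
    'newsletter' => 'maybe',                          // neither true nor false
]);
print_r($result['errors']); // four messages, one per field
```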

You may find below some of the most used sanitize filters:

FILTER_SANITIZE_EMAIL
Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].

FILTER_SANITIZE_NUMBER_FLOAT
Remove all characters except digits, +- and optionally .,eE.

FILTER_SANITIZE_NUMBER_INT
Remove all characters except digits, plus and minus sign.

FILTER_SANITIZE_SPECIAL_CHARS
HTML-encode '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.

FILTER_SANITIZE_FULL_SPECIAL_CHARS
Equivalent to calling htmlspecialchars() with ENT_QUOTES set.

FILTER_SANITIZE_STRING
Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters. This filter is deprecated as of PHP 8.1; escape on output with htmlspecialchars() instead.

FILTER_SANITIZE_URL
Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

and also the validate filters:

FILTER_VALIDATE_BOOLEAN
Returns true for "1", "true", "on" and "yes", and false otherwise. With FILTER_NULL_ON_FAILURE set, false is returned only for "0", "false", "off", "no" and "", and null for anything that is not a boolean.

FILTER_VALIDATE_DOMAIN
Validates whether the domain name label lengths are valid.

FILTER_VALIDATE_EMAIL
Validates whether the value is a valid e-mail address.

FILTER_VALIDATE_FLOAT
Validates value as float, optionally from the specified range, and converts to float on success.

FILTER_VALIDATE_INT
Validates value as integer, optionally from the specified range, and converts to int on success.

FILTER_VALIDATE_IP
Validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges.

FILTER_VALIDATE_REGEXP
Validates value against a regular expression supplied in the options.

FILTER_VALIDATE_URL
Validates value as URL.

To read more about filter_var and see other practical examples, please visit https://www.php.net/manual/en/function.filter-var.php

2024 © SofiaCoder.com