
Possible Duplicate:
Best way to prevent SQL injection in PHP?

My html web form in the php site takes data from the client side and puts it into the mysql database. I was wondering the steps needed to sanitize the data before storing it into mysql.

Assuming this sanitization would need to be performed using PHP and then inserted into Mysql, could you please let me know what all needs to be taken care of?

As a special case, apart from general sanitization, I would want to remove all special characters, spaces, and convert all characters into their lower case before putting into the database. What are the functions that I need to look at for doing this?

I'm quite new to php.

Thanks.

  • Also I can not imagine that the "extra" questions haven't been asked and answered before. Use the search first. Commented Oct 17, 2012 at 18:17

2 Answers


1. mysqli_real_escape_string() or mysql_real_escape_string() to escape quotes

2. Use PHP filter_input for other form data:

$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);

There are other options in the PHP manual; here are the links:

http://php.net/manual/en/function.filter-input.php

http://www.php.net/manual/en/filter.filters.sanitize.php



First of all, sanitize input using mysqli_real_escape_string(), which will escape quotes in the string.

You can use strtolower() for converting characters to lowercase.

Use htmlspecialchars() to convert special characters to HTML entities.

Use regular expressions to remove white space: preg_replace( '/\s+/', ' ', $whatever );

If you want to remove special characters you can use preg_replace('#[^\w()/.%\-&]#',"",$whatever); regular expression. (Source)

Other sanitization filter reference here

And last but not least, as you are a beginner I would recommend you refer to the documentation.

10 Comments

I'm tempted to -1 for htmlentities() when in most cases htmlspecialchars is the way to go..
well the answer is just misleading and repeats common misconceptions and therefore deserves a -1, not for the single function call but the overall "approach" to the "problem".
@PeeHaa Can you edit instead of downvoting it?
@hakre misleading in what terms?
@Mr.Alien Parameterised queries are better than escaping quotes.
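The last comment's point (parameterised queries instead of escaping) combined with the normalisation the question asks for, as an added example that is not from either answer. It assumes a hypothetical table `usernames` with a column `name` and constructed database credentials.

```php
<?php
// Added example, not code from the answers above. Assumes a hypothetical table
// `usernames` with a column `name`; the credentials below are constructed.
declare(strict_types=1);

// Normalise the value the way the question asks: lowercase, then keep only
// letters, digits and underscore. This is a whitelist, so the stored value can
// only ever consist of [a-z0-9_]; spaces and all other characters are dropped.
function normalize_username(string $raw): string
{
    $lower = mb_strtolower(trim($raw), 'UTF-8');
    $clean = preg_replace('/[^a-z0-9_]/', '', $lower);
    return $clean ?? '';
}

// Store the value with a prepared statement. The value is sent to MySQL as a
// bound parameter, never spliced into the SQL text, so no escaping step is
// needed and a quote in the input cannot change the query.
function store_username(mysqli $db, string $raw): int
{
    $name = normalize_username($raw);
    if ($name === '') {
        throw new InvalidArgumentException('nothing left after normalisation');
    }
    $stmt = $db->prepare('INSERT INTO usernames (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->affected_rows;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // constructed credentials
$db->set_charset('utf8mb4'); // keep client and server charset consistent

// Constructed sample inputs. Both are stored as plain data after normalisation;
// neither the quote nor the SQL keywords can alter the INSERT.
store_username($db, "  Robert'); DROP TABLE usernames;--  "); // stored as: robertdroptableusernames
store_username($db, "Jöhn Doe #42");                           // stored as: jhndoe42

// HTML escaping belongs at output time, when a stored value is rendered into a
// page, not before it goes into the database.
$stored = normalize_username("Jöhn Doe #42");
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Because the whitelist regex strips everything outside [a-z0-9_], the stored value is safe to render as well, but escaping on output keeps that guarantee independent of how the row was written.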
