
I've just started attempts to validate data in PHP and I'm trying to understand this concept better. I was expecting the string passed as an argument to the $data parameter for the test_input() function to be formatted by the following PHP functions.

  1. trim() to remove white space from the end of the string
  2. stripslashes() to return a string with backslashes stripped off
  3. htmlspecialchars() to convert special characters to HTML entities

The issue is that the string that I am echoing at the end of the function is not being formatted in the way I desire at all. In fact it looks exactly the same when I run this code on my server - no white space removed, the backslash is not stripped and no special characters converted to HTML entities.

My question is have I gone about this in the wrong approach? Should I be creating the variable called $santised_input on 3 separate lines with each of the functions trim(), stripslashes() and htmlspecialchars()?

By my understanding surely I am overwriting the value of the $santised_input variable each time I recreate it on a new line of code. Therefore the trim() and stripslashes() string functions will never be executed.

What I am trying to achieve is using the "$santised_input" variable to run all of these PHP string functions when the $data argument is passed to my test_input() function. In other words can these string functions be chained together so that I only need to create $santised_input once?

<?php

function test_input($data) {
   $santised_input = trim($data);
   $santised_input = stripslashes($data);
   $santised_input = htmlspecialchars($data);
   echo $santised_input;
}

test_input("%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E\     ");

//Does not output desired result "&quot;&gt;&lt;script&gt;alert('hacked')&lt;/script&gt;"

?>

4 Answers

Score: 6

You're performing each of the string functions on the original $data variable, and overwriting the value of $santised_input each time. The output will be no different from simply running the last string function and neither of the first two.

To solve, perform the latter functions on the $santised_input variable:

function test_input($data) {
   $santised_input = trim($data);
   $santised_input = stripslashes($santised_input);
   $santised_input = htmlspecialchars($santised_input);
   echo $santised_input;
}

3 Comments

Thanks so much for clearing this up. Please can I ask one final thing? I know now that I was overwriting the value of $santised_input with $data. In the example you have posted we are using $santised_input instead of $number because this variable can store the output and then build on it each time?
Yeah, the output of the previous function is re-used in the next function each time to get the final result =]
Thanks again, you've really helped me today.
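As an added example (not code from the question or the answer above), here is the corrected chain from the answer written as a function that returns its result instead of echoing it, with the htmlspecialchars() flags a practitioner would normally set. The function name sanitise_for_html and the two sample strings are this example's own. It also shows why the string in the question would not have produced the expected output even after the fix: that string is percent-encoded, and htmlspecialchars() only encodes the literal characters &, <, >, " and ', so a "%3C" passes through untouched. The web server has already decoded percent-encoding by the time a value reaches $_GET or $_POST, which is the form the second sample imitates.

```php
<?php
declare(strict_types=1);

// Added example, not the page's own code: the corrected trim() ->
// stripslashes() -> htmlspecialchars() chain, each step fed the result
// of the previous one.
function sanitise_for_html(string $data): string
{
    $clean = trim($data);            // strip leading and trailing whitespace
    $clean = stripslashes($clean);   // remove backslash escaping
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid
    // byte sequences instead of returning an empty string; the explicit
    // charset avoids depending on the default_charset ini setting.
    return htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs (assumptions of this example).
// 1. The question's string as written: still percent-encoded, so only the
//    single quotes are candidates for encoding.
$percent_encoded = "%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E\\     ";
// 2. The same payload after the web server has decoded the query string,
//    which is what a form handler actually receives in $_GET/$_POST.
$decoded = "\"><script>alert('hacked')</script>\\     ";

foreach ([$percent_encoded, $decoded] as $sample) {
    printf("in:  %s\nout: %s\n\n", $sample, sanitise_for_html($sample));
}
```

Run it with `php` on the command line and compare the two outputs: the decoded sample comes back with every markup character replaced by an entity, while the percent-encoded one is left almost unchanged. One further caveat: stripslashes() existed to undo the magic_quotes_gpc behaviour that was removed in PHP 5.4, so on a modern PHP it actively deletes backslashes the user typed; htmlspecialchars() alone is the step that matters for HTML output encoding.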
Score: 1

Edit: Sorry, misread the question. You actually can do:

$sanitised_input = htmlspecialchars(stripslashes(trim($data)));

and that should do the trick, I think.

Score: 0

I never trust these functions; I'd do it with a regex using preg_replace.

http://www.php.net/manual/es/function.preg-replace.php

Score: 0

You should also be aware of the filtering functions added in PHP 5: filter_var.

Strings can be sanitized as follows:

$sanitised = filter_var($data, FILTER_SANITIZE_STRING);

There are various options you can use for sanitizing it, for example:

$sanitised = filter_var($data, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);

These functions are particularly useful for validating and sanitizing URLs and emails via FILTER_SANITIZE_URL and FILTER_SANITIZE_EMAIL.
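The following is an added example, not the answer's own code, showing the filter_var() approach the answer recommends for e-mail addresses and URLs. It uses the FILTER_VALIDATE_* filters rather than only the FILTER_SANITIZE_* ones, because a sanitizing filter silently rewrites the input into something valid, whereas a validating filter rejects it and lets the application tell the user. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so HTML output encoding is left to htmlspecialchars(). The function names and sample values are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the answer's code: validate-then-accept rather than
// sanitize-and-hope. Each function returns the accepted value or null.
function validated_email(string $input): ?string
{
    // Validate the trimmed input as typed. A rejected address is returned
    // to the user rather than being silently "repaired".
    $valid = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function sanitised_then_validated_email(string $input): ?string
{
    // The sanitizing filter strips characters that are not allowed in an
    // address, which can turn a typo into a different, valid address.
    $candidate = filter_var(trim($input), FILTER_SANITIZE_EMAIL);
    $valid = filter_var((string) $candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function validated_http_url(string $input): ?string
{
    $valid = filter_var(trim($input), FILTER_VALIDATE_URL);
    if ($valid === false) {
        return null;
    }
    // FILTER_VALIDATE_URL checks syntax only and accepts any scheme, so
    // restrict to the schemes this application actually expects.
    $scheme = strtolower((string) parse_url($valid, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $valid : null;
}

// Constructed sample inputs (assumptions of this example).
$samples = [
    'user@example.com',
    '  user@example.com  ',
    'user@exam ple.com',        // a space inside the address
    'https://example.com/path?q=1',
    'ftp://example.com/file',   // syntactically a URL, wrong scheme
    'not a url at all',
];

foreach ($samples as $s) {
    printf(
        "%-32s validate=%s sanitize+validate=%s url=%s\n",
        var_export($s, true),
        validated_email($s) ?? 'reject',
        sanitised_then_validated_email($s) ?? 'reject',
        validated_http_url($s) ?? 'reject'
    );
}
```

Compare the two e-mail columns for the sample containing a space: the validate-only path rejects it, while the sanitize-then-validate path first deletes the space and then accepts the result, which is the behaviour to be aware of before using a FILTER_SANITIZE_* filter on data you will later act on. The scheme allow-list on the URL side is there because FILTER_VALIDATE_URL is a syntax check, not a policy check.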
