how to sanitize data in php code example

Example 1: php filters

#Filter Validation

<?php
    //checks for posted data
    /*
    if(filter_has_var(INPUT_POST,'data')){
        echo 'Data Found';
    }else{
        echo 'No Data';
    }
    */
    if(filter_has_var(INPUT_POST,'data')){
        //remove illegal chars
        $email = $_POST['data'];
        $email = filter_var($email, FILTER_SANITIZE_EMAIL);
        echo $email.'<br>';

     //validate as an email address
     if(filter_input(INPUT_POST, 'data', FILTER_VALIDATE_EMAIL)){
        echo 'Email is Valid';
     }else{
        echo 'Email is not Valid';
     }
    
     //we can use the below if we use the sanatizer above
     if(filter_var($email, FILTER_VALIDATE_EMAIL)){
        echo 'Email is Valid';
     }else{
        echo 'Email is not Valid';
    }
}
    #Other Validations
    #FILTER_VALIDATE_BOOLEAN
    #FILTER_VALIDATE_EMAIL
    #FILTER_VALIDATE_FLOAT
    #FILTER_VALIDATE_INT
    #FILTER_VALIDATE_IP
    #FILTER_VALIDATE_REGEXP  'REGULAR EXPRESSION'
    #FILTER_VALIDATE_URL

    #Other sanatizes
    #FILTER_SANATIZE_EMAIL
    #FILTER_SANATIZE_ENCODED
    #FILTER_SANATIZE_NUMBER_FLOAT
    #FILTER_SANATIZE_NUMBER_INT
    #FILTER_SANATIZE_SPECIAL_CHARS
    #FILTER_SANATIZE_STRING
    #FILTER_SANATIZE_URL

    //EXAMPLE int VALIDATION
    $var = 'john';
    if(filter_var($var, FILTER_VALIDATE_INT)){
        echo '<br>'.$var.' is a number<br>';
    }else{
        echo '<br>'.$var.' is not a number'.'<br>';
    }

    //EXAMPLE int Sanitazion
    $var2 = '33k2dsdffgsdf3563sdf';
    var_dump(filter_var($var2, FILTER_SANITIZE_NUMBER_INT));

    //ARRAY USAGE
    $filters = array(
        "data" => FILTER_VALIDATE_EMAIL,
        "data2" => array(
            "filter" => FILTER_VALIDATE_INT,
            "options" => array(
                "min_range" => 1,
                "max_range" => 100
        )
        )
    );
    print_r(filter_input_array(INPUT_POST, $filters));

?>

<form method ="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
    <input type="text" name="data">
    <input type="text" name="data2">
    <button type="submit">Submit</button>
</form>

Example 2: php clean user input

<?php
    function cleanUserInput($userinput) {
  
  		// Open your database connection
      	$dbConnection = databaseConnect();
  
  		// check if input is empty
        if (empty($userinput)) {
          return;
        } else {
          
        // Strip any html characters
        $userinput = htmlspecialchars($userinput);
        
		// Clean input using the database  
        $userinput = mysqli_real_escape_string($dbConnection, $userinput);
        }
       
  	  // Return a cleaned string
      return $userinput;
    }
?>

Tags:

Php Example