Sanitising for HTML

$MyString = htmlspecialchars($MyString, ENT_QUOTES);
// '&' (ampersand) becomes '&amp;'
// '"' (double quote) becomes '&quot;'
// "'" (single quote) becomes '&#039;'
// '<' (less than) becomes '&lt;'
// '>' (greater than) becomes '&gt;'

Convert special HTML entities back to characters

// On PHP older than 8.1 pass ENT_QUOTES as the second argument as well, otherwise '&#039;' is left as-is
$MyString = htmlspecialchars_decode($MyString);

Sanitising for HTML from a form POST

See page here.

filter_var() function

Returns the filtered input string, or FALSE if the filter could not be applied (e.g. because of an illegal character).

  if (($MyVariable = filter_var($EnteredEmail, FILTER_SANITIZE_EMAIL)) !== false) {
      // $MyVariable now holds the sanitised address
  }

See here for all the available filter options

See here for examples of using filter_var().

URL Encode and Decode

Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits, and spaces have been encoded as plus (+) signs. A space is encoded as %20 in URLs and as + in submitted form data (content type application/x-www-form-urlencoded).

  $UrlString = urlencode($OriginalString);
  $OriginalString = urldecode($UrlString);
Example
  $MyString = "This is my sample text, with special chars. #%!\"'^-_£&";
  echo "Start string: $MyString<br>";
  
  $MyString = urlencode($MyString);
  echo "urlencode(): $MyString<br>";
  
  $MyString = urldecode($MyString);
  echo "urldecode(): $MyString<br>";

  //Produces:
  //  Start string: This is my sample text, with special chars. #%!"'^-_£&
  //  urlencode(): This+is+my+sample+text%2C+with+special+chars.+%23%25%21%22%27%5E-_%C2%A3%26
  //  urldecode(): This is my sample text, with special chars. #%!"'^-_£&
If you want to pass a URL as a query-string argument you can do this:

//The HTML link carrying the URL argument
//A trailing '/' is added because otherwise a file extension period '.' in $MyStringContainingAUrl
//stops the argument being seen as one value and the browser treats it as a file link instead
$Url .= '<a href="/my_file?iurl=' . urlencode($MyStringContainingAUrl) . '/" >';
  
//The page the argument was passed to
//PHP has already URL-decoded $_REQUEST['iurl'], so calling urldecode() on it again would double-decode;
//only the trailing '/' that was added above is removed, and the value is escaped before going into the attribute
$MyStringContainingAUrl .= '<img src="' . htmlspecialchars(rtrim($_REQUEST['iurl'], '/'), ENT_QUOTES) . '" >';
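Added example, not from the original page, tying the htmlspecialchars section above to the iurl link: urlencode (via http_build_query) protects the query value, htmlspecialchars protects the HTML attribute around it, and the receiving page must not urldecode() again because PHP has already decoded the parameter. The helper names h(), build_image_link() and render_image(), the scheme check and the sample values are assumptions made for this demonstration.

```php
<?php
// Added example (not the original page's code). Helper names and sample
// inputs are assumed for this demonstration.

declare(strict_types=1);

// Escape a value for insertion into HTML text or a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the <a href> that carries another URL in the "iurl" query parameter.
// http_build_query() urlencodes the value; h() escapes the attribute.
function build_image_link(string $imageUrl): string
{
    $href = '/my_file?' . http_build_query(['iurl' => $imageUrl]);
    return '<a href="' . h($href) . '">view</a>';
}

// Render the <img> on the receiving page. PHP has already URL-decoded the
// request parameter, so no urldecode() call is made here (a second decode
// would turn a literal "%3C" sent by the client into "<").
function render_image(array $request): string
{
    $src = (string) ($request['iurl'] ?? '');
    // Assumed policy: only http(s) URLs may be used as an image source.
    if (!preg_match('#^https?://#i', $src)) {
        return '';
    }
    return '<img src="' . h($src) . '">';
}

// Constructed inputs: a benign image URL and one that tries to break out
// of the src attribute with an embedded double quote.
$benign  = 'https://example.com/pics/photo.jpg';
$hostile = 'https://example.com/x.jpg" class="injected';

echo build_image_link($benign), "\n";

// Simulate what the receiving page sees after PHP parses the query string:
// the quote survives decoding but is neutralised by h() on output.
parse_str('iurl=' . urlencode($hostile), $parsed);
echo render_image($parsed), "\n";
```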

PHP adds a backslash before a forward slash

(e.g. / becomes \/ )

It's a JSON issue. JSON escapes all special characters by default, so the backslash appears in the encoded string; when decoded you get the original value back without it. If it is causing a problem you need to resolve, see the stripslashes tip about it needing to be at the final echo here.

General PHP only use

function SanitizeString($var)
{
	$var = strip_tags($var);
	$var = htmlentities($var);
	return stripslashes($var);
}
//OR JUST USE THIS
$my_string = stripslashes(htmlentities(strip_tags($my_string)));

htmlentities

htmlentities() converts things like < > " \ etc. into HTML strings like &lt; so they become harmless.

  $CameFromPage = htmlentities($_SERVER['HTTP_REFERER']);

Stopping New Lines In A Text Box Being Converted To <br />

// Replace CRLF line breaks with a space before escaping the value for the query
$my_text = mysqli_real_escape_string($dblink, str_replace("\r\n", " ", $_POST['myform_text_field']));