Sanitising for HTML
$MyString = htmlspecialchars($MyString, ENT_QUOTES);
// '&' (ampersand) becomes '&amp;'
// '"' (double quote) becomes '&quot;'
// "'" (single quote) becomes '&#039;'
// '<' (less than) becomes '&lt;'
// '>' (greater than) becomes '&gt;'
Convert special HTML entities back to characters
$MyString = htmlspecialchars_decode($MyString);
Sanitising for HTML from a form POST
See page here.
filter_var() function
Returns the input string filtered, or FALSE if it was unable to perform the sanitization (e.g. due to an illegal character)
if (($MyVariable = filter_var($EnteredEmail, FILTER_SANITIZE_EMAIL)) !== false) {
    // $MyVariable now holds the sanitised e-mail address; otherwise filtering failed
}
See here for all the available filter options
See here for examples of using filter_var().
URL Encode and Decode
Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits, and spaces encoded as plus (+) signs. A space is encoded to %20 in URLs and to + in form-submitted data (content type application/x-www-form-urlencoded).
$UrlString = urlencode($OriginalString);
$OriginalString = urldecode($UrlString);
Example
$MyString = "This is my sample text, with special chars. #%!\"'^-_£&";
echo "Start string: $MyString<br>";
$MyString = urlencode($MyString);
echo "urlencode(): $MyString<br>";
$MyString = urldecode($MyString);
echo "urldecode(): $MyString<br>";
//Produces:
// Start string: This is my sample text, with special chars. #%!"'^-_£&
// urlencode(): This+is+my+sample+text%2C+with+special+chars.+%23%25%21%22%27%5E-_%C2%A3%26
// urldecode(): This is my sample text, with special chars. #%!"'^-_£&
If you want to pass a file URL as an argument you can do this:
//The HTML link with the URL argument
$Url .= '<a href="/my_file?iurl=' . urlencode($MyStringContainingAUrl) . '/" >'; //We add a trailing '/' otherwise a file extension period '.' in $MyStringContainingAUrl buggers up the argument being seen as one and not a file link to the browser
//The page the argument was passed to
//PHP has already URL-decoded $_REQUEST, so do not urldecode() it again (a literal '+' in the value would become a space); the value lands in an HTML attribute, so escape it for that context
$ImgTag .= '<img src="' . htmlspecialchars(rtrim($_REQUEST['iurl'], '/'), ENT_QUOTES) . '" >'; //Remove the trailing '/' that was added to avoid the period breaking the url argument
PHP adds back slash before forward slash
(e.g. / becomes \/ )
It's a JSON issue. JSON encoding escapes special characters, including forward slashes, by default. When decoded, you get the original value back without the backslash. If it is causing issues you need to resolve, see the stripslashes tip here about needing to be at the final echo.
General PHP only use
function SanitizeString($var)
{
    $var = strip_tags($var);
    $var = htmlentities($var);
    return stripslashes($var);
}
//OR JUST USE THIS
$my_string = stripslashes(htmlentities(strip_tags($my_string)));
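An added PHP example (not from the original page) that runs one constructed untrusted string through the sanitisers covered above: htmlspecialchars() for HTML output, urlencode() for the iurl-style link argument, and the SanitizeString() pipeline. It also uses parse_str() to simulate what PHP has already done to $_REQUEST by the time the receiving page reads iurl. The function names forHtml and forQueryArg are assumptions.

```php
<?php
// Added example, not from the original page. $untrusted is a constructed sample.
$untrusted = '<b onmouseover="x">Tom & Jerry\'s "1+1"</b>';

// HTML body/attribute context: ENT_QUOTES escapes &, <, >, " and ' so the
// browser shows the text instead of parsing it as markup.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// URL query-argument context (the iurl link): '&', '=', '+' and '/' inside the
// value are percent-encoded so they cannot split or alter the query string.
function forQueryArg(string $s): string
{
    return urlencode($s);
}

// The page's SanitizeString() pipeline, with explicit flags and charset.
function sanitizeString(string $s): string
{
    return stripslashes(htmlentities(strip_tags($s), ENT_QUOTES, 'UTF-8'));
}

// Sending page: put the encoded value into the link.
$link = '<a href="/my_file?iurl=' . forQueryArg($untrusted) . '">link</a>';

// Receiving page: PHP decodes the query string into $_GET/$_REQUEST itself.
// parse_str() applies the same decoding, so $params stands in for $_REQUEST here.
parse_str('iurl=' . forQueryArg($untrusted), $params);

// Already decoded: identical to the original value.
$roundTripOk = ($params['iurl'] === $untrusted);
// A second urldecode() is lossy: the literal '+' in the value becomes a space.
$doubleDecodeLossy = (urldecode($params['iurl']) !== $untrusted);

// The value goes into an HTML attribute, so it gets HTML escaping, not URL decoding.
$img = '<img src="' . forHtml($params['iurl']) . '">';

echo 'forHtml:             ' . forHtml($untrusted) . PHP_EOL;
echo 'forQueryArg:         ' . forQueryArg($untrusted) . PHP_EOL;
echo 'sanitizeString:      ' . sanitizeString($untrusted) . PHP_EOL;
echo 'link:                ' . $link . PHP_EOL;
echo 'round trip intact:   ' . var_export($roundTripOk, true) . PHP_EOL;
echo 'double decode lossy: ' . var_export($doubleDecodeLossy, true) . PHP_EOL;
echo 'img:                 ' . $img . PHP_EOL;
```

Both boolean lines come out true: the value PHP hands you is already the original string, and decoding it a second time corrupts any literal '+' it contained.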
htmlentities
htmlentities() converts things like < > " \ etc into HTML strings like &lt; so they become harmless.
$CameFromPage = htmlentities($_SERVER['HTTP_REFERER']);
Stopping New Lines In A Text Box Being Converted To <br />
$my_text = mysqli_real_escape_string($dblink, str_replace("\r\n", " ", $_POST['myform_text_field']));