PHP
filter_var will do both: sanitize and validate data. What's the difference between the two?
- Sanitizing will remove any illegal character from the data.
- Validating will determine if the data is in proper form.
Note: why sanitize and not just validate? The user may have accidentally typed a wrong character, or the value may have come from a bad copy and paste. By sanitizing the data, you take the responsibility for hunting down the mistake off the user.
How to use filter_var
Using filter_var is incredibly easy. It's simply a PHP function that takes two pieces of data:
- The variable you want to check
- The type of check to use
For example, the below code will remove all HTML tags from a string:
$string = "<h1>Hello, World!</h1>";
$new_string = filter_var($string, FILTER_SANITIZE_STRING);
// $new_string is now "Hello, World!"
// Note: FILTER_SANITIZE_STRING is deprecated since PHP 8.1; strip_tags() on input plus htmlspecialchars() on output covers the same need.

$ip = "127.0.0.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is "127.0.0.1" (truthy): a validating filter returns the value itself on success
$ip = "127.0.1.1.1.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is FALSE

That's how simple it is to use filter_var. For a complete list of all the rules you can check against, see the end of this tutorial.

Sanitizing Example

Below is a quick example of sanitizing input from two fields: an email field and a home page field. This example will remove any characters that should not occur in either type of data.
<?php
// The sanitizing filters only drop characters that never belong in an address.
// FILTER_SANITIZE_URL still allows < > and quotes, so the result is passed through
// htmlspecialchars() before it is echoed into the page.
if (isset($_POST['email'])) {
    echo htmlspecialchars(filter_var($_POST['email'], FILTER_SANITIZE_EMAIL));
    echo "<br/><br/>";
}
if (isset($_POST['homepage'])) {
    echo htmlspecialchars(filter_var($_POST['homepage'], FILTER_SANITIZE_URL));
    echo "<br/><br/>";
}
?>
<form name="form1" method="post" action="form-sanitize.php">
    Email Address: <br/>
    <input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email'] ?? ''); ?>" size="50"/>
    <br/><br/>
    Home Page: <br/>
    <input type="text" name="homepage" value="<?php echo htmlspecialchars($_POST['homepage'] ?? ''); ?>" size="50" />
    <br/><br/>
    <input type="submit" />
</form>
$mail_to = 'me@somewhere.com';
$subject = 'New Mail from Form Submission';
$message = 'From: ' . $_POST['name'] . "\n";
$message .= 'Email: ' . $_POST['email'] . "\n";
$message .= 'Homepage: ' . $_POST['homepage'] . "\n";
$message .= "Message:\n" . $_POST['message'] . "\n\n";
And finally, send the message:
mail($mail_to, $subject, $message);   // $mail_to is the recipient defined above
However, if there were any errors, report them and have the user try again:
echo '<div style="color: red">' . $errors . '<br/></div>';
The completed project looks like this:
<?php
$errors = '';   // collects validation messages; an empty string means the form is clean
if (isset($_POST['Submit'])) {
    if ($_POST['name'] != "") {
        // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; strip_tags() plus
        // htmlspecialchars() on output is the modern equivalent
        $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
        if ($_POST['name'] == "") {
            $errors .= 'Please enter a valid name.<br/><br/>';
        }
    } else {
        $errors .= 'Please enter your name.<br/>';
    }
    if ($_POST['email'] != "") {
        $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors .= htmlspecialchars($email) . " is <strong>NOT</strong> a valid email address.<br/><br/>";
        }
    } else {
        $errors .= 'Please enter your email address.<br/>';
    }
    if ($_POST['homepage'] != "") {
        $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
        if (!filter_var($homepage, FILTER_VALIDATE_URL)) {
            // FILTER_SANITIZE_URL leaves < > and quotes in place, so escape before echoing
            $errors .= htmlspecialchars($homepage) . " is <strong>NOT</strong> a valid URL.<br/><br/>";
        }
    } else {
        $errors .= 'Please enter your home page.<br/>';
    }
    if ($_POST['message'] != "") {
        $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
        if ($_POST['message'] == "") {
            $errors .= 'Please enter a message to send.<br/>';
        }
    } else {
        $errors .= 'Please enter a message to send.<br/>';
    }
    if (!$errors) {
        $mail_to = 'me@somewhere.com';
        $subject = 'New Mail from Form Submission';
        $message = 'From: ' . $_POST['name'] . "\n";
        $message .= 'Email: ' . $email . "\n";         // the sanitized, validated values, not the raw POST
        $message .= 'Homepage: ' . $homepage . "\n";
        $message .= "Message:\n" . $_POST['message'] . "\n\n";
        mail($mail_to, $subject, $message);            // $mail_to, not an undefined $to
        echo "Thank you for your email!<br/><br/>";
    } else {
        echo '<div style="color: red">' . $errors . '<br/></div>';
    }
}
?>
<form name="form1" method="post" action="form-email.php">
Name: <br/>
<input type="text" name="name" value="<?php echo htmlspecialchars($_POST['name'] ?? ''); ?>" size="50" /><br/><br/>
Email Address: <br/>
<input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email'] ?? ''); ?>" size="50"/> <br/><br/>
Home Page: <br/>
<input type="text" name="homepage" value="<?php echo htmlspecialchars($_POST['homepage'] ?? ''); ?>" size="50" /> <br/><br/>
Message: <br/>
<textarea name="message" rows="5" cols="50"><?php echo htmlspecialchars($_POST['message'] ?? ''); ?></textarea><br/>
<input type="submit" name="Submit" />
</form>
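The tutorial chains a sanitizing filter into a validating one but never shows the reader what the sanitizer threw away. The following is an added example, not code from the original tutorial: a small helper (check_field, a name chosen here) reports the raw value, the sanitized value, whether validation passed, and whether sanitizing changed anything, over a few constructed inputs, including the IP case with the range flags the validate-IP example leaves out.

```php
<?php
// Added example, not code from the original tutorial. It runs a value through
// a sanitizing filter and then a validating filter, and reports whether the
// sanitizer changed the input, since a silently altered value may no longer
// mean what the user intended.
declare(strict_types=1);

function check_field(string $raw, int $sanitizer, int $validator, int $flags = 0): array
{
    $clean = filter_var($raw, $sanitizer);            // strip characters the type never contains
    $valid = filter_var($clean, $validator, $flags);  // the value on success, false on failure
    return [
        'raw'     => $raw,
        'clean'   => (string) $clean,
        'valid'   => $valid !== false,
        'changed' => $clean !== $raw,                  // true when sanitizing removed something
    ];
}

// Constructed sample inputs; FILTER_DEFAULT passes a value through unchanged.
$cases = [
    ['user@example.com',       FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL, 0],
    ['us er@example.com',      FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL, 0], // stray space removed, now valid
    ['user@@example.com',      FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL, 0], // survives sanitizing, fails validation
    ['http://example.com/a b', FILTER_SANITIZE_URL,   FILTER_VALIDATE_URL,   0], // space removed: a different URL now validates
    ['127.0.0.1',              FILTER_DEFAULT,        FILTER_VALIDATE_IP,    0], // syntactically an IP address
    ['127.0.0.1',              FILTER_DEFAULT,        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE],                   // loopback fails once reserved ranges are excluded
];

foreach ($cases as [$raw, $sanitizer, $validator, $flags]) {
    $r = check_field($raw, $sanitizer, $validator, $flags);
    printf("%-26s -> %-24s valid=%-3s changed=%s\n",
        $r['raw'], $r['clean'], $r['valid'] ? 'yes' : 'no', $r['changed'] ? 'yes' : 'no');
}
```

A changed=yes result is worth showing back to the user rather than silently mailing the altered value on, and a plain FILTER_VALIDATE_IP pass says only that the text is shaped like an address, not that it is one the application should treat as public.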