3

What are some good PHP html (input) sanitizers?

Preferably, if something is built in - I'd like to use that.

UPDATE:

Per the request, via comments, input should not allow HTML (and obviously prevent XSS & SQL Injection, etc).

5
  • I think this question needs some more info; are you talking about allowing the user to input HTML directly, and sanitizing it to remove tags like <script>? In the meantime, I'd say some basic suggested reading for anyone looking for similar info would be the section on Filtering Input in the book "Essential PHP Security" - books.google.ca/… Commented Apr 30, 2010 at 14:24
  • for what certain purpose you need your sanitization? Commented Apr 30, 2010 at 14:27
  • Take a look at this question: stackoverflow.com/questions/1383756/… Commented Apr 30, 2010 at 15:36
  • @Boris, the link you provided seems to only be relevant for XSS. What about SQL Injection? Commented Apr 30, 2010 at 15:48
  • SQL Injection is SQL-server dependent; you should not rely on a third-party library but on the functions provided by your SQL software, like mysql_real_escape_string() for MySQL Commented May 3, 2010 at 10:15

4 Answers

2

html purifier -> http://htmlpurifier.org/


1 Comment

Hm. It says it removes XSS attacks, but my XSS-attack string (from ha.ckers.org/xss.html) came cleanly through.
0

I've always used PHP's addslashes() and stripslashes() functions, but I also just saw the built-in filter_var() function (link). Looks like there are quite a few built-in filters.

1 Comment

for what purpose did you use PHP's addslashes() and stripslashes() functions?
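The built-in filter extension mentioned in this answer is most useful for validating rather than sanitizing: a FILTER_VALIDATE_* call returns false when the value does not fit, so bad input is rejected instead of silently reshaped. The following is an added example, not code from the answer; the field names and the $_POST-shaped sample array are constructed, and it assumes the mbstring extension is available.

```php
<?php
// Added example: validate untrusted form fields with filter_var() and keep
// free text raw, encoding it only when it is rendered into HTML.

function validate_signup(array $raw): array
{
    $errors = [];
    $clean  = [];

    // filter_var() returns false on mismatch, so the check fails closed.
    $email = filter_var($raw['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    // A range keeps "17abc" and out-of-range numbers out; the result is a real int.
    $age = filter_var($raw['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'must be an integer between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // FILTER_VALIDATE_URL accepts schemes other than http(s), so the scheme
    // is checked separately before the value is accepted as a link.
    $site = filter_var($raw['website'] ?? '', FILTER_VALIDATE_URL);
    if ($site === false
        || !in_array(parse_url($site, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors['website'] = 'must be an http(s) URL';
    } else {
        $clean['website'] = $site;
    }

    // Free text cannot be "validated"; bound its length, store it raw and
    // encode it for the output context later.
    $bio = (string) ($raw['bio'] ?? '');
    if (mb_strlen($bio, 'UTF-8') > 500) {
        $errors['bio'] = 'too long';
    } else {
        $clean['bio'] = $bio;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample input, shaped like $_POST.
$sample = [
    'email'   => 'alice@example.com',
    'age'     => '17abc',
    'website' => 'javascript:alert(1)',
    'bio'     => "I like <b>bold</b> text & 'quotes'",
];

$result = validate_signup($sample);
print_r($result['errors']);   // 'age' and 'website' are rejected

// At render time, encode for the HTML context:
echo htmlspecialchars($result['clean']['bio'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

FILTER_SANITIZE_STRING, the filter people most often reach for, is deprecated as of PHP 8.1; for HTML output htmlspecialchars() at render time, as above, is the reliable replacement.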
0

If you want to run a query that uses, let's say, $_GET['user'], a nice solution would be to do something like this using mysql_real_escape_string():

<?php

    // mysql_real_escape_string() needs an open mysql_connect() link
    $user = mysql_real_escape_string($_GET['user']);
    // use the escaped variable in the query, not the raw one
    $SQL = "SELECT * FROM users WHERE username = '$user'";

    //run $SQL now
    // ...
?>

If you want to store a text in a database and then print it on a web page, consider using htmlentities.

[Edit]Or as awshepard said, you can use addslashes() and stripslashes() functions[/Edit]

Here is a little example of sanitization when it comes to prevent XSS attacks:

<?php
    $str = "A 'quote' is <b>bold</b>";

    //Outputs: A 'quote' is <b>bold</b>
    echo $str;

    // Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
    echo htmlentities($str);

    // Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
    echo htmlentities($str, ENT_QUOTES);
?>

3 Comments

Wouldn't your MySQL example open you up to SQL Injection? (Your example should use Prepared Statements.)
I don't use Prepared Statements. I use mysql_real_escape_string(), as in the example, a lot in my PHP code and until now I was unable to find a way to exploit the code I've written. Maybe I don't see a possible attack vector that can bypass mysql_real_escape_string(), so if you have an example please let me know. I always want to learn something new.
@Dr Optix, StackOverflow confirms that mysql_real_escape_string() does not always prevent SQL Injection --> stackoverflow.com/questions/1220182/…
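The comment thread above asks for the prepared-statement alternative to string-building with mysql_real_escape_string(). The following is an added example, not code from the answer: it uses PDO with real server-side prepares, so the SQL text and the bound values are sent separately and no quoting step exists to get wrong, and it moves HTML encoding to output time. The DSN, credentials, table and column names are placeholders.

```php
<?php
// Added example: parameterised queries with PDO, plus encoding at output.

function connect(): PDO
{
    // Placeholder DSN and credentials; charset in the DSN matters so the
    // driver and server agree on the encoding of bound values.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // true server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function find_user(PDO $pdo, string $username): ?array
{
    // The value is bound, never interpolated: quotes in $username stay data.
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Identifiers cannot be bound as parameters, so the sort column comes from an
// allow-list; LIMIT is bound explicitly as an integer.
function list_users(PDO $pdo, string $orderBy, int $limit): array
{
    $allowed = ['username' => 'username', 'created' => 'created_at'];
    $column  = $allowed[$orderBy] ?? 'username';
    $stmt = $pdo->prepare("SELECT id, username FROM users ORDER BY $column LIMIT :lim");
    $stmt->bindValue(':lim', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Escaping belongs to the output context. For HTML text and attributes:
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$pdo  = connect();
$name = $_GET['user'] ?? '';
$user = find_user($pdo, $name);
if ($user === null) {
    echo '<p>No such user: ', h($name), '</p>';
} else {
    // The bio was stored raw; it is encoded here because this is an HTML context.
    echo '<h1>', h($user['username']), '</h1><p>', h($user['bio'] ?? ''), '</p>';
}
```

Storing the raw value and encoding on output keeps the data reusable in other contexts (JSON, e-mail, a CSV export) where HTML entities would be wrong, which is the main practical argument against the htmlentities-before-storing approach.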
0

Use

 $input_var=sanitize_input($_POST);

and the functions are below; they sanitize almost everything you need.

function sanitize($var, $santype = 1){
    if ($santype == 1) {return strip_tags($var);}
    if ($santype == 2) {return htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8');}
    if ($santype == 3) {
        if (!get_magic_quotes_gpc()) {
            return addslashes(htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8'));
        } else {
            return htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8');
        }
    }
    return $var; // unknown $santype: return the value unchanged instead of null
}

function sanitize_input($input,$escape_mysql=false,$sanitize_html=true,
         $sanitize_special_chars=true,$allowable_tags='<br><b><strong><p>')
{
    unset($input['submit']); //we use the 'submit' variable for all of our forms

    $input_array = $input;

    //array is not referenced when passed into foreach
    //this is why we create another exact array
    foreach ($input as $key=>$value)
    {
        if(!empty($value))
        {
            $input_array[$key]=strtolower($input_array[$key]);
            //strip the slashes added by magic quotes
            if(get_magic_quotes_gpc()){$input_array[$key]=stripslashes($input_array[$key]);}

            if($sanitize_html){$input_array[$key] = strip_tags($input_array[$key],$allowable_tags);}

            if($sanitize_special_chars){$input_array[$key] = htmlspecialchars($input_array[$key]);}

            if($escape_mysql){$input_array[$key] = mysql_real_escape_string($input_array[$key]);}
        }
    }

    return $input_array;
}

Remember: it will not sanitize a multidimensional array; you need to modify it recursively.
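The closing note says the function must be made recursive to handle nested arrays such as $_POST['address']['city']. The following is an added example, not the answer's code, of that recursive version. Following the question's update (no HTML allowed) it strips all tags from every string, filters array keys as well as values, caps nesting depth, and drops the magic_quotes and mysql_real_escape_string steps (magic quotes no longer exist in current PHP, and SQL escaping belongs to the database layer); HTML encoding is left to output time. The sample $_POST-shaped array is constructed.

```php
<?php
// Added example: recursive input sanitizer for nested form arrays.

const MAX_DEPTH = 5;

function sanitize_tree($input, int $depth = 0)
{
    if ($depth > MAX_DEPTH) {
        // Deeply nested input is almost never legitimate; refuse it rather than recurse on.
        throw new InvalidArgumentException('input nested too deeply');
    }

    if (is_array($input)) {
        $out = [];
        foreach ($input as $key => $value) {
            // Keys are attacker-controlled too: allow only simple identifiers.
            if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string) $key)) {
                continue;
            }
            if ($key === 'submit') {
                continue;   // form button, never data
            }
            $out[$key] = sanitize_tree($value, $depth + 1);
        }
        return $out;
    }

    if (is_string($input)) {
        if (!mb_check_encoding($input, 'UTF-8')) {
            return '';  // invalid byte sequences are dropped rather than "repaired"
        }
        // Remove NUL and other control characters except tab, LF and CR.
        $input = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $input);
        // No HTML is allowed, so strip every tag (the text inside tags is kept).
        return trim(strip_tags($input));
    }

    // Anything else (ints, bools, null) passes through; types are validated
    // separately with filter_var() by the caller.
    return $input;
}

// Encoding for the HTML context happens when the value is rendered.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample shaped like $_POST.
$post = [
    'name'     => "  Alice <script>alert(1)</script> ",
    'submit'   => 'Send',
    'address'  => [
        'city'  => "Zürich<img src=x>",
        'lines' => ['1st floor', "<b>Main St</b> & 5th"],
    ],
    'bad key!' => 'ignored',
];

$clean = sanitize_tree($post);
print_r($clean);
// name => "Alice alert(1)", address/city => "Zürich",
// address/lines/1 => "Main St & 5th"; 'submit' and 'bad key!' are gone.
echo '<p>', h($clean['address']['lines'][1]), '</p>';   // <p>Main St &amp; 5th</p>
```

Note that strip_tags() keeps the text between tags, so "alert(1)" survives as plain text; that is harmless once the value is encoded on output, but it is a reminder that stripping tags is not the same as validating the field.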
