views:

159

answers:

4

What would be the most efficient way to clean a user input that is a comma-separated string made entirely of numbers - e.g.

2,40,23,11,55

I use this function on a lot of my inputs

function clean($input) {
    // escapes HTML entities first, then quotes the result for MySQL (needs an open mysql_* connection)
    $input = mysql_real_escape_string(htmlentities($input, ENT_QUOTES));
    return $input;
}

And on simple integers I do:

if (filter_var($_POST['var'], FILTER_VALIDATE_INT) === false) { // strict compare: 0 is a valid integer but falsy
    echo('error - bla bla');
    exit;
}

So should I explode it and then check every element of the array with the code above, or maybe replace all occurrences of ',' with '' and then check that the whole thing is a number? What do you guys think?

+2  A: 
if (ctype_digit(str_replace(",", "", $input))) {
  //all ok. very strict. input can only contain numbers and commas. not even spaces
} else {
  //not ok
}

If it is CSV, and there might be spaces around the digits or commas and maybe even some quotation marks, it is better to use a regex to check whether it matches.

jitter
You may want to remove white space as well - depends on the "csv" one is dealing with.
micahwittman
Thanks, didn't notice the csv tag
jitter
+2  A: 
if (!preg_match('/\A\d+(,\d+)*\z/', $input)) die('bad input');
Mister
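Putting the two validate-and-reject answers above into practice, as an added example that is not part of any answer on this page: the anchored regex accepts the whole string or nothing, the digit-count limit keeps `(int)` from silently clamping at `PHP_INT_MAX`, and the validated integers are then bound as parameters to an `IN (...)` clause instead of being escaped. The `items` table and its columns are assumptions, as is the optional single space after each comma.

```php
<?php
// Added example, not from the original answers. Validates the whole list with the
// anchored regex, converts it to integers, and builds a parameterised IN clause so
// the values never pass through mysql_real_escape_string(). Table/column names assumed.

function parseIntList(string $input): array
{
    // \A and \z anchor to the absolute start/end of the subject, so a trailing "\n"
    // or any junk after the last number fails the whole string, not just one part.
    // At most 18 digits per element: a 64-bit PHP_INT_MAX has 19, so (int) cannot
    // overflow and silently clamp. One optional space after each comma is allowed.
    if (!preg_match('/\A\d{1,18}(?:, ?\d{1,18})*\z/', $input)) {
        throw new InvalidArgumentException('expected a comma-separated list of integers');
    }
    return array_map('intval', explode(',', str_replace(' ', '', $input)));
}

function buildInQuery(array $ids): array
{
    // One "?" per value; the ids travel as bound parameters, never interpolated into SQL.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT id, name FROM items WHERE id IN ($placeholders)"; // assumed schema
    return [$sql, $ids];
}

// Constructed sample inputs: valid lists, an empty element, an injection attempt,
// an empty string and a trailing newline.
$samples = ['2,40,23,11,55', '2, 40,23', '2,,40', '1 OR 1=1', '', "2,40\n"];
foreach ($samples as $sample) {
    try {
        [$sql, $params] = buildInQuery(parseIntList($sample));
        echo 'OK   ', var_export($sample, true), " => $sql with ", json_encode($params), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'FAIL ', var_export($sample, true), ': ', $e->getMessage(), "\n";
    }
}

// With a PDO connection the query would then be run as:
//   $stmt = $pdo->prepare($sql);
//   $stmt->execute($params);
```

Only the first two samples pass; everything else is rejected before it gets anywhere near the database. Because the ids are bound rather than concatenated, the regex is doing input validation for the application, not acting as the SQL injection defence.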
A: 

If you want to transform a comma-separated list instead of simply rejecting it if it's not formed correctly, you could do it with array_map() and avoid writing an explicit loop.

$sanitized_input = implode(",", array_map("intval", explode(",", $input)));
Bill Karwin
I was going to agree that personally, I don't bother error checking, I just filter, but then I noticed that your code inserts zeros when there are two commas side-by-side.
Tchalvak
Yes, good point.
Bill Karwin
A: 

I would filter instead of error checking on simple input, though only 'cause I'm lazy, I suppose, and usually in a web context there's way too many cases to handle on what could be coming in that I wouldn't expect: Simple filter below.

<?php
$input = '234kljsalkdfj234a,a, asldkfja 345345sd,f jasld,f234l2342323@#$@#';
function clean($dirty){ // Essentially allows numbers and commas, just strips everything else.
    return preg_replace('/[^0-9,]/', "", (string) $dirty);
}

$clean = clean($input);

echo $clean;
// Result: 234234,,345345,,2342342323
// Note how it doesn't deal with adjacent filtered-to-empty commas, though you could handle those in the explode.  *shrugs*

?>

Here's the code and the output on codepad:

http://codepad.org/YfSenm9k

Tchalvak
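A per-element version of the "just filter" approach, added here as an example that is not part of the answer above: it keeps the policy of silently dropping bad data, but it drops a whole element instead of "repairing" it (so `234kljsalkdfj234a` does not become `234234`), skips empty elements instead of turning them into `0`, and enforces a value range. The `1..1000000` range is an assumed application limit, and the sample inputs are constructed.

```php
<?php
// Added example, not from the original answers. Filters a comma-separated list
// element by element rather than character by character. The 1..1000000 range
// is an assumed business limit, not something the original page specifies.

function filterIntList(string $input, int $min = 1, int $max = 1000000): array
{
    $out = [];
    foreach (explode(',', $input) as $piece) {
        $piece = trim($piece);
        if ($piece === '') {
            continue;               // "2,,40" or a trailing comma: drop, do not emit 0
        }
        // FILTER_VALIDATE_INT rejects "12abc", "1e3" and anything that does not fit
        // in a native int, and the range options are checked here rather than in SQL.
        // It returns false on failure, so compare strictly: the integer 0 is falsy too.
        $n = filter_var($piece, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => $min, 'max_range' => $max],
        ]);
        if ($n === false) {
            continue;               // drop the whole element, matching the "just filter" policy
        }
        $out[] = $n;
    }
    return array_values(array_unique($out));
}

// Constructed sample inputs
$samples = [
    '2,40,23,11,55',
    '2,,40,',                        // empty elements
    ' 7 , 8 ',                       // surrounding whitespace
    '234kljsalkdfj234a,a,345345sd',  // junk inside an element: dropped, not rewritten to 234234
    '99999999999999999999,5',        // does not fit in a 64-bit int: dropped, not clamped
    '0,-3,1000001,12',               // outside the assumed 1..1000000 range
];
foreach ($samples as $s) {
    echo var_export($s, true), ' => ', json_encode(filterIntList($s)), "\n";
}
```

The trade-off is the same one the thread discusses: this never tells the user anything went wrong, so a request that was mostly garbage comes back as a short but plausible list. Logging the dropped elements, or switching to the reject-on-error approach from the earlier answers, is the usual fix when that matters.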