Is filter_var any good for filtering data? What kind of bad data will it filter? I do use mysql_real_escape_string but I wonder if adding filter_var will help?
views:
535answers:
4
+1
A:
It really depends what you're trying to do, I can't really answer without knowing specifics. The possible filters and their effects are listed here: Types of filters
Chad Birch
2009-03-18 17:09:27
Basically to filter and validate any xss or mysql exploits coming from user input.
mikelbring
2009-03-18 17:11:09
There are too many ways (http://ha.ckers.org/xss.html) of XSS and SQL injections. It all depends on your application how it processed the user data.
Gumbo
2009-03-18 17:23:49
+2
A:
To defend from SQL injection use prepared statements if possible. If not, use mysql_real_escape_string for strings, (int) casting or intval() for integers, (float) or floatval() for floats and addcslashes($input, '%_') for strings to be used inside LIKE statements. Things get even more complicated when trying to escape strings to be used inside RLIKE statements.
For filtering HTML content, the best would be strip_tags (without passing $allowable_tags), but... you may not like/want it, in which case the most affordable solution is:
$escaped = htmlspecialchars($input, ENT_QUOTES, $your_charset);
A more reliable solution would be to use a library like HTML Purifier
Filter functions are OK, but some of them are more validators than filters. Depending on your needs you may find some of them useful.
Ionuț G. Stan
2009-03-18 17:24:53
bobince
2009-03-19 10:10:34
A:
You adjust filter_var by using it with the FILTER_* constants. It sounds like you're looking for sanitisation of data (actually adjusting the data to make it safe*) rather than validation (checking the data is safe).
Different filters can help with different tasks. While mysql_real_escape_string is ok for sanitising data to prevent SQL injection it's no good for outputting data that may contain HTML. Here's a couple of filter's I'd use for everyday tasks:
FILTER_SANITIZE_SPECIAL_CHARS- useful for displaying (not removing) HTML code, preventing XSS attacks and converting symbols to HTML entities.FILTER_SANITIZE_STRINGwith theSTRIP_LOW/HIGHflags - actually removes HTML (seestrip_tags).FILTER_SANITIZE_URL- makes URLs safe*.FILTER_SANITIZE_EMAIL- makes email addresses safe, although I'd prefer to use it's validation cousin before storing the address.
* I use safe loosely, I'm of the opinion that you can never be too sure.
Ross
2009-03-18 17:28:08
A:
Just based on some minor testing, I've come to the conclusion that filter_var's constants are not trustworthy.
For example:
filter_var('[email protected]', FILTER_VALIDATE_EMAIL); // valid
filter_var('http://.', FILTER_VALIDATE_URL); // valid
filter_var('[email protected]', FILTER_SANITIZE_EMAIL); // [email protected]
filter_var('http://.', FILTER_SANITIZE_URL); // http://.
These are clearly invalid values, but pass filter_var's constants. Do not trust filter_var.
eyelidlessness
2009-03-31 04:45:39
@Mathew, you're correct but I'm not sure what that has to do with the problems with `filter_var` I pointed out. It will neither correctly filter nor correctly sanitize the inputs I provided.
eyelidlessness
2010-07-16 16:49:58