Php username filter / validate

Question

I just wanted to ask if this is a secure way to let a user choose his username(user can use every digit):

if($_POST['username'] != "") {
    $username = trim($_POST['username']);
    $username = filter_var($username, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
}

After this snippet I use PDO (prepared statement) to insert data in database.

You think this is secure enough or did I forget some important points?

score 1 · Answer 1 · edited May 23 '17 at 10:28

1

According to PHP Documentation - Filter flags:

FILTER_FLAG_STRIP_LOW Strips characters that has a numerical value <32

This option is good for username validation, however, for preventing SQL injection attack, you should use parametrized prepared statement (using placeholders) for more information please refer to this tutorial: https://stackoverflow.com/tags/pdo/info and How can I prevent SQL injection in PHP?

Because without using placeholders, even if you use prepared statement, userinput data will not be escaped by server.

edited May 23 '17 at 10:28

Community

1
1

answered Apr 06 '14 at 21:46

Jason OOO

3,567
2
25
31

is there any possibitity to put sanitize function in public_function, so the returned value can be 1 or 0 ? – user3297073 Apr 06 '14 at 21:52

score 0 · Answer 2 · answered Apr 06 '14 at 21:44

0

$username = addslashes($_POST['username']);

Maybe an idea to search for some info about SQL injections.

answered Apr 06 '14 at 21:44

Companjo

1,789
18
24

Yes it is safe enough. – Companjo Apr 06 '14 at 21:46
In many cases, calling `mysqli_escape_string` after sanitizing a variable is more than enough. Also, try and use a prepared statement or PDO instead of passing a variable directly into a query string. – Basit Apr 06 '14 at 21:47
is there any possibitity to put sanitize function in public_function, so the returned value can be 1 or 0 ? – user3297073 Apr 06 '14 at 21:54

Php username filter / validate

2 Answers2