
After googling I have seen some comments that PHP's function `filter_var($var, FILTER_STRING);` is unreliable or doesn't do much. Reference: What does FILTER_SANITIZE_STRING do? See the last comment by Álvaro González.

If this is so, suppose I use regex for my filter for the data that I want from user input and insert the data always using prepared statements, isn't that the safest way to accept user input? My reasoning is that using regex, I will always only get the type of data that I want every time.

Look at this script:

    <?php

    $string = "Th*()is 999 is <<>> a ~!@# sample st#$%ring.";
    $res = preg_replace("/[^a-zA-Z]/", "", $string);
    echo $res;

    ?>

Output: `Thisisasamplestring`

How could an attacker get around that? We are talking about SQL injection attacks etc.

    There is no need to use regex with prepared statements unless there is something you wish to eliminate from your data. – Jay Blanchard Dec 29 '16 at 15:25
  • Possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/q/60174/1415724) – Funk Forty Niner Dec 29 '16 at 15:28
  • @JayBlanchard are you saying I am not supposed to filter user input from a form, just because we are using prepared sql statements? – Dre_Dre Dec 29 '16 at 15:29
  • @Fred-ii- This is related to: http://stackoverflow.com/q/60174/1415724 but is not the same thing. I am simply asking if using regex is the safest way to prevent unwanted user input. Then on top of that we use prepared sql statements for proper escaping. – Dre_Dre Dec 29 '16 at 15:40
  • You can filter if you want to, you just want to be clear on what you're filtering and why you're filtering. Prepared statements make input SQL safe, while you're using regex to modify the input. [Consider what would happen if you did that on passwords.](http://stackoverflow.com/questions/36628418/cleansing-user-passwords) – Jay Blanchard Dec 29 '16 at 16:38

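As an added example (not code from the question or its comments), this is the approach the comments point at: an anchored allowlist regex that rejects bad input instead of rewriting it, passwords left untouched and hashed, and a PDO prepared statement doing the SQL safety. The `users` table, its column names, the in-memory SQLite connection and the sample inputs are assumptions.

```php
<?php
// Added example: allowlist validation + prepared statement.
// Assumes a table users(username, password_hash) and an in-memory SQLite PDO.
declare(strict_types=1);

/**
 * Validate a username against an anchored allowlist pattern.
 * Returns the input unchanged on success, throws on anything else.
 * Rejecting beats preg_replace() stripping: silently rewriting
 * "alice<script>" into "alicescript" hides the problem from everyone.
 */
function validateUsername(string $username): string
{
    // ^ and $ anchor the WHOLE string, not a substring; the D modifier
    // stops $ from also accepting a trailing "\n".
    if (!preg_match('/^[a-zA-Z0-9_]{3,20}$/D', $username)) {
        throw new InvalidArgumentException('Invalid username');
    }
    return $username;
}

function createUser(PDO $pdo, string $username, string $password): void
{
    $username = validateUsername($username);

    // Passwords are NOT filtered: any character is legal, and only the
    // hash reaches the database. Stripping characters here would silently
    // weaken users' passwords (the point of the last comment above).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: values are bound, never spliced into the SQL
    // text, so even an unvalidated value could not alter the query.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Constructed sample data, not real accounts.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE, password_hash TEXT)');

createUser($pdo, 'alice_01', "p@ss w0rd'\";--");   // password stored as-is (hashed)
try {
    createUser($pdo, "bob' OR 1=1 --", 'x');         // rejected by the allowlist
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Note the difference in roles: the regex decides whether the value is acceptable at all, while the prepared statement is what keeps the value from ever becoming SQL syntax.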
0 Answers