
I have stripped this code down for this question.

My users will be entering their shipping details through a form and I have attempted to sanitise the input. Everything works as expected in terms of successfully posting data. My question is more about good PHP practice.

// Text fields: strip tags and encode quotes
$address_line1 = filter_var($_POST['address_line1'], FILTER_SANITIZE_STRING);
$address_line2 = filter_var($_POST['address_line2'], FILTER_SANITIZE_STRING);
$address_city = filter_var($_POST['address_city'], FILTER_SANITIZE_STRING);
$address_state = filter_var($_POST['address_state'], FILTER_SANITIZE_STRING);
$address_country = filter_var($_POST['address_country'], FILTER_SANITIZE_STRING);
// Zip: validate as an integer (returns false if it is not one)
$address_zip = filter_var($_POST['address_zip'], FILTER_VALIDATE_INT);

I have googled and as I understand it, the filter_var() function will strip out any HTML tags in order to leave only a string for the text based inputs and an integer for the address_zip input.

Is this the correct method to filter out unwanted inputs, and/or are there further measures to consider for safe user input?

How can I test the filter_var() function?
Should I simply post something like <h1>Hello World</h1>?
Is that a sufficient test for input sanitization?

Your help is always appreciated.

Thanks, All

Moe

Moe-Joe
  • The question rather is: where are you going to use it? If you're going to insert into a database using prepared statements, `filter_var()` is almost obsolete. – Xorifelse Feb 01 '17 at 01:22
  • @Xorifelse the info will be included in a mail() function to send the info to my email. Why is filter_var() obsolete? – Moe-Joe Feb 01 '17 at 01:25
  • @Moe-Joe because prepared statements protect against SQL injections – bassxzero Feb 01 '17 at 01:27
  • @bassxzero My website isn't displaying data from an SQL database. Is protection against SQL injections necessary? – Moe-Joe Feb 01 '17 at 01:35
  • @Moe-Joe I would do it. If filter_var does strip HTML tags and you're just sending HTML emails then you should be good – bassxzero Feb 01 '17 at 01:39
  • @Moe-Joe An SQL injection can occur at the moment you query anything in the database, not at the moment you're echoing out the results of the query, because that is where the leak will occur. – Xorifelse Feb 01 '17 at 01:44
  • @Moe-Joe if you're not storing the data in a database then don't do it – bassxzero Feb 01 '17 at 01:46
  • Note that FILTER_SANITIZE_STRING is deprecated in PHP 8.1, and will cause errors. Use htmlspecialchars(). See https://stackoverflow.com/a/69207369/1466973 – Rick Hellewell Nov 21 '22 at 02:29
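As an added example (not code from the question or from any commenter), here is a small PHP harness for the "how can I test filter_var()" part: it runs FILTER_SANITIZE_STRING over several constructed inputs beyond the single <h1> case, shows the htmlspecialchars() output encoding the last comment points to, and checks FILTER_VALIDATE_INT against realistic postal codes. All sample values are constructed.

```php
<?php
// Added example, not code from the question or the comments. It runs offline
// on constructed inputs and shows (a) what FILTER_SANITIZE_STRING does to
// them, (b) the htmlspecialchars() output encoding the last comment suggests,
// and (c) how FILTER_VALIDATE_INT behaves on realistic postal codes.

// Constructed samples; the <h1> case is the one the question proposes.
$textSamples = [
    'plain'     => '221B Baker Street',
    'tag'       => '<h1>Hello World</h1>',
    'split_tag' => '<h<h1>1>Hello World</h1>',  // tag stripping is not an HTML parser
    'quotes'    => "O'Brien \"Suite\" 5",
    'unclosed'  => '1 Main St <b',
];

function compareSanitizers(string $input): array {
    // Legacy approach from the question: strips tags and encodes quotes.
    // Deprecated since PHP 8.1; @ silences the deprecation notice here only.
    $sanitized = @filter_var($input, FILTER_SANITIZE_STRING);
    // Output encoding for an HTML context (e.g. an HTML email body): the
    // stored value stays intact and < > & ' " are escaped at output time.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return ['sanitized' => $sanitized, 'escaped' => $escaped];
}

foreach ($textSamples as $label => $input) {
    $r = compareSanitizers($input);
    printf("%-10s in:        %s\n", $label, $input);
    printf("%-10s sanitized: %s\n", '', var_export($r['sanitized'], true));
    printf("%-10s escaped:   %s\n\n", '', $r['escaped']);
}

// FILTER_VALIDATE_INT only accepts a canonical integer: a leading zero
// (e.g. a US ZIP such as 02134), ZIP+4 and alphanumeric postcodes all
// return false, so address_zip needs a postal-code rule, not an int check.
$zipSamples = ['90210', '02134', '12345-6789', 'SW1A 1AA', '<h1>1</h1>'];
foreach ($zipSamples as $zip) {
    $result = filter_var($zip, FILTER_VALIDATE_INT);
    printf("zip %-12s -> %s\n", $zip, var_export($result, true));
}
```

Run it from the command line with `php harness.php` and compare the three lines printed per sample; the difference between the "sanitized" and "escaped" columns is the difference between destroying input and encoding it for the context it is rendered in.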