I'm new to Laravel 7 and wondering if there's an out-of-the-box, elegant solution to sanitizing HTML form inputs? Or maybe a trusted third-party package I can download that you recommend? This is for data I will store in a database. Thanks for any help.
2 Answers
One recommended out-of-the-box way of sanitizing data is using the `filter_var` function that comes with PHP in conjunction with the different sanitize filters. By the way, this is also a cool way to validate input; take a look at the types of filters to find out more.
When working in Laravel projects, I like to use voku/portable-ascii library, because it's already a framework dependency. It is a nice assortment of functions to clean input, remove non-printable characters, and to generally transform any input into ASCII, complete with transliteration and whatnot. It's not always perfect, but usually good enough and gets the job done.
It always depends on what you want to sanitize, how, and why. In many situations you do not need to sanitize the input at all if you stick to the best practices. When working with Eloquent or the Query Builder, your data is automatically escaped, and on retrieval, when you output it, e.g. via `{{ $data }}`, it will be properly escaped too.
There are some situations where you should be more cautious, especially if you are handling the raw user input yourself and probably passing it to the system in command line parameters, filenames or such. In those cases it is usually a good idea to be as restrictive as possible and as permissive as necessary. Sometimes a good old `preg_replace('/[^0-9A-Z_-]/i', '', $subject)` is just the right choice. If you want to be as permissive as possible, give the suggestions above a try.
- I should've stated this in my question. The data I need to sanitize is quite standard: Name, email address, phone number and a checkbox. That's it! :-) – GTS Joe Aug 26 '20 at 01:29
- The PHP `filter_var` function you mentioned looks cool, and it does do emails, but U.S. phone numbers are oddly omitted. – GTS Joe Aug 26 '20 at 01:40
- The sanitize filters will take care of the email sanitizing for you. Names don't really need to be sanitized usually, unless you want to strip out annoying icons, RTL characters and such. Phone numbers... well, do you really want sanitizing or validation here? Sanitizing is easy: `preg_replace('/[^0-9\(\)\- ]/', '', $number)` should take care of most of it. You can also use HTML5 form validation in addition, see https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/email or tel etc. For validation take a look at https://laravel.com/docs/7.x/validation. – Lupinity Labs Aug 26 '20 at 01:44
- It is not odd that U.S. phone numbers are omitted. Don't confuse sanitizing with validation. To do plausibility checks on phone numbers, you would need rulesets or even databases that are very specific from country to country. If you need very basic validation, regex is your friend. There are already hundreds of answers on that topic, like https://stackoverflow.com/questions/9776231/regular-expression-to-validate-us-phone-numbers – Lupinity Labs Aug 26 '20 at 01:47
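As an added example (not the answerer's code, and not part of any Laravel package), here is plain PHP applying the sanitize-then-validate split from the answer and comments to the four fields the asker named; the field keys, the 100-character name limit and the US phone rule are assumptions for illustration.

```php
<?php
// Added example: plain PHP, no framework required.
// Sanitizing rewrites the input (lossy); validating accepts or rejects it.
// Doing both, in that order, gives predictable stored values.

declare(strict_types=1);

/**
 * Cleans a contact-form payload (assumed keys: name, email, phone, agree).
 * Returns the normalized array, or throws on the first field that fails.
 */
function cleanContactForm(array $input): array
{
    // Email: strip characters that can never appear in an address, then
    // check the remainder is actually a well-formed address.
    $email = filter_var((string) ($input['email'] ?? ''), FILTER_SANITIZE_EMAIL);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email: not a valid address');
    }

    // Name: only trim and collapse whitespace. Accented or non-Latin names
    // are legitimate, so nothing is stripped; escape on output instead.
    $name = trim((string) preg_replace('/\s+/u', ' ', (string) ($input['name'] ?? '')));
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name: required, at most 100 characters');
    }

    // Phone: whitelist digits and common separators (the regex from the
    // comment), then validate the digits as a US number (10 digits,
    // optional leading country code 1). Store digits only.
    $phone  = (string) preg_replace('/[^0-9\(\)\- ]/', '', (string) ($input['phone'] ?? ''));
    $digits = (string) preg_replace('/\D/', '', $phone);
    if (!preg_match('/^1?\d{10}$/', $digits)) {
        throw new InvalidArgumentException('phone: expected a 10-digit US number');
    }

    // Checkbox: an unchecked box is absent from the POST body entirely,
    // so a missing key must read as false, not as an error.
    $agreed = filter_var($input['agree'] ?? false, FILTER_VALIDATE_BOOLEAN);

    return ['name' => $name, 'email' => $email, 'phone' => $digits, 'agree' => $agreed];
}

// Constructed sample request body (stray whitespace and formatting on purpose).
$post = [
    'name'  => "  Jos\u{00E9}   Silva ",
    'email' => 'jose@example.com ',
    'phone' => '(555) 123-4567',
    'agree' => 'on',
];
var_dump(cleanContactForm($post));
```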
I was just wondering if there was some good package to deal with sanitization using Laravel Framework and found this:
https://github.com/elegantweb/sanitizer
Worked like a charm and has support for Laravel 10.
Enjoy!