A simple question: PHP 8.x no longer supports FILTER_SANITIZE_STRING,

'FILTER_SANITIZE_STRING' is deprecated.

Should I replace it with:

htmlspecialchars() // Already by default charset UTF-8

What i need:

  • Protect from XSS, where FILTER_SANITIZE_STRING removed the <in between>.
  • It's OK if a client signs up with <script>....(anyName)</script> and gets only his name, without being told. (Already filtered with JS, but in case he ignored that.)

Example:

<?php
// The approach being asked about: escape for HTML before storing.
// `?? ''` avoids an "undefined array key" warning when the field is missing.
$name = htmlspecialchars($_POST['userInput'] ?? '');
$stmt = $pdo->prepare("INSERT INTO ......... VALUES (:zname)");
$stmt->execute([
    ":zname" => $name
]);

Will it be safe to use this example instead of filter_var($_POST['userInput'], FILTER_SANITIZE_STRING);?

Thank you.

obeid salem

  • You only need to protect from XSS when you *display* user input on a web page. You can prevent XSS by wrapping user input with `htmlspecialchars()`. Your SQL code uses parameterized queries, and should be safe from XSS, even if you store ` – kmoser Apr 23 '22 at 22:18
  • `FILTER_SANITIZE_STRING` stripped tags, so a closer replacement would be `strip_tags`. `htmlspecialchars` is closer to `FILTER_SANITIZE_FULL_SPECIAL_CHARS`. In the end, if you use any of these then it is a good step towards protecting yourself from XSS – apokryfos Apr 23 '22 at 22:31
  • @kmoser Thank you for the link, I'm already using UTF-8. – obeid salem Apr 23 '22 at 23:19

1 Answer

htmlspecialchars is for HTML.

PDO needs to escape characters in a different way. Let $pdo->prepare(...) take care of things for you.

Note: that advice will leave UTF-8 characters in the database (which is appropriate) instead of things that look like &foobar; (which turns into the foobar character in HTML, but is otherwise a string of ASCII characters).

I think that gets rid of your clean function.

Meanwhile, all connections, all columns, etc, should be set to utf8mb4 (MySQL's term for UTF-8).

Rick James
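A worked version of the answer's advice, added here as an example and not code from the question, the answer, or any project: store the raw string through a PDO placeholder, escape once when rendering HTML, show why escaping before storing double-encodes, and compare with strip_tags(), the closer FILTER_SANITIZE_STRING replacement named in the comments. It assumes the pdo_sqlite extension so it runs without a MySQL server; the users table, the zname column, the h() and legacy_sanitize_string() helpers and the three sample inputs are all made up for this demo.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or the answer. Assumptions: the pdo_sqlite
// extension is loaded; the users table, the zname column, the h() and
// legacy_sanitize_string() helpers and the sample inputs are made up for the demo.

// Escape for HTML output only. ENT_QUOTES also encodes the single quote, so the
// result is safe inside single-quoted attributes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Roughly what FILTER_SANITIZE_STRING did: drop the tags, keep the text between them.
function legacy_sanitize_string(string $s): string
{
    return strip_tags($s);
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, zname TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['userInput'].
$inputs = [
    "<script>alert('xss')</script>Alice",
    "O'Neil \"Bob\" & Co",
    "Zoë ' OR '1'='1",
];

// Store the raw string. The placeholder keeps it data, never SQL, and no HTML
// entities end up in the database.
$insert = $pdo->prepare('INSERT INTO users (zname) VALUES (:zname)');
foreach ($inputs as $raw) {
    $insert->execute([':zname' => $raw]);
}

// The table holds exactly what was sent, in UTF-8, unescaped: the quotes and the
// OR '1'='1' in the third value are just characters, not SQL.
$rows = $pdo->query('SELECT id, zname FROM users ORDER BY id')->fetchAll();
if (count($rows) !== 3 || $rows[2]['zname'] !== "Zoë ' OR '1'='1") {
    throw new RuntimeException('stored values differ from input');
}

// Escape once, at the point of output, when rendering HTML. h() turns < > " ' &
// into &lt; &gt; &quot; &apos; &amp;, so the browser shows the text and runs nothing,
// both in element content and inside the quoted attribute.
foreach ($rows as $row) {
    echo '<li data-user="', h($row['zname']), '">', h($row['zname']), "</li>\n";
}

// Why not escape before storing (the question's version): the stored value would
// already be &lt;script&gt;..., and escaping again at output time turns the leading
// & into &amp;, so the page displays the entity text literally instead of the name.
$escapedTwice = h(h($inputs[0]));
if (!str_starts_with($escapedTwice, '&amp;lt;script&amp;gt;')) {
    throw new RuntimeException('unexpected double-encoding result');
}

// If only the name is wanted (tags gone, as FILTER_SANITIZE_STRING did), strip on
// input but still escape on output; strip_tags() is not an HTML sanitizer and leaves
// the text between the tags, including the JavaScript, in place.
echo legacy_sanitize_string($inputs[0]), "\n";
```

For MySQL the same code applies with a DSN such as `mysql:host=...;dbname=...;charset=utf8mb4` and `PDO::ATTR_EMULATE_PREPARES => false` so the server, not the client library, binds the parameters; the columns themselves should be utf8mb4 as the answer says. htmlspecialchars() only covers HTML element content and quoted attribute values; a value that ends up inside a script block, a URL or a CSS rule needs the encoding for that context instead.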