
I've just updated my PHP version from 8.0.26 to 8.2.0 and I now have to deal with the deprecated FILTER_SANITIZE_STRING constant. I was using it this way to filter some text inputs in a form in order to protect a website from SQL injections:

```php
// Deprecated since PHP 8.1: FILTER_SANITIZE_STRING strips tags and encodes quotes
$text_input_value = filter_var($_POST['a_text_input'], FILTER_SANITIZE_STRING);
```

I know it'll still work for a while yet, but I don't like using deprecated code at all. And yet I just heard that FILTER_SANITIZE_STRING had an unclear purpose and the PHP community decided that this filter shouldn't be supported anymore.

I can't find any solution on the Internet, as everyone seems to use FILTER_SANITIZE_STRING for something other than protecting against SQL injections. They seem rather to use it to protect against XSS attacks.

So, my question is, what should I use now to replace this filter / sanitize my inputs against any SQL injection? Feel free to tell me if I was using a wrong way to sanitize my inputs. (I'm also using prepared SQL statements in my PHP script, but I'm not sure if that's enough to secure against SQL injections, or if input sanitizing is also necessary.)

  • See [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). FILTER_SANITIZE_STRING never had anything to do with SQL injection - it's unclear how you got that idea. It can help with XSS prevention, but is replaced by htmlspecialchars(), as per the [documentation](https://www.php.net/manual/en/filter.filters.sanitize.php) – ADyson May 31 '23 at 20:12
  • So, how should I sanitize my text inputs to prevent SQL injections, please? Unless it's useless as I use prepared SQL statements. Feel free to tell me if so. – Nyusuka C037 May 31 '23 at 20:15
  • Read the accepted answer at that link (or in many other places online). Use parameterised prepared statements to prevent SQL injection. That's all you need to do. – ADyson May 31 '23 at 20:17
  • So if I understand correctly, I just don't need to sanitize my inputs as I use prepared SQL statements. Well, thanks for your help, have a nice day (or night, I don't know). – Nyusuka C037 May 31 '23 at 20:23
  • `I just don't need to sanitize my inputs as I use prepared SQL statements`...as long as you use parameters with them too, then that's correct, yes. You should also sanitise _output_ of user-generated data using `htmlspecialchars()` whenever you output that data into an HTML document, for XSS prevention. – ADyson May 31 '23 at 21:01
  • In fact, if you use query parameters, you _must not_ sanitize input values, because the backslashes or whatever is used to "sanitize" will become part of the string value. – Bill Karwin May 31 '23 at 21:50

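The advice in the comments, worked through as an added example (this is not code from the question or from the commenters): a parameterised prepared statement stores an injection attempt as plain text, pre-escaping the value before binding corrupts the stored data, and `htmlspecialchars()` is applied at output time. It uses an in-memory SQLite database through PDO so it runs offline; the `comments` table, the column names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the original page. In-memory SQLite via PDO so it
// runs offline; table, columns and inputs are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would additionally set PDO::ATTR_EMULATE_PREPARES to false
// so the server, not the client library, separates SQL text from values.
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed values standing in for $_POST['a_text_input']: an apostrophe,
// an SQL injection attempt and an XSS payload.
$inputs = [
    "O'Reilly",
    "x'); DROP TABLE comments; --",
    '<script>alert(1)</script>',
];

// 1. Parameterised prepared statement. The value is sent separately from the
//    SQL text, so quotes and comment markers are data, never syntax.
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
foreach ($inputs as $value) {
    $insert->execute([':author' => 'anon', ':body' => $value]);
}

// 2. Why "sanitising" input is wrong when you bind parameters: escaping the
//    value yourself stores the backslash as part of the data (O\'Reilly).
$insert->execute([':author' => 'escaped', ':body' => addslashes("O'Reilly")]);

// 3. Read back what was actually stored and escape it for HTML output.
$rows = $pdo->query('SELECT author, body FROM comments ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    // The stored body is the raw input; htmlspecialchars() is the XSS step,
    // applied only when rendering into an HTML document.
    printf("%-8s stored=%-32s html=%s\n",
        $row['author'],
        $row['body'],
        htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// The table still exists and holds all four rows: the DROP TABLE text was
// inserted as a string, not executed.
printf("rows in table: %d\n", (int) $pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn());
```

Run it with `php example.php`. The `escaped` row shows the problem Bill Karwin describes: `addslashes()` on top of a bound parameter leaves `O\'Reilly` in the database, so the only input-side work that belongs here is validation of what the field should contain (length, format), not escaping.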