Questions tagged [sanitization]

Data sanitization to prevent code injection

Data sanitization is used to prevent code injection by handling input and output securely, for example through:

  1. Input validation
  2. Selective input inclusion/exclusion
  3. Escaping dangerous characters for the context in which the data will be used. For instance, in PHP, htmlspecialchars() converts the characters &, <, >, " (and, with the ENT_QUOTES flag, ') to their HTML entities, which makes text safe to place in HTML element content or a quoted attribute; strip_tags() removes HTML tags altogether, but its own documentation warns that it does not validate HTML, that partial or broken tags can remove more text than expected, and that it should not be used to prevent XSS. mysql_real_escape_string() escaped data for inclusion in a MySQL query string to protect against SQL injection; it was removed in PHP 7 together with the rest of the mysql extension, and its successor mysqli_real_escape_string() is only correct when the value is placed inside a quoted string literal and the connection character set has been set, so parameterized queries (item 6) are the preferred option.
  4. Input encoding
  5. Output encoding, applied at the point of output for the specific sink (HTML body, HTML attribute, JavaScript, URL, SQL) rather than once at input, since each sink has its own set of dangerous characters.
  6. Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values"), which keep the query text separate from the data.
  7. Modular shell disassociation from kernel
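The following Python script is an added example, not part of the tag wiki, showing items 3, 5 and 6 above in working form. SQLite stands in for MySQL, html.escape() stands in for PHP's htmlspecialchars(), and the user table is constructed for the demonstration. The point it makes is that a single "sanitize everything" pass does not exist: SQL is protected by binding the value, and HTML is protected by encoding at the moment of output.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
USERS = [
    ("alice", "alice@example.com", 1),
    ("bob", "bob@example.com", 0),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user-supplied value is pasted into the SQL text, so a
    quote in the input changes the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the query text is fixed and the value is bound as a parameter, so it
    is compared as data no matter which characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding for the HTML text context. The escaping happens at the
    point of output, not at storage time, so the stored value stays intact for
    other sinks (the SQL lookup above, a JSON API, a log line)."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(lookup_interpolated(conn, payload))    # every row leaks
    print(lookup_parameterized(conn, payload))   # no user has that name
    print(render_greeting("<script>alert(1)</script>"))
```

Running it shows the interpolated query returning both users for the payload while the parameterized one returns nothing, and the greeting rendered with the angle brackets encoded so the browser displays the text instead of executing it.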
1083 questions
175 votes, 14 answers

What are the best PHP input sanitizing functions?

I am trying to come up with a function that I can pass all my strings through to sanitize. So that the string that comes out of it will be safe for database insertion. But there are so many filtering functions out there I am not sure which ones I…
asked by Lauren (reputation 1,767)
159 votes, 4 answers

Remove all non-numeric characters from a string; [^0-9] doesn't match as expected

I'm trying to remove everything from a string but just numbers (0-9). I thought this would work.. echo preg_replace("[^0-9]","",'604-619-5135'); But it echos "604-619-5135". What am I missing???
asked by jeffkee (reputation 5,106)
157 votes, 19 answers

string sanitizer for filename

I'm looking for a php function that will sanitize a string and make it ready to use for a filename. Anyone know of a handy one? ( I could write one, but I'm worried that I'll overlook a character! ) Edit: for saving files on a Windows NTFS…
asked by user151841 (reputation 17,377)
154 votes, 19 answers

Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?

I realize that parameterized SQL queries is the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with taking user input and escaping any single quotes and surrounding the whole string…
asked by Patrick (reputation 5,970)
141 votes, 23 answers

Sanitizing strings to make them URL and filename safe?

I am trying to come up with a function that does a good job of sanitizing certain strings so that they are safe to use in the URL (like a post slug) and also safe to use as file names. For example, when someone uploads a file I want to make sure…
asked by Xeoncross (reputation 55,620)
94 votes, 14 answers

How to escape strings in SQL Server using PHP?

I'm looking for the alternative of mysql_real_escape_string() for SQL Server. Is addslashes() my best option or there is another alternative function that can be used? An alternative for mysql_error() would also be useful.
asked by Ali (reputation 261,656)
88 votes, 7 answers

angularjs newline filter with no other html

I'm trying to convert newline characters (\n) to html br's. As per this discussion in the Google Group, here's what I've got: myApp.filter('newlines', function () { return function(text) { return text.replace(/\n/g, '
'); …
asked by MegaHit (reputation 2,614)
86 votes, 6 answers

How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?

To start this off, I am well aware that parameterized queries are the best option, but I am asking what makes the strategy I present below vulnerable. People insist the below solution doesn't work, so I am look for an example of why it wouldn't. If…
asked by GBleaney (reputation 2,096)
75 votes, 7 answers

Sanitizing user input before adding it to the DOM in Javascript

I'm writing the JS for a chat application I'm working on in my free time, and I need to have HTML identifiers that change according to user submitted data. This is usually something conceptually shaky enough that I would not even attempt it, but I…
asked by I GIVE TERRIBLE ADVICE (reputation 9,578)
73 votes, 5 answers

Constant FILTER_SANITIZE_STRING is deprecated

I have installed PHP 8.1 and I started testing my old project. I have used the filter FILTER_SANITIZE_STRING like so: $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING); Now I get this error: Deprecated: Constant…
asked by Dharman (reputation 30,962)
71 votes, 8 answers

Dealing with line Breaks on contentEditable DIV

I have a problem with contenteditable line breaks on SAFARI/CHROME. When I press "return" on a contentEditable
, instead of creating a
(like Firefox), they create a new
:
Something
Something
That looks like (on…
asked by Santiago (reputation 2,405)
67 votes, 14 answers

When is it best to sanitize user input?

User equals untrustworthy. Never trust untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you…
asked by Aaron (reputation 23,450)
55 votes, 2 answers

What does FILTER_SANITIZE_STRING do?

There's like a million Q&A that explain the options like FILTER_FLAG_STRIP_LOW, but what does FILTER_SANITIZE_STRING do on its own, without any options? Does it just filter tags?
asked by user1322720
53 votes, 5 answers

In a bash script, how do I sanitize user input?

I'm looking for the best way to take a simple input: echo -n "Enter a string here: " read -e STRING and clean it up by removing non-alphanumeric characters, lower(case), and replacing spaces with underscores. Does order matter? Is tr the best /…
asked by Devin Reams (reputation 972)
47 votes, 5 answers

How to sanitize sql fragment in Rails

I have to sanitize a part of sql query. I can do something like this: class << ActiveRecord::Base public :sanitize_sql end str = ActiveRecord::Base.sanitize_sql(["AND column1 = ?", "two's"], '') But it is not safe because I expose protected…
asked by dimus (reputation 8,712)