24

I have an array, which comes from $_POST[] and can have other arrays in it as values, like:

array(
  'title' => 'Title',
  'data' => array(
              'hdr' => 'Header',
              'bdy' => 'Body'
            ),
  'foo' => array(1, 23, 65),
  ...
)

How can I sanitize all values of this big array? For example, apply strip_tags() to values like Title, Header, Body, 1, 23, 65, etc.?

Alex

5 Answers

67

Just use the filter extension.

/* prevent XSS. */
$_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

This will sanitize your $_GET and $_POST.

Alfred
  • `FILTER_SANITIZE_STRING` has been deprecated in PHP 8.1; `FILTER_SANITIZE_FULL_SPECIAL_CHARS` is the closest replacement that's still valid. – alev Apr 06 '22 at 03:54
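The same filter-extension approach applied to the nested array from the question, as an added example (not code from the answer above), using the PHP 8.1 replacement filter named in the comment. The detail the answer does not show: a plain scalar filter makes filter_var() return false for any value that is itself an array, so the FILTER_REQUIRE_ARRAY flag is what makes it descend into 'data' and 'foo'. The $post array and the sanitize_request() name are constructed for the example.

```php
<?php
// Added example: sanitize a nested request array with the filter extension.
// FILTER_SANITIZE_FULL_SPECIAL_CHARS is the PHP 8.1+ replacement for the
// deprecated FILTER_SANITIZE_STRING; FILTER_REQUIRE_ARRAY makes filter_var()
// walk into nested arrays instead of returning false for them.
declare(strict_types=1);

function sanitize_request(array $input): array
{
    $clean = filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_REQUIRE_ARRAY);
    if ($clean === false) {
        // Only reached if $input could not be filtered as an array at all.
        throw new InvalidArgumentException('input could not be filtered as an array');
    }
    return $clean;
}

// Constructed sample standing in for $_POST; the markup and quotes are there
// to show that they come back HTML-escaped rather than removed.
$post = [
    'title' => '<b>Title</b>',
    'data'  => [
        'hdr' => 'Header <i>italic</i>',
        'bdy' => 'Body & "quotes"',
    ],
    'foo'   => [1, 23, 65],
];

print_r(sanitize_request($post));
```

Every leaf comes back as a string with `<`, `>`, `&` and quotes encoded as HTML entities (the integers in 'foo' become "1", "23", "65"), and the array shape is preserved. The same `'flags' => FILTER_REQUIRE_ARRAY` entry works in the per-key definition array that filter_input_array() accepts, which is how you would apply it to the real INPUT_POST superglobal.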
9

Have a look at array_map

<?php  
$a = array(
'title' => 'Title',
'data' => array(
    'hdr' => 'Header',
    'bdy' => 'Body'
    ),
'foo' => array(1, 23, 65)
);

// array_map() is not recursive: the nested arrays under 'data' and 'foo' are
// handed whole to strip_tags(), which expects a string.
$b = array_map("strip_tags", $a);
print_r($b);
?>

Update for 2D array:

function array_map_r( $func, $arr )
{
    $newArr = array();

    foreach( $arr as $key => $value )
    {
        // Recurse into nested arrays; otherwise apply the callback to the leaf.
        // call_user_func() accepts string and array callables alike, so no
        // special case is needed for array-style callbacks.
        $newArr[ $key ] = is_array( $value )
            ? array_map_r( $func, $value )
            : call_user_func( $func, $value );
    }

    return $newArr;
}

Usage:

$a = array(
'title' => 'Title',
'data' => array(
    'hdr' => 'Header',
    'bdy' => 'Body'
    ),
'foo' => array(1, 23, 65)
); 

$ar = array_map_r('strip_tags', $a);
print_r($ar);

Note I found this just by searching the comments for Dimension

kieran
  • But I get `Warning: strip_tags() expects parameter 1 to be string, array given`. I think it doesn't work for 2nd level+ arrays... – Alex Feb 01 '11 at 10:05
  • @Col. Shrapnel: Actually according to php.net array_walk_recursive() - `Any key that holds an array will not be passed to the function.` I was just testing out array_walk_recursive() behavior and it's quite different than the solution above, plus array_walk_recursive() seems to be buggy too. – Zubair1 Apr 25 '11 at 20:07
3
function strip($string, $allowed_tags = NULL)
{
    if (is_array($string))
    {
        foreach ($string as $k => $v)
        {
            $string[$k] = strip($v, $allowed_tags);
        }
        return $string;
    }

    return strip_tags($string, $allowed_tags);
}

Just an example of a recursive function, for stripping tags in this case.

$arr = strip($arr);
Kemo
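A recursive leaf walker built on array_walk_recursive(), the function discussed in the comments on the array_map answer, serving both that answer and the hand-written recursion just above. This is an added example, not code from either answer; walk_leaves() and the $post sample are constructed here. It runs the same input through strip_tags() and through htmlspecialchars() side by side, which makes visible the difference the comments at the bottom of the page argue about: stripping removes markup but keeps the text between the tags, escaping keeps every character and only neutralises it for HTML.

```php
<?php
// Added example: apply a callable to every leaf of a nested array.
// array_walk_recursive() visits only non-array values (keys that hold an
// array are not passed to the callback), so nesting depth does not matter.
declare(strict_types=1);

function walk_leaves(array $data, callable $fn): array
{
    // $data is a copy, so the caller's array is left untouched; the closure
    // takes the leaf by reference to write the sanitized value back.
    array_walk_recursive($data, function (&$value) use ($fn): void {
        $value = $fn((string) $value);
    });
    return $data;
}

// Constructed sample standing in for $_POST, nested three levels deep.
$post = [
    'title' => '<b>Title</b>',
    'data'  => [
        'hdr'  => 'Header',
        'bdy'  => 'Body',
        'more' => ['deep' => '<i>deep</i> & "quoted"'],
    ],
    'foo'   => [1, 23, 65],
];

// strip_tags(): '<b>Title</b>' becomes 'Title', the '&' and quotes survive.
$stripped = walk_leaves($post, 'strip_tags');

// htmlspecialchars(): nothing is removed, '<', '>', '&' and quotes are
// encoded so the value can be placed into an HTML document as-is.
$escaped = walk_leaves($post, fn (string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));

print_r($stripped);
print_r($escaped);
```

Because the callable is a parameter, the same walker serves whichever transformation the output context needs; the integers under 'foo' are cast to strings before the callback so strip_tags() and htmlspecialchars() receive the string they declare.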
2

This looks ok, but please comment if it can be improved or has any misgivings:

// With no second argument, filter_var_array() applies FILTER_DEFAULT, which is
// an alias of FILTER_UNSAFE_RAW and leaves string values unchanged.
$_GET  = filter_var_array($_GET);
$_POST = filter_var_array($_POST);
colidyre
Paris Z
-2

Let's say we want to sanitize the $_POST array:

foreach($_POST as $k=>$v) {$_POST[$k] = htmlspecialchars($v);}

It's this simple, isn't it?

    1) this wouldn't work recursively, a key point in the question. 2) *never* sanitise values on the input end. Always sanitise them on the *output* end, as it is the output (be it to html, database, xml, json, etc) which defines the requirements. The above code runs a serious risk of leaving one open to SQL Injection attacks, for example. – Will Palmer Oct 01 '12 at 09:16
  • The question was not to sanitize for SQL injections. It was to strip the tags. I think it's better to use Prepared Statements for this purpose. The code I wrote doesn't strip the tags, it just rewrites those html special chars in [displayable format](http://webdesign.about.com/library/bl_htmlcodes.htm), ex.: "&eacute". Of course you can replace htmlspecialchars by strip_tags. Depends on what you want to do! – Marc Tremblay Oct 01 '12 at 18:23
  • Prepared statements do indeed protect against SQL injection, but they are also a form of sanitising at the output, rather than the input. Never sanitise at the input, and certainly never do *both* :). The intended goal is to make things sane for output into HTML, not to break them for every other potential purpose. This code is what `magic_quotes_gpc` would look like if people cared more about XSS attacks than SQL injection. It is bad. Don't do it. Don't do anything similar to it. – Will Palmer Oct 01 '12 at 19:33