
Can someone recommend an up-to-date library for data sanitization in PHP?

I am looking for a library that offers a set of functions for data sanitization: email validation/sanitization (removing those %0A, \r, ...), stripping HTML (stripslashes(htmlentities)), removing scripts, SQL injection ... any form of exploit related to data submitted by users.

CakePHP's sanitization class (not the "framework") looks nice?

  • Please define "data sanitization". Are you wanting to remove html entities, just potential xss attacks, or sql injection attacks? – rick May 08 '09 at 20:00

6 Answers

Check out PHP Filter

MichaelICE

Zend Filter, Zend Filter Input and Zend_Validate

karim79
```php
<?php
// Read the submitted field (empty string if absent) and strip tags / encode
// characters with filter_var; note FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
$firstName = $_POST['fname'] ?? '';
$new_string = filter_var($firstName, FILTER_SANITIZE_STRING);
echo $new_string;
```
Marvin Pinto

CakePHP is a framework, not a sanitation library.

It's probably easier to just write your own sanitization functions.

Joe Phillips

There is no such thing as data sanitization. Data isn't dangerous in itself; it's the context in which it's used that makes it safe or unsafe. That means that it is pointless to try and validate/sanitize data on entry. Instead, you should escape it properly on output. See also my answer here.

troelskn
  • If you need to allow markup in input, but you don't want xss attacks, then it's not "pointless" to validate/sanitize data on entry. Why would you store dangerous input? – rick May 08 '09 at 19:58
  • I consider that an edge case and I'd use HtmlPurifier for that. – troelskn May 08 '09 at 21:59

For filtering out XSS attacks when you need to preserve HTML markup: htmlpurifier

If you don't need to keep HTML markup, you can use htmlspecialchars or htmlentities

rick
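One way to act on the advice in the two answers above (escape per output context, validate rather than "clean"), as an added PHP example that is not from the thread. It assumes the pdo_sqlite extension is available and uses constructed sample input covering the question's three concerns: HTML output, email header characters, and SQL.

```php
<?php
// Added example, not from the thread: the same untrusted string handled
// differently depending on where it ends up (HTML, email address, SQL).
declare(strict_types=1);

// Constructed sample input: a tag plus the CRLF bytes the question mentions.
$untrusted = "bob@example.com\r\nBcc: x@example.org <script>alert(1)</script>";

/** HTML text/attribute context: encode special characters, do not strip them. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Email context: validate instead of sanitizing; CR/LF and spaces fail outright. */
function validEmailOrNull(string $value): ?string
{
    $result = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $result === false ? null : $result;
}

/** SQL context: bind the value as a parameter so quotes are plain data. */
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users (email) VALUES ('bob@example.com'), ('o''brien@example.com')");

echo 'HTML: ', escapeHtml($untrusted), PHP_EOL;       // <script> rendered as &lt;script&gt;
var_dump(validEmailOrNull($untrusted));               // NULL: header-injection bytes rejected
var_dump(validEmailOrNull('bob@example.com'));        // string(15) "bob@example.com"
var_dump(findUserByEmail($db, "o'brien@example.com")); // row 2: the quote is just data
var_dump(findUserByEmail($db, 'nobody@example.com'));  // NULL: no such row
```

The point the thread makes is visible in the three helpers: none of them modifies the stored value, each applies the rule of the context it writes into.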