what is a good method to sanitize the whole $_POST array in php?

Backend | Unresolved | 5 | 1144
广开言路 2020-12-12 21:08

I have a form with a lot of variables which is then sending an email, rather than sanitizing each $_POST value with filter_var($_POST['var'], FILTER_SAN

5 answers
  • 2020-12-12 21:25

    This is what I use in all my projects:

    function util_array_trim(array &$array, $filter = false)
    {
        array_walk_recursive($array, function (&$value) use ($filter) {
            $value = trim($value);
            if ($filter) {
                $value = filter_var($value, FILTER_SANITIZE_STRING);
            }
        });
    
        return $array;
    }
    

    It allows you to trim and sanitize a nested array of posted data.

  • 2020-12-12 21:29

    If the type of each of your input variables is a string and you want to sanitize them all at once, you can use:

    // prevent XSS
    $_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
    $_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
    

    This will sanitize your $_GET and $_POST arrays.

    Seen here: PHP - Sanitize values of an array

  • 2020-12-12 21:32

    To apply specific filters on multiple fields, use a switch statement.

    $post  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
    
    foreach($post as $k => $v) {
        switch ($k) {
            case 'int_1':
            case 'int_2':
                $post[$k] = filter_var($v, FILTER_SANITIZE_NUMBER_INT) * 1;
                break;
            case 'float_1':
            case 'float_2':
                $post[$k] = filter_var($v, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION) * 1;
                break;
            default:
                break;
        }
    }
    

    Note: My IDE (NetBeans) warns about using global $_POST anywhere as a security violation, so I've just gotten into the habit of using a local $post variable instead. If you choose not to do the blanket string sanitation first, FILTER_SANITIZE_STRING could be used for the default: case.

  • 2020-12-12 21:34

    There is no correct way to do blanket sanitation. What sanitation method you need depends on what is done to the data.

    Sanitize the data directly before it is used.

  • 2020-12-12 21:42

    Depends what it's being used for.

    If you are inserting it into the database then mysql_real_escape_string() for quoted strings and type casting for numbers would be the way to go - well, ideally prepared statements, but that's an entirely different matter.

    If you plan on outputting the data onto the webpage then I would recommend something like htmlspecialchars().

    If you plan on using the user input as a shell argument, then you would use escapeshellarg().

    Moving onto your question about sending emails. Well, the following should suffice:

    filter_var($_POST['message'], FILTER_SANITIZE_STRING);
    

    All this does is basically strip tags and encode special characters.

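The approach the last two answers describe (check each field by type on the way in, then escape for the specific sink at the point of use), written out as an added example that is not code from any answer above; note that FILTER_SANITIZE_STRING, used in several answers, is deprecated since PHP 8.1. The field names, the constructed `$input`, and the helpers `trim_string`, `validate_form` and `escape_for` are assumptions for this demo (PHP 8.0+).

```php
<?php
declare(strict_types=1);
// Per-field rules for filter_var_array(); in a live request pass the same array to
// filter_input_array(INPUT_POST, FORM_DEFINITION, true) instead of reading $_POST directly.
const FORM_DEFINITION = [
    'name'    => ['filter' => FILTER_CALLBACK, 'options' => 'trim_string'],
    'email'   => FILTER_VALIDATE_EMAIL,
    'age'     => ['filter' => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 0, 'max_range' => 150]],
    'message' => ['filter' => FILTER_CALLBACK, 'options' => 'trim_string'],
];

// FILTER_CALLBACK target (assumed helper): accept strings (trimmed), reject anything else.
function trim_string(mixed $v): string|false
{
    return is_string($v) ? trim($v) : false;
}

// Returns [cleanFields, namesOfInvalidFields]. Keys not in the definition are dropped,
// missing keys come back as null (add_empty = true) and failed validation as false.
function validate_form(array $raw): array
{
    $clean  = filter_var_array($raw, FORM_DEFINITION, true);
    $errors = array_keys(array_filter($clean, fn($v) => $v === false || $v === null));
    return [$clean, $errors];
}

// Escape at the point of use, per output context, as the last two answers advise.
function escape_for(string $value, string $context): string
{
    return match ($context) {
        'html'        => htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        'shell'       => escapeshellarg($value),
        // A mail header is a single line; fold CR/LF so a field cannot turn into extra headers.
        'mail_header' => str_replace(["\r", "\n"], ' ', $value),
        default       => throw new InvalidArgumentException("unknown context: $context"),
    };
}

// Constructed stand-in for $_POST (demo data, not a captured request).
$input = ['name' => ' Alice ', 'email' => 'alice@example.com', 'age' => '42',
          'message' => 'Hi <b>there</b> & thanks', 'extra' => 'ignored'];
[$clean, $errors] = validate_form($input);
if ($errors) {
    exit('Invalid fields: ' . implode(', ', $errors) . PHP_EOL);
}
// The same validated values, escaped differently for each sink.
echo 'HTML body: ', escape_for($clean['message'], 'html'), PHP_EOL;
echo 'Subject: Form from ', escape_for($clean['name'], 'mail_header'), PHP_EOL;
echo 'age is ', get_debug_type($clean['age']), PHP_EOL;
```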