Form Sanitization
- Form sanitization refers to the process of cleaning and validating user-submitted data from HTML forms to ensure that it is safe, accurate, and conforms to the expected format before processing it in your web application.
filter_var() function
- Filters a variable with a specified filter
- Returns the filtered data, or false if the filter fails.
Sanitizing a String
<?php
// Use of filter_var()
$str = "<h1>Everything is awesome</h1>";
// FILTER_SANITIZE_STRING strips the tags (note: this filter is deprecated since PHP 8.1)
$newstr = filter_var($str, FILTER_SANITIZE_STRING);
echo $newstr;
?>
Sanitizing Email
<?php
$email = "midtermiscoming@gmail.co<m>";
// Remove all illegal characters from the email
$nemail = filter_var($email, FILTER_SANITIZE_EMAIL);
echo $nemail;
?>
Preventing HTML injection
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>
Output (as displayed in the browser, since the tags are now entities): <a href='test'>Test</a>
Available flag constants
- ENT_COMPAT: Will convert double-quotes and leave single-quotes alone.
- ENT_QUOTES: Will convert both double and single quotes.
- ENT_NOQUOTES: Will leave both double and single quotes unconverted.
- ENT_IGNORE: Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it may have security implications.
- ENT_SUBSTITUTE: Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of returning an empty string.
- ENT_DISALLOWED: Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
- ENT_HTML401: Handle code as HTML 4.01.
- ENT_XML1: Handle code as XML 1.
- ENT_XHTML: Handle code as XHTML.
- ENT_HTML5: Handle code as HTML 5.
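The following is an added example (not from the original slides) showing what the quote and invalid-UTF-8 flags above actually change in the output of htmlspecialchars(), and why ENT_QUOTES is the safe choice when a value can end up inside an attribute. The sample strings are constructed for the demonstration.

```php
<?php
// Added example, not from the original slides: the effect of the quote and
// invalid-UTF-8 flags, and why ENT_QUOTES is the safe choice.

// Constructed sample value, the kind of text a user could type in a form field.
$userInput = "<a href='x' title=\"t\">Test</a>";

// Vulnerable: interpolating raw input lets the markup reach the browser.
function renderUnescaped(string $value): string
{
    return "<p>Hello, $value</p>";
}

// Hardened: <, >, &, " and ' become entities; always pass the charset.
function renderEscaped(string $value): string
{
    return '<p>Hello, ' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

echo renderUnescaped($userInput), "\n";
echo renderEscaped($userInput), "\n";

// The quote flags only change how ' and " are handled; <, > and & are always converted.
$quoteFlags = ['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES, 'ENT_NOQUOTES' => ENT_NOQUOTES];
foreach ($quoteFlags as $label => $flag) {
    echo $label, ': ', htmlspecialchars($userInput, $flag | ENT_HTML5, 'UTF-8'), "\n";
}

// Why it matters: inside a single-quoted attribute, an unconverted ' ends the
// attribute early and the rest of the value is parsed as new attributes.
$attrValue = "x' title='injected";
echo "<input value='" . htmlspecialchars($attrValue, ENT_COMPAT | ENT_HTML5, 'UTF-8') . "'>\n"; // ' is kept
echo "<input value='" . htmlspecialchars($attrValue, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "'>\n"; // ' becomes &apos;

// Invalid UTF-8: without ENT_SUBSTITUTE (or ENT_IGNORE) the function returns an
// empty string, silently blanking the output; with ENT_SUBSTITUTE the bad byte
// becomes U+FFFD and the rest of the text survives.
$broken = "ab\xC3cd"; // constructed: a truncated multibyte sequence
var_dump(htmlspecialchars($broken, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
var_dump(htmlspecialchars($broken, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8'));
```

Run it from the command line with `php escaping.php`. The ENT_HTML5 flag turns a single quote into `&apos;`; with ENT_HTML401 (the default document type) the same character becomes `&#039;`, which is equally safe. Since PHP 8.1 the default flags already include ENT_QUOTES and ENT_SUBSTITUTE, but passing them explicitly keeps the code correct on older versions.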
Sanitizing Int
<?php
$user_age = "23string@jdjdjdjd";
$sanitized_age = filter_var($user_age, FILTER_SANITIZE_NUMBER_INT);
// Use $sanitized_age safely as an integer
echo $sanitized_age;
?>
Sanitizing URL
<?php
$url = "www.phpwillgetmeplacement.or°g";
// Remove all illegal characters from the URL
$nurl = filter_var($url, FILTER_SANITIZE_URL);
echo $nurl;
?>
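The following is an added example (not from the original slides) that pairs each FILTER_SANITIZE_* filter shown above with its FILTER_VALIDATE_* counterpart. Sanitizing only removes characters; it is the validate filter that returns false when the remaining value is still not an email, integer or URL, which is the "or false if the filter fails" case mentioned under filter_var(). The sample inputs are constructed (the first in each group is the slide's own value), and the http/https allow-list is an assumption about which schemes a website field should accept.

```php
<?php
// Added example, not from the original slides: FILTER_SANITIZE_* only removes
// characters and never reports whether what is left makes sense. Each field
// below is sanitized and then checked with the matching FILTER_VALIDATE_*
// filter, which returns false on failure.

function checkEmail(string $raw): string|false
{
    $clean = filter_var($raw, FILTER_SANITIZE_EMAIL);
    return filter_var($clean, FILTER_VALIDATE_EMAIL);
}

// "1-2" survives FILTER_SANITIZE_NUMBER_INT (digits, + and - are allowed) but
// is not an integer; FILTER_VALIDATE_INT catches it and enforces the range.
function checkAge(string $raw): int|false
{
    $clean = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    return filter_var($clean, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 18, 'max_range' => 100],
    ]);
}

// FILTER_VALIDATE_URL requires a scheme but does not restrict which one, so
// the scheme is allow-listed separately (assumption: only http/https are wanted).
function checkWebsite(string $raw): string|false
{
    $clean = filter_var($raw, FILTER_SANITIZE_URL);
    $url = filter_var($clean, FILTER_VALIDATE_URL);
    if ($url === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : false;
}

// Constructed sample inputs; the first of each group is the slide's own value.
$samples = [
    'email'   => ['midtermiscoming@gmail.co<m>', 'not an email'],
    'age'     => ['23string@jdjdjdjd', '1-2', '-5', '42'],
    'website' => ['www.phpwillgetmeplacement.or°g', 'https://example.com/path', 'ftp://example.com/file'],
];
$checks = ['email' => 'checkEmail', 'age' => 'checkAge', 'website' => 'checkWebsite'];

foreach ($samples as $field => $values) {
    foreach ($values as $raw) {
        $result = $checks[$field]($raw);
        printf("%-8s %-35s => %s\n", $field, var_export($raw, true),
            $result === false ? 'REJECTED' : var_export($result, true));
    }
}
```

Running this shows the point of the pairing: the slide's email becomes a valid address once the stray `<m>` is stripped, and "23string@jdjdjdjd" becomes 23 and passes, but "1-2" and "-5" are rejected, and the slide's URL is rejected even after sanitizing because it has no scheme, so FILTER_SANITIZE_URL on its own would have let a value through that is not usable as a link. The union return types need PHP 8.0 or later.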
“Love the life you live. Live the life you love”
Practical Question of the Day
- Make a Form which takes Name, Email, Age and Users website as input from the user and perform validation and sanitization on the data in another file.
Let’s Make a form first
<!DOCTYPE html>
<html>
<head>
<title>Form Validation and Sanitization</title>
</head>
<body>
<form action="validation.php" method="post">
<input type="text" name="name" placeholder="Your name">
<input type="email" name="email" placeholder="Your email">
<input type="number" name="age" placeholder="Your age">
<input type="url" name="website" placeholder="Your website">
<input type="submit" value="Submit">
</form>
</body>
</html>
Now in a new file validation.php, let’s handle the data posted by form.
<?php
// Get the form data (default to an empty string if a field is missing)
$name = $_POST['name'] ?? '';
$email = $_POST['email'] ?? '';
$age = $_POST['age'] ?? '';
$website = $_POST['website'] ?? '';

// Validate the name
if (empty($name)) {
    echo "Please enter your name.";
} else {
    $name = filter_var($name, FILTER_SANITIZE_STRING); // deprecated since PHP 8.1
}

// Validate the email
if (empty($email)) {
    echo "Please enter your email address.";
} else {
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo "Invalid email address.";
        $email = false; // do not echo an invalid address back below
    }
}

// Validate the age
if (empty($age)) {
    echo "Please enter your age.";
} else {
    $age = filter_var($age, FILTER_SANITIZE_NUMBER_INT);
    if ($age < 18 || $age > 100) {
        echo "Age must be between 18 and 100.";
        $age = false; // out-of-range age is not valid data
    }
}

// Validate the website
if (empty($website)) {
    echo "Please enter your website address.";
} else {
    $website = filter_var($website, FILTER_SANITIZE_URL);
}

// If the data is valid, echo it back to the user
if ($name && $email && $age && $website) {
    echo "Your name is $name. Your email address is $email. You are $age years old. Your website is $website.";
}
?>
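The following is an added, hardened version of the handler (not the slides' own validation.php). It collects all errors before responding instead of echoing in the middle of validation, uses FILTER_VALIDATE_* filters so that a value is either accepted or rejected rather than merely trimmed, and escapes every value with htmlspecialchars() when it is written into the page. It assumes the HTML form above posts to it, that the mbstring extension is available for mb_strlen(), and that only http/https website addresses are wanted; the 100-character name limit is an assumed policy.

```php
<?php
// Added example, not the slides' own validation.php: the same four fields
// handled with validate filters, an error list, and escaping at output time.
declare(strict_types=1);

// Returns ['data' => [...], 'errors' => [...]] for the given POST array.
function validateForm(array $post): array
{
    $errors = [];
    $data = [];

    // Name: required, trimmed, length-limited (assumed policy: 100 chars).
    // No HTML stripping here; the value is escaped when it is rendered.
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '') {
        $errors['name'] = 'Please enter your name.';
    } elseif (mb_strlen($name) > 100) {
        $errors['name'] = 'Name must be at most 100 characters.';
    } else {
        $data['name'] = $name;
    }

    // Email: sanitize, then validate; keep only the validated value.
    $email = filter_var((string) ($post['email'] ?? ''), FILTER_SANITIZE_EMAIL);
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Invalid email address.';
    } else {
        $data['email'] = $email;
    }

    // Age: validate as an integer in range; "23abc" and "" both fail here,
    // unlike FILTER_SANITIZE_NUMBER_INT which would turn "23abc" into 23.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 18, 'max_range' => 100],
    ]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 18 and 100.';
    } else {
        $data['age'] = $age;
    }

    // Website: validate as a URL and allow only http(s) schemes (assumption).
    $website = filter_var((string) ($post['website'] ?? ''), FILTER_SANITIZE_URL);
    $website = filter_var($website, FILTER_VALIDATE_URL);
    $scheme = $website === false ? '' : strtolower((string) parse_url($website, PHP_URL_SCHEME));
    if ($website === false || !in_array($scheme, ['http', 'https'], true)) {
        $errors['website'] = 'Please enter a valid http(s) website address.';
    } else {
        $data['website'] = $website;
    }

    return ['data' => $data, 'errors' => $errors];
}

// Escape helper used for every value echoed into HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    exit('Submit the form with POST.');
}

$result = validateForm($_POST);

if ($result['errors'] !== []) {
    echo '<ul>';
    foreach ($result['errors'] as $message) {
        echo '<li>', e($message), '</li>';
    }
    echo '</ul>';
} else {
    $d = $result['data'];
    echo '<p>Your name is ', e($d['name']),
         '. Your email address is ', e($d['email']),
         '. You are ', $d['age'], ' years old. Your website is ',
         '<a href="', e($d['website']), '">', e($d['website']), '</a>.</p>';
}
```

The two changes that matter most compared with the slide version are that nothing is echoed until every field has been checked, so an invalid email can never be printed back as if it were accepted, and that escaping happens at the point of output rather than relying on the sanitize filters, which (as the URL case shows) leave characters such as `<` and `"` in place.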
Question 1: What is the primary purpose of form validation?
- A) To make the form visually appealing
- B) To ensure the data entered meets required criteria
- C) To increase the loading speed of the form
- D) To store data in a database
Question 2: Which aspect of form validation involves verifying that the length or size of the input data falls within acceptable limits?
- A) Data Type Validation
- B) Required Field Validation
- C) Length and Size Validation
- D) Format Validation
Question 3: What is the purpose of the htmlspecialchars() function in PHP?
- A) To execute JavaScript code
- B) To convert special characters to HTML entities
- C) To prevent CSRF attacks
- D) To validate form input
Question 4: Which PHP superglobal variable returns the filename of the currently executing script?
- A) $_REQUEST
- B) $_GET
- C) $_SERVER["PHP_SELF"]
- D) $GLOBALS
Question 5: What does the preg_match() function do in PHP?
- A) Converts HTML characters to special characters
- B) Searches for a pattern in a string and returns true if found
- C) Validates email addresses
- D) Handles cross-site scripting attacks