Home/ Questions/Q 8467261
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T15:35:28+00:00

I’m new to sanitizing input data, but we are starting to ramp up with

  • 0

I’m new to sanitizing input data, but we are starting to ramp up with number of clients very quickly, so we will need to have all user inputs sanitized, just in case, as it’s a best practice.

If I’ve got a form that posts 12 fields, what’s the best and least expensive way to sanitize it?

for simplicity’s sake let’s say I’ve got

$one = $_POST['one'];
$two = $_POST['two'];
$three = $_POST['three'];
$four = $_POST['four'];
$five = $_POST['five'];

EDIT:
right here – This is getting inserted into a database under metadata. I then call to

Then I’m just calling

printf('The input for One is ' .$theNewVarForOne. '!');

But there IS a potential for malicious code in there. What’s the best way to strip all iffy inputs?

EDIT:

I should have been more specific. I am basically creating some ‘post’ data that is stored in a database. A title, the date, the body, etc.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you are printing to the screen, then HTMLspecialchars should be fine:

    echo htmlspecialchars($_POST['one']);

    It converts any potential malicious javascript and HTML into characters like < so that it displays as text in your source code (meaning it cannot be executed) and to the user it looks like the original input displayed on the screen:

    <?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

    If you are on the other hand inserting into a database, then you will need to do some extra work.

    When inserting into a database, you really need to use prepared statements (this will stop anyone doing anything funky with SQL to your database). I prefer to use PDO to make my connection.

    The code will look like this (snipped from the docs on prepare):

    <?php
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>
    • 0