PHP sanitize() Input Function

Summary: in this tutorial, you’ll learn to develop a reusable PHP sanitize() function to sanitize inputs.

Introduction to sanitizing input

Before processing data from untrusted sources such as an HTTP POST or GET request, you should always sanitize it first.

Sanitizing input means removing illegal characters by deleting, replacing, encoding, or escaping them.

PHP provides a list of sanitizing filters that you can use to sanitize input effectively. The following functions use these filters to sanitize the input: filter_var(), filter_var_array(), filter_input(), and filter_input_array().

In this tutorial, we’ll create a reusable sanitize() function that sanitizes the inputs in a more expressive way.

Define the sanitize() function

Suppose you have the following fields in the $_POST variable and want to sanitize them: name, email, age, weight, github, and hobbies.

To do that, you can define a sanitize() function and call it as follows:

```php
$data = sanitize($_POST, $fields);
```

The sanitize() function should look like this:

```php
function sanitize(array $inputs, array $fields): array
```

The function has two parameters: $inputs, the array of data to sanitize (for example, $_POST), and $fields, the sanitization rule for each field.

The sanitize() function returns an array that contains the sanitized data.

The $fields should be an associative array in which the key is the field name and the value is the rule for that field. For example:

```php
$fields = [
    'name'    => 'string',
    'email'   => 'email',
    'age'     => 'int',
    'weight'  => 'float',
    'github'  => 'url',
    'hobbies' => 'string[]'
];
```

Note that the string[] means an array of strings.

To sanitize these fields, you first look up the filter that matches each field's rule and then pass the inputs and the resulting filters to filter_var_array().

To get a filter based on the rule of a field, you can define a mapping between the rules with the filters like this:

```php
const FILTERS = [
    'string'   => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
    'string[]' => [
        'filter' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
        'flags'  => FILTER_REQUIRE_ARRAY
    ],
    'email'    => FILTER_SANITIZE_EMAIL,
    'int'      => [
        'filter' => FILTER_SANITIZE_NUMBER_INT,
        'flags'  => FILTER_REQUIRE_SCALAR
    ],
    'int[]'    => [
        'filter' => FILTER_SANITIZE_NUMBER_INT,
        'flags'  => FILTER_REQUIRE_ARRAY
    ],
    'float'    => [
        'filter' => FILTER_SANITIZE_NUMBER_FLOAT,
        'flags'  => FILTER_FLAG_ALLOW_FRACTION
    ],
    'float[]'  => [
        'filter' => FILTER_SANITIZE_NUMBER_FLOAT,
        // without FILTER_FLAG_ALLOW_FRACTION the decimal point would be stripped
        'flags'  => FILTER_REQUIRE_ARRAY | FILTER_FLAG_ALLOW_FRACTION
    ],
    'url'      => FILTER_SANITIZE_URL,
];
```

For example, the following returns the filter of the string rule:

```php
FILTERS['string']
```

To sanitize multiple fields at a time, you can use the filter_var_array() function:

```php
filter_var_array($inputs, $options)
```

The first parameter of the filter_var_array() function is the array of variables to filter, and the second is an array that maps each key to a filter. For example, it should look like this:

```php
$options = [
    'name'   => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
    'email'  => FILTER_SANITIZE_EMAIL,
    'age'    => [
        'filter' => FILTER_SANITIZE_NUMBER_INT,
        'flags'  => FILTER_REQUIRE_SCALAR
    ],
    'weight' => [
        'filter' => FILTER_SANITIZE_NUMBER_FLOAT,
        'flags'  => FILTER_FLAG_ALLOW_FRACTION
    ],
    'github' => FILTER_SANITIZE_URL,
];
```

So you need to build this $options array from the $fields and FILTERS arrays. To do that, you can use the array_map() function like this:

```php
$options = array_map(fn($field) => FILTERS[$field], $fields);
```

The following shows the sanitize() function:

```php
function sanitize(array $inputs, array $fields): array
{
    $options = array_map(fn($field) => FILTERS[$field], $fields);
    return filter_var_array($inputs, $options);
}
```

Make the sanitize() function more flexible

The sanitize() function uses the FILTERS constant. To make it more flexible, you can add a parameter and set its default value to the FILTERS constant like this:

```php
function sanitize(array $inputs, array $fields, array $filters = FILTERS): array
{
    $options = array_map(fn($field) => $filters[$field], $fields);
    return filter_var_array($inputs, $options);
}
```

Also, you may want to sanitize all the fields in the $inputs with a single filter, e.g., FILTER_SANITIZE_STRING. Note that FILTER_SANITIZE_STRING has been deprecated since PHP 8.1, which is why the code below defaults to FILTER_SANITIZE_FULL_SPECIAL_CHARS instead.

To do that, you can make the $fields parameter optional with an empty array as its default, add a $default_filter parameter that defaults to FILTER_SANITIZE_FULL_SPECIAL_CHARS, and apply $default_filter to every input when $fields is empty.

The sanitize() function will look like the following:

```php
function sanitize(array $inputs, array $fields = [], int $default_filter = FILTER_SANITIZE_FULL_SPECIAL_CHARS, array $filters = FILTERS): array
{
    if ($fields) {
        $options = array_map(fn($field) => $filters[$field], $fields);
        return filter_var_array($inputs, $options);
    }

    return filter_var_array($inputs, $default_filter);
}
```

Remove whitespaces of strings

To remove the leading and trailing whitespace of a string, you use the trim() function. To do the same for an array of strings, you combine the array_map() function with the trim() function:

```php
$trimmed_data = array_map('trim', $inputs);
```

However, the $inputs may contain items that are not strings. To trim only the string items, you can use the is_string() function to check whether an item is a string before trimming it:

```php
$trimmed_data = array_map(function ($item) {
    if (is_string($item)) {
        return trim($item);
    }
    return $item;
}, $inputs);
```

The $inputs may contain an item that is an array of strings. For example:

```php
$inputs = [
    ...
    'hobbies' => [' Reading', 'Running ', ' Programming ']
]
```

To trim the strings inside the hobbies item, you need a recursive function:

```php
function array_trim(array $items): array
{
    return array_map(function ($item) {
        if (is_string($item)) {
            return trim($item);
        }
        if (is_array($item)) {
            return array_trim($item);
        }
        return $item;
    }, $items);
}
```

Call array_trim() from the sanitize() function

To call the array_trim() function from the sanitize() function, add a $trim parameter that defaults to true, store the result of filter_var_array() in a $data variable, and return array_trim($data) when $trim is true, or $data otherwise.

The following shows the updated sanitize() function:

```php
function sanitize(array $inputs, array $fields = [], int $default_filter = FILTER_SANITIZE_FULL_SPECIAL_CHARS, array $filters = FILTERS, bool $trim = true): array
{
    if ($fields) {
        $options = array_map(fn($field) => $filters[$field], $fields);
        $data = filter_var_array($inputs, $options);
    } else {
        $data = filter_var_array($inputs, $default_filter);
    }

    return $trim ? array_trim($data) : $data;
}
```

Put it all together

The following shows the complete sanitization.php file with FILTERS, array_trim(), and sanitize() functions:

```php
<?php

const FILTERS = [
    'string'   => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
    'string[]' => [
        'filter' => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
        'flags'  => FILTER_REQUIRE_ARRAY
    ],
    'email'    => FILTER_SANITIZE_EMAIL,
    'int'      => [
        'filter' => FILTER_SANITIZE_NUMBER_INT,
        'flags'  => FILTER_REQUIRE_SCALAR
    ],
    'int[]'    => [
        'filter' => FILTER_SANITIZE_NUMBER_INT,
        'flags'  => FILTER_REQUIRE_ARRAY
    ],
    'float'    => [
        'filter' => FILTER_SANITIZE_NUMBER_FLOAT,
        'flags'  => FILTER_FLAG_ALLOW_FRACTION
    ],
    'float[]'  => [
        'filter' => FILTER_SANITIZE_NUMBER_FLOAT,
        // without FILTER_FLAG_ALLOW_FRACTION the decimal point would be stripped
        'flags'  => FILTER_REQUIRE_ARRAY | FILTER_FLAG_ALLOW_FRACTION
    ],
    'url'      => FILTER_SANITIZE_URL,
];

/**
 * Recursively trim every string in an array, leaving non-string items untouched.
 *
 * @param array $items
 * @return array
 */
function array_trim(array $items): array
{
    return array_map(function ($item) {
        if (is_string($item)) {
            return trim($item);
        }
        if (is_array($item)) {
            return array_trim($item);
        }
        return $item;
    }, $items);
}

/**
 * Sanitize the inputs using the rule of each field, or $default_filter when no fields are given.
 *
 * @param array $inputs the data to sanitize, e.g., $_POST
 * @param array $fields field name => rule, e.g., ['email' => 'email']
 * @param int $default_filter the filter applied to every input when $fields is empty
 * @param array $filters the mapping from rules to filters
 * @param bool $trim whether to trim the sanitized strings
 * @return array the sanitized data
 */
function sanitize(array $inputs, array $fields = [], int $default_filter = FILTER_SANITIZE_FULL_SPECIAL_CHARS, array $filters = FILTERS, bool $trim = true): array
{
    if ($fields) {
        $options = array_map(fn($field) => $filters[$field], $fields);
        $data = filter_var_array($inputs, $options);
    } else {
        $data = filter_var_array($inputs, $default_filter);
    }

    return $trim ? array_trim($data) : $data;
}
```

Use the sanitize() function

The following shows how to use the sanitize() function to sanitize the data in $inputs using the sanitization rules specified in $fields:

```php
<?php

require __DIR__ . '/sanitization.php';

$inputs = [ 'name' => 'joe
```