PHP -Sanitize values of a array
42,442
Solution 1
Have a look at array_map
<?php
$a = array(
'title' => 'Title',
'data' => array(
'hdr' => 'Header',
'bdy' => 'Body'
),
'foo' => array(1, 23, 65)
);
$b = array_map("strip_tags", $a);
print_r($b);
?>
Update for 2D array:
function array_map_r( $func, $arr )
{
$newArr = array();
foreach( $arr as $key => $value )
{
$newArr[ $key ] = ( is_array( $value ) ? array_map_r( $func, $value ) : ( is_array($func) ? call_user_func_array($func, $value) : $func( $value ) ) );
}
return $newArr;
}
Usage:
$a = array(
'title' => 'Title',
'data' => array(
'hdr' => 'Header',
'bdy' => 'Body'
),
'foo' => array(1, 23, 65)
);
$ar =array_map_r('strip_tags', $a);
print_r($ar);
Note I found this just by searching the comments for Dimension
Solution 2
Just use the filter extension.
/* prevent XSS. */
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
This will sanitize your $_GET and $_POST.
Solution 3
function strip($string, $allowed_tags = NULL)
{
if (is_array($string))
{
foreach ($string as $k => $v)
{
$string[$k] = strip($v, $allowed_tags);
}
return $string;
}
return strip_tags($string, $allowed_tags);
}
Just an example of a recursive function, for stripping tags in this case.
$arr = strip($arr);
Solution 4
This looks ok, but please comment if it can be improved or has any misgivings:
$_GET =filter_var_array($_GET);
$_POST=filter_var_array($_POST);
Related videos on Youtube
05 : 12
49: What are associative arrays in PHP - PHP tutorial
16 : 52
PHP Array Data Type - Indexed, Associative & Multi-Dimensional Arrays - Full PHP 8 Tutorial
05 : 57
Array Count Values | PHP Array Function
28 : 45
#1 Index array | Associative array | Multi dimensional array in php tamil | how to print array php
01 : 37
How to print or echo all the values of an array in PHP
10 : 10
notice trying to access array offset on value of type null in
09 : 30
PHP Logical Programming Question 1: find the smallest value in an array in PHP?
09 : 53
print php array values
04 : 50
46: Insert data into array in PHP - PHP tutorial
08 : 09
28 - PHP Array Function - Add Multiple Values, Modify - Delete Values
09 : 47
11: How to replace values a PHP array - PHP 7 tutorial
07 : 30
PHP - Sort Array by Value
Comments
-
Alex about 4 years
I have a array, which comes from
$_POST[]and can have other arrays in it as values, like:array( 'title' => 'Title', 'data' => array( 'hdr' => 'Header' 'bdy' => 'Body' ), 'foo' => array(1, 23, 65), ... )How can I sanitize all values of this big array? for eg. apply a
strip_tags()to values like Title, Header, Body, 1, 23, 65 etc ?-
Your Common Sense about 13 yearsI hope you wont use this idea of sanitization for the SQL escaping -
Alex about 13 yearsno, this is done before inserting this in SQL
-
-
Alex about 13 yearsBut I get
Warning: strip_tags() expects parameter 1 to be string, array given. I think it doesn't work for 2nd level+ arrays... -
Zubair1 about 13 years@Col. Shrapnel: Actually according to php.net array_walk_recursive() -
Any key that holds an array will not be passed to the function.I was just testing out array_walk_recursive() behavior and its quite different than the solution above, plus array_walk_recursive() seems to be buggy too. -
Will Palmer over 11 years1) this wouldn't work recursively, a key point in the question. 2) never sanitise values on the input end. Always sanitise them on the output end, as it is the output (be it to html, database, xml, json, etc) which defines the requirements. The above code runs a serious risk of leaving one open to SQL Injection attacks, for example.
-
Marc Tremblay over 11 yearsThe question was not to sanitize for SQL injections. It was to strip the tags. I think it's better to use Prepared Statement for this purpose. The code I wrote dosen't strip the tags, it just rewrites those html special chars as displayable format format ex.: "é". Of course you can replace htmlspecialchars by strip_tags. Depends on what you want to do!
-
Will Palmer over 11 yearsPrepared statements do indeed protect against SQL injection, but they are also a form of sanitising at the output, rather than the input. Never sanitise at the input, and certainly never do both :). The intended goal is to make things sane for output into HTML, not to break them for every other potential purpose. This code is what
magic_quotes_gpcwould look like if people cared more about XSS attacks than SQL injection. It is bad. Don't do it. Don't do anything similar to it. -
alev about 2 yearsFILTER_SANITIZE_STRINGhas been deprecated in PHP 8.1FILTER_SANITIZE_FULL_SPECIAL_CHARSis the closest replacement that's still valid.
