PHP - Sanitize values of an array
Solution 1
Have a look at array_map
```php
<?php
$a = array(
    'title' => 'Title',
    'data' => array(
        'hdr' => 'Header',
        'bdy' => 'Body'
    ),
    'foo' => array(1, 23, 65)
);
// array_map() only visits the top level: nested arrays are handed to strip_tags() as-is
$b = array_map("strip_tags", $a);
print_r($b);
?>
```
Update for 2D array:
```php
function array_map_r( $func, $arr )
{
    $newArr = array();
    foreach( $arr as $key => $value )
    {
        // Recurse into nested arrays; apply the callback to every scalar leaf.
        // call_user_func() accepts both string and array callables with a single argument.
        $newArr[ $key ] = ( is_array( $value )
            ? array_map_r( $func, $value )
            : call_user_func( $func, $value ) );
    }
    return $newArr;
}
```
Usage:
```php
$a = array(
    'title' => 'Title',
    'data' => array(
        'hdr' => 'Header',
        'bdy' => 'Body'
    ),
    'foo' => array(1, 23, 65)
);
$ar = array_map_r('strip_tags', $a);
print_r($ar);
```
Note: I found this just by searching the comments for "Dimension".
Solution 2
Just use the filter extension.
```php
/* prevent XSS. */
$_GET  = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
```
This will sanitize your `$_GET` and `$_POST`.
Solution 3
```php
function strip($string, $allowed_tags = NULL)
{
    if (is_array($string))
    {
        // Recurse into nested arrays, keeping the keys
        foreach ($string as $k => $v)
        {
            $string[$k] = strip($v, $allowed_tags);
        }
        return $string;
    }
    return strip_tags($string, $allowed_tags);
}
```
Just an example of a recursive function, for stripping tags in this case.
```php
$arr = strip($arr);
```
Solution 4
This looks ok, but please comment if it can be improved or has any misgivings:
```php
$_GET  = filter_var_array($_GET);
$_POST = filter_var_array($_POST);
```
Comments
- Alex about 4 years: I have an array, which comes from `$_POST[]` and can have other arrays in it as values, like: `array( 'title' => 'Title', 'data' => array( 'hdr' => 'Header', 'bdy' => 'Body' ), 'foo' => array(1, 23, 65), ... )`. How can I sanitize all values of this big array? For example, apply `strip_tags()` to values like Title, Header, Body, 1, 23, 65 etc.?
- Your Common Sense about 13 years: I hope you won't use this idea of sanitization for the SQL escaping
- Alex about 13 years: no, this is done before inserting this in SQL
- Alex about 13 years: But I get `Warning: strip_tags() expects parameter 1 to be string, array given`. I think it doesn't work for 2nd level+ arrays...
- Zubair1 about 13 years: @Col. Shrapnel: Actually according to php.net array_walk_recursive() - "Any key that holds an array will not be passed to the function." I was just testing out array_walk_recursive() behavior and it's quite different than the solution above, plus array_walk_recursive() seems to be buggy too.
- Will Palmer over 11 years: 1) this wouldn't work recursively, a key point in the question. 2) never sanitise values on the input end. Always sanitise them on the output end, as it is the output (be it to html, database, xml, json, etc) which defines the requirements. The above code runs a serious risk of leaving one open to SQL Injection attacks, for example.
- Marc Tremblay over 11 years: The question was not to sanitize for SQL injections. It was to strip the tags. I think it's better to use Prepared Statement for this purpose. The code I wrote doesn't strip the tags, it just rewrites those html special chars as displayable format, ex.: "é". Of course you can replace htmlspecialchars by strip_tags. Depends on what you want to do!
- Will Palmer over 11 years: Prepared statements do indeed protect against SQL injection, but they are also a form of sanitising at the output, rather than the input. Never sanitise at the input, and certainly never do both :). The intended goal is to make things sane for output into HTML, not to break them for every other potential purpose. This code is what `magic_quotes_gpc` would look like if people cared more about XSS attacks than SQL injection. It is bad. Don't do it. Don't do anything similar to it.
- alev about 2 years: `FILTER_SANITIZE_STRING` has been deprecated in PHP 8.1. `FILTER_SANITIZE_FULL_SPECIAL_CHARS` is the closest replacement that's still valid.
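As an added example (not code from the question or any of the answers above), the following puts the threads of this page together: a recursive map over a nested array, `strip_tags()` on the input side as the question asks, `htmlspecialchars()` for the HTML output context as the later comments recommend, and the filter extension's own recursion with the flag that replaces the deprecated `FILTER_SANITIZE_STRING`. The `map_leaves` and `html_escape` names and the sample input are my own.

```php
<?php
// Constructed sample input standing in for a nested $_POST array.
$input = array(
    'title' => 'Hello <b>world</b>',
    'data'  => array(
        'hdr' => '<script>alert(1)</script>Header',
        'bdy' => 'Tom & "Jerry"',
    ),
    'foo'   => array(1, 23, 65),
);

// Recursive equivalent of array_map(): descends into nested arrays and applies
// $callback to every scalar leaf, leaving keys and nesting intact.
function map_leaves(callable $callback, array $arr)
{
    $out = array();
    foreach ($arr as $key => $value) {
        $out[$key] = is_array($value)
            ? map_leaves($callback, $value)
            : $callback((string) $value);
    }
    return $out;
}

// Input side: strip tags, as the question asks. This removes the markup for good,
// but leaves '&' and quotes untouched, so it is not output encoding.
$stripped = map_leaves('strip_tags', $input);

// Output side: encode for the HTML context instead of stripping. ENT_QUOTES also
// makes the values safe inside quoted attribute values; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function html_escape($value)
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
$escaped = map_leaves('html_escape', $input);

// The filter extension recurses into nested arrays itself when given
// FILTER_REQUIRE_ARRAY. FILTER_SANITIZE_FULL_SPECIAL_CHARS is the PHP 8.1+
// replacement for FILTER_SANITIZE_STRING noted in the comments.
$filtered = filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_REQUIRE_ARRAY);

print_r($stripped);
print_r($escaped);
print_r($filtered);
```

Running it shows the difference between the two approaches: `$stripped['data']['hdr']` becomes `alert(1)Header`, while `$escaped['data']['hdr']` keeps the text but renders as inert `&lt;script&gt;...` when echoed into HTML.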