What are some good PHP html (input) sanitizers?
Preferably, if something is built in - I'd like to us that.
UPDATE:
Per the request, via comments, input should not allow HTML (and obviously prevent XSS & SQL Injection, etc).
可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
回答1:
html purifier -> http://htmlpurifier.org/
回答2:
I've always used PHP's addslashes() and stripslashes() functions, but I also just saw the built-in filter_var() function (link). Looks like there are quite a few built-in filters.
回答3:
If you want to run a query that use let's say $_GET['user'] a nice solution would be to do something like this using mysql_real_escape_string():
<?php
$user = mysql_real_escape_string($_GET['user']);
$SQL = "SELECT * FROM users WHERE username = '$name'";
//run $SQL now
...
?>
If you want to store a text in a database and then print it on a web page, consider use htmlentities
[Edit]Or as awshepard said, you can use addslashes() and stripslashes() functions[/Edit]
Here is a little example of sanitization when it comes to prevent XSS attacks:
<?php
$str = "A 'quote' is <b>bold</b>";
//Outputs: A 'quote' is <b>bold</b>
echo $str;
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str);
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?>
回答4:
use
$input_var=sanitize_input($_POST);
and functions are below, almost sanitize everthing u need
function sanitize($var, $santype = 1){
if ($santype == 1) {return strip_tags($var);}
if ($santype == 2) {return htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8');}
if ($santype == 3)
{
if (!get_magic_quotes_gpc()) {
return addslashes(htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8'));
}
else {
return htmlentities(strip_tags($var),ENT_QUOTES,'UTF-8');
}
}
}
function sanitize_input($input,$escape_mysql=false,$sanitize_html=true,
$sanitize_special_chars=true,$allowable_tags='<br><b><strong><p>')
{
unset($input['submit']); //we use 'submit' variable for all of our form
$input_array = $input;
//array is not referenced when passed into foreach
//this is why we create another exact array
foreach ($input as $key=>$value)
{
if(!empty($value))
{
$input_array[$key]=strtolower($input_array[$key]);
//stripslashes added by magic quotes
if(get_magic_quotes_gpc()){$input_array[$key]=sanitize($input_array[$key]);}
if($sanitize_html){$input_array[$key] = strip_tags($input_array[$key],$allowable_tags);}
if($sanitize_special_chars){$input_array[$key] = htmlspecialchars($input_array[$key]);}
if($escape_mysql){$input_array[$key] = mysql_real_escape_string($input_array[$key]);}
}
}
return $input_array;
}
Remember : it will not sanitize multidimensional array, u need to modify it recursively.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 疯言疯语 的文章《PHP input sanitizer?》','https://www.manongdao.com/article-377092.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}