• 01666-222229
  • info@practicise.com
  • Sircl Tech Pvt. Ltd, Red Light Chowk, Sirsa
Search
Close this search box.
Course Content
PHP-Hypertext Preprocessor
0/5
What is PHP?
00:00
How to Install PHP?
00:00
PHP Structure
00:00
PHP Fundamentals
00:00
PHP Hello World!
00:00
Data Types
0/3
What is Data Types?
00:00
Different Types of Data Types?
00:00
PHP Heredoc , Type Casting and Type Juggling
00:00
Operators
0/3
What is Operators?
00:00
Examples of Operators?
00:00
Control Flow
00:00
Functions
0/6
What is Function?
00:00
What is the main purpose of using functions?
00:00
Function Parameters
00:00
What is Named Arguments?
00:00
Variable Scope and Type Hints
00:00
Strict Typing
00:00
Array
0/6
What is Array?
00:00
Different Types of Array?
00:00
Array destructuring and Sorting arrays
00:00
Advanced functions and Variable constructs?
00:00
Advanced Array Operations?
00:00
Organizing PHP Files?
00:00
State Management
0/1
State Management?
00:00
Processing Forms?
0/8
What is Processing Forms?
00:00
What is CSRF?
00:00
Flash messages and Post-Redirect-Get (PRG)
00:00
How to Upload multiple files?
00:00
what is Validation?
00:00
What is Sanitize input?
00:00
Filter input?
00:00
Password_hash() and Password_verify()?
00:00
Login System
0/1
What is Login System?
00:00
Working with Files?
0/7
Working with Files?
00:00
Check if a File Exists?
00:00
Read a file and Read a file into a string?
00:00
Read a file into an array?
00:00
Download a file and Copy a file?
00:00
Delete a file and Rename a file?
00:00
Work with CSV Files and File permissions?
00:00
Working with Directories?
0/2
How we can work with directories ?
00:00
What is pathinfo() function?
00:00
String Operations?
0/4
What are string operations?
00:00
implode() function and explode() function?
00:00
What is htmlspecialchars() function and ucfirst() function?
00:00
What is ucwords() function?
00:00
Regular Expressions?
0/1
What is regular expression?
00:00
PHP Date and Time?
0/1
What is PHP Date and Time ?
00:00
PHP
About Lesson

What is Sanitize input?

Sanitizing input is a crucial step in web development to ensure that data received from users is safe and does not pose security risks to the application. Sanitization involves cleaning and filtering user input to remove or neutralize potentially harmful characters or content. Here are some key techniques and considerations for sanitizing input in PHP:

HTML Entity Encoding:

  • Convert special characters to their corresponding HTML entities using functions like htmlspecialchars() or htmlentities().
  • This prevents XSS (Cross-Site Scripting) attacks by neutralizing HTML tags and preventing them from being executed in the browser.

// Example: HTML entity encoding

PHP
$unsafe_input = "<script>alert('XSS attack');</script>";

$safe_input = htmlspecialchars($unsafe_input);

echo $safe_input; // Output: <script>alert('XSS attack');</script>

Database Escaping:

  • Use prepared statements or parameterized queries with PDO or MySQLi to sanitize data before inserting it into the database.
  • Prepared statements automatically escape special characters in SQL queries, preventing SQL injection attacks.

// Example: Prepared statement with PDO

PHP
$stmt = $pdo->prepare("INSERT INTO users (username, password) VALUES (?, ?)");

$stmt->execute([$username, $password]);

Validation and Whitelisting:

  • Validate input against expected formats, lengths, and data types.
  • Use whitelists to allow only certain characters or patterns in input fields, rejecting anything else.

// Example: Validate email address format

PHP
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {

    // Valid email address

} else {

    // Invalid email address

}

File Uploads:

  • Use move_uploaded_file() to move uploaded files to a secure directory and sanitize the file name to remove any potentially malicious characters.
  • Check file types and sizes to prevent uploading of harmful files.

// Example: Sanitize uploaded file name

PHP
$filename = $_FILES['file']['name'];

$sanitized_filename = preg_replace("/[^a-zA-Z0-9\_\-\.]/", '', $filename);

Input Filtering:

  • Use PHP’s filter_var() function with appropriate filter types to validate and sanitize input data.
  • Filter input against predefined validation rules for email addresses, URLs, integers, and more.

// Example: Sanitize and validate email address

PHP
$sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL);

if (filter_var($sanitized_email, FILTER_VALIDATE_EMAIL)) {

    // Valid email address

} else {

    // Invalid email address

}

Avoid Trusting User Input:

  • Never trust user input and always assume it’s malicious until proven otherwise.
  • Validate and sanitize input at the earliest opportunity and before using it in any critical operations or outputs.

By implementing these sanitization techniques in your PHP applications, you can mitigate security risks associated with user input and ensure the integrity and safety of your application’s data and functionality.

Previous
Next